0002867: ACL caching with LDAP Groups - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0002867	SOGo	Backend General	public	2014-07-22 10:14	2016-09-27 23:59

Reporter	Gunnar Weissmann	Assigned To	francis
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	[Server] Linux	OS	Debian	OS Version	7 (Wheezy)
Product Version	2.2.6
Fixed in Version	3.2.0

Summary	0002867: ACL caching with LDAP Groups
Description	We tested ACLs with users and everything worked as expected; all user rights are set immediately. But when we do this with LDAP Groups the (e.g. removed) ACLs are not immediately active. That means, removed rights to edit events are still active for a while. When we restarted the memcached the rights are immediately active. We think the problem is, that the memcached caches incorrectly the ACLs of LDAP groups. The database entry for the ACLs (@GROUPNAME) is added/removed correctly. We expect, that no ACLs from LDAP-groups are cached with memcached. Thanks for your support. Gunnar Weissmann
Additional Information	Reverse Proxy: nginx 1.6 Client: Webinterface (Firefox 30.0/OS X 10.9.4)
Tags	No tags attached.

Gunnar Weissmann 2015-04-08 12:11 reporter ~0008399	We have a seconds issue: When we disabled the Login in the LDAP it was still able to login until we restarted the memcached client. We expect that also ldap rights are not cached. Are there any plans to review this issue? Thank you.

ludovic 2015-04-08 12:38 administrator ~0008400	Not really since this would mean SOGo would have to check the LDAP server (for groups or removed logins) every time, rendering useless the whole purpose of the cache. Just lower SOGoCacheCleanupInterval if you want.

ThomasRZ 2016-03-22 18:16 reporter ~0009805	We are having similar problems: user rights are set immediately This means the moment I want to subscribe to a users resource, SOGo looks up if I have the required rights? group rights are set after restarting memcached Isn't a similar process like above possible here? All acl's of every resource of the explicit user I want to subscribe to is looked through (groups are decomposed) to check if I have the required rights?

sogo: master 44aa1352 2016-09-26 16:22 francis Details Diff	Caching expiration of ACLs assigned to LDAP groups Fixes 0002867	Affected Issues 0002867
	mod - NEWS	Diff File
	mod - SoObjects/SOGo/SOGoGCSFolder.m	Diff File
sogo: v2 5ada0024 2016-09-26 16:22 francis Details Diff	Caching expiration of ACLs assigned to LDAP groups Fixes 0002867	Affected Issues 0002867
	mod - NEWS	Diff File
	mod - SoObjects/SOGo/SOGoGCSFolder.m	Diff File

Date Modified	Username	Field	Change
2014-07-22 10:14	Gunnar Weissmann	New Issue
2015-04-08 12:11	Gunnar Weissmann	Note Added: 0008399
2015-04-08 12:38	ludovic	Note Added: 0008400
2016-03-22 18:16	ThomasRZ	Note Added: 0009805
2016-09-26 21:22	francis	Changeset attached	=> sogo master 44aa1352
2016-09-26 21:22	francis	Assigned To	=> francis
2016-09-26 21:22	francis	Resolution	open => fixed
2016-09-26 21:27	francis	Changeset attached	=> sogo v2 5ada0024
2016-09-27 23:59	ludovic	Status	new => resolved
2016-09-27 23:59	ludovic	Fixed in Version	=> 3.2.0