View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0001762 | SOGo | Backend General | public | 2012-04-09 16:00 | 2012-05-31 13:12

Field | Value | Field | Value | Field | Value
---|---|---|---|---|---
Reporter | chrroessner | Assigned To | ludovic | |
Priority | normal | Severity | major | Reproducibility | always
Status | closed | Resolution | no change required | |
Product Version | 1.3.14 | | | |
Target Version | 1.3.16 | Fixed in Version | 1.3.16 | |
Summary | 0001762: bindAsCurrentUser issue in LDAP | | | |
Description:

I enabled "bindAsCurrentUser" in the SOGoUserSources. Doing this breaks all users' calendars and address books. To be precise: one user can do everything, and for all other users SOGo uses a wrong DN to bind to LDAP.

In my case, I have two users, croessner and eroessner. The DN for croessner is: The DN for eroessner is:

If croessner can use his calendar and address book, eroessner only receives errors and sogo.log shows 404 errors. I dug deeper into this and traced my LDAP servers for this. It shows that for user eroessner, a wrong DN is used to bind:

Apr 9 12:10:12 roessner1 slapd[7641]: conn=15961 fd=37 ACCEPT from IP=[2a01:4f8:131:1081:88:198:80:229]:53774 (IP=[::]:389)

You can see that SOGo tries to use the de10000 entry, which normally is owned by croessner, to query for eroessner's information. And that must fail, because the LDAP ACLs do not allow binding as user A and looking for attributes from user B.

A temporary workaround is to disable bindAsCurrentUser. But with this, I also cannot allow a user to change his or her password over the web interface, as the proxy user only has read access to the LDAP servers.

Additional Information: sogod SOGoUserSources '(

Tags: No tags attached.
I just saw that this issue has a side effect on the administration tab in the web interface as well. With the setting bindAsCurrentUser=YES you cannot see any calendars or address books from users, while all works well if the option is disabled.
Here is a sample LDIF file of user de10000:

dn: uid=de10000,ou=people,ou=it,dc=roessner-net,dc=de

And here are some ACLs, so you can see why the bug came up:

access to attrs=userPassword,shadowLastChange
access to dn.sub="ou=it,dc=roessner-net,dc=de"
access to dn.sub="ou=it,dc=roessner-net,dc=de"
access to

So even for the address book lookups to work, SOGo must use the proxy user and not the bindAsCurrentUser. So two problems with the same source. Do you need more information?
2012-04-16 07:36
The log file I added is from the day I reported this issue. You can see the ping-pong between users.
I tested "bindAsCurrentUser = YES;" on SOGo-2.0.0 (2.0.0.20120515-1). Same result.
Could you reproduce this issue and provide the log excerpts from both ldap and sogo?
1st person: The user that connects successfully:

sogo.log:

ldap.log:

Now, while this user seems to work perfectly, the other user has bad luck, because SOGo now uses the first user's stuff to access the LDAP server, which must fail because of the correct LDAP ACLs!

2nd person:

sogo.log:

ldap.log:

You now can clearly see the problem: in the second ldap.log you see that SOGo binds with the de10000 uid, which belongs to croessner, but it should have bound with uid=de10008! Also, if you can fix that bug, please keep in mind that the global address book must always be bound with the cn=proxyuser and not one of the regular users. A regular user should only ever have access to its own LDAP object and not to any other objects in the DIT.
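The mismatch described in the note above (a connection bound as uid=de10000 searching for uid=de10008) can be spotted mechanically in slapd stats logs, which helps when checking whether a SOGo instance honours bindAsCurrentUser per user. The script below is an added example, not part of the bug report or of SOGo: the log lines are constructed to mirror the report, the proxy DN cn=proxyuser,dc=roessner-net,dc=de is an assumed value (the page only names cn=proxyuser), and the eroessner DN is assumed to follow the same pattern as de10000's.

```python
import re

# Constructed slapd stats-log sample (not the report's attachment).
# conn=15961 binds as croessner (uid=de10000) and then searches for the
# other user's entry (uid=de10008): the mismatch the reporter saw.
# conn=15962 is a user looking up only itself; conn=15963 is the proxy user.
SAMPLE_LOG = """\
Apr  9 12:10:12 roessner1 slapd[7641]: conn=15961 fd=37 ACCEPT from IP=[2a01:4f8:131:1081:88:198:80:229]:53774 (IP=[::]:389)
Apr  9 12:10:12 roessner1 slapd[7641]: conn=15961 op=0 BIND dn="uid=de10000,ou=people,ou=it,dc=roessner-net,dc=de" method=128
Apr  9 12:10:12 roessner1 slapd[7641]: conn=15961 op=0 RESULT tag=97 err=0 text=
Apr  9 12:10:12 roessner1 slapd[7641]: conn=15961 op=1 SRCH base="ou=people,ou=it,dc=roessner-net,dc=de" scope=2 deref=0 filter="(uid=de10008)"
Apr  9 12:10:12 roessner1 slapd[7641]: conn=15961 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr  9 12:10:13 roessner1 slapd[7641]: conn=15962 op=0 BIND dn="uid=de10008,ou=people,ou=it,dc=roessner-net,dc=de" method=128
Apr  9 12:10:13 roessner1 slapd[7641]: conn=15962 op=1 SRCH base="ou=people,ou=it,dc=roessner-net,dc=de" scope=2 deref=0 filter="(uid=de10008)"
Apr  9 12:10:14 roessner1 slapd[7641]: conn=15963 op=0 BIND dn="cn=proxyuser,dc=roessner-net,dc=de" method=128
Apr  9 12:10:14 roessner1 slapd[7641]: conn=15963 op=1 SRCH base="ou=people,ou=it,dc=roessner-net,dc=de" scope=2 deref=0 filter="(uid=de10000)"
"""

# Assumed proxy DN; the report only mentions the RDN cn=proxyuser.
PROXY_DN = "cn=proxyuser,dc=roessner-net,dc=de"

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
# Picks the (uid=...) term out of the search filter, nested or not.
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH .*filter="[^"]*\(uid=([^)]+)\)')
UID_RE = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def find_cross_user_lookups(log_text, proxy_dn=PROXY_DN):
    """Return (conn, bound_uid, searched_uid) for every search in which a
    connection bound as one regular user asks for a different user's entry.
    Searches on the proxy connection are allowed; an unbound (anonymous)
    connection is reported with bound_uid=None."""
    bound = {}  # conn id -> DN last bound on that connection
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if not m:
            continue
        conn, wanted_uid = m.groups()
        dn = bound.get(conn, "")
        if dn.lower() == proxy_dn.lower():
            continue  # the proxy user is expected to look up any entry
        u = UID_RE.match(dn)
        bound_uid = u.group(1) if u else None
        if bound_uid != wanted_uid:
            findings.append((conn, bound_uid, wanted_uid))
    return findings
```

With `loglevel stats` on OpenLDAP the same regexes apply to a real log; every finding is a request that the per-user ACLs shown in the report will deny.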
New additional information: If I activate bindAsCurrentUser, then all clients seem to work perfectly. All get 2xx codes in the sogo.log file. But at the moment the first user does a write action, say adding a new event to a calendar, all other users are broken from that moment on. Do you need any further information? I do not know what else I can deliver to you :)
Problem solved. Dumping all data, purging all SQL tables and fully restoring all data fixed that issue.
Date Modified | Username | Field | Change |
---|---|---|---|
2012-04-09 16:00 | chrroessner | New Issue | |
2012-04-10 07:34 | chrroessner | Note Added: 0003699 | |
2012-04-10 17:28 | chrroessner | Note Added: 0003713 | |
2012-04-16 07:36 | chrroessner | File Added: sogo.log.gz | |
2012-04-16 07:37 | chrroessner | Note Added: 0003741 | |
2012-05-15 19:48 | chrroessner | Note Added: 0003910 | |
2012-05-15 21:51 | | Note Added: 0003912 | |
2012-05-16 08:45 | chrroessner | Note Added: 0003914 | |
2012-05-16 08:46 | chrroessner | Note Edited: 0003914 | |
2012-05-22 19:33 | chrroessner | Note Added: 0003957 | |
2012-05-22 20:15 | ludovic | Target Version | => 1.3.16 |
2012-05-23 10:09 | chrroessner | Note Added: 0003965 | |
2012-05-31 13:12 | ludovic | Status | new => resolved |
2012-05-31 13:12 | ludovic | Fixed in Version | => 1.3.16 |
2012-05-31 13:12 | ludovic | Resolution | open => no change required |
2012-05-31 13:12 | ludovic | Assigned To | => ludovic |
2012-05-31 13:12 | ludovic | Status | resolved => closed |