View Issue Details

IDProjectCategoryView StatusLast Update
0000905SOGoBackend Address Bookpublic2010-11-04 14:57
Reportertj Assigned Towsourdeau 
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Product Version1.3.2 
Target Version1.3.4Fixed in Version1.3.4 
Summary0000905: sogo-slapd-sockd not working
Description

Hi,

I tried to configure sogo-slapd-sockd of SOGo 1.3.2 with OpenLDAP 2.4. However, queries against the directory don't work, e.g.

ldapsearch -h sogo.example.com -b cn=personal,dc=addressbook,dc=example,dc=com -x -D uid=user,dc=addressbook,dc=example,dc=com -w password 'cn=*'

returns no matches. If SoSecurityManagerDebugEnabled set to YES, sogo-slapd-sockd will log the following:

<[so-security]>D validate permission 'Access Object' on object <0x015CADD0[SOGoContactGCSFolder]: name=personal container=0x014C4DE0/Contacts ocs=/Users/user/Contacts/personal>
<[so-security]>D possible roles for permission 'Access Object': Manager
<[so-security]>D got no user (=> auth required).

I tried to trace the problem a bit by looking at the source, but I don't know Objective-C and I'm not familiar with SOGo/SOPE architecture so I didn't find the root cause. But here's my findings.

The error comes from the method validatePermission of SoSecurityManager of SOPE, and failing piece of code is

if ((user = [self userInContext:_ctx object:_object]) == nil) {
...

In the chain this piece of SecurityManager code is called from lookupPersonalFolder method of SOGoParentFolder. The context attribute seems to be inherited from SOGoObject and is nil when validatePermission is being called. Therefore validatePermission check fails.

I tried forcing the ignoreRights parameter of lookupPersonalFolder to be true, i.e. I changed the call in lookupName method of SOGoParentFolder to be

  obj = [self lookupPersonalFolder: name
                    ignoringRights: YES];

After this change it works just great, I get the results using ldapsearch. I guess bypassing the security checks of the contacts folder is not an optimal solution, though...

TagsNo tags attached.

Activities

wsourdeau

wsourdeau

2010-11-04 14:57

viewer   ~0001701

Nice catch. I applied your fix, but directly to the code of sogo-slapd-sockd to avoid side effets. The only downside is that it will prevent lookups on subscribed addressbooks...

Fixed in e0e6c176d8cb78a7e264cc9d2f05c2cf5bfb77f5

Issue History

Date Modified Username Field Change
2010-10-13 23:41 tj New Issue
2010-10-25 17:33 ludovic Target Version => 1.3.4
2010-11-04 14:57 wsourdeau Note Added: 0001701
2010-11-04 14:57 wsourdeau Status new => resolved
2010-11-04 14:57 wsourdeau Fixed in Version => 1.3.4
2010-11-04 14:57 wsourdeau Resolution open => fixed
2010-11-04 14:57 wsourdeau Assigned To => wsourdeau