View Issue Details

IDProjectCategoryView StatusLast Update
0002169SOGoWeb Calendarpublic2013-04-05 14:44
Reporterryacketta Assigned Tojraby 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version2.0.3a 
Fixed in Version2.0.5 
Summary0002169: Possible bug with session and LDAP filtering
Description

We use an LDAP attribute to grant/deny access to SOGo.

When I set the attribute to disabled SOGo refuses my login as expected

ldapsearch -x -LLL -h *** "(uid=useruid)" accountStatusCalendar
dn: uid=useruid,ou=*
,o=**
accountStatusCalendar: disabled

As seen above, attribute is disabled and I can not login

Jan 09 14:33:05 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:08 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:09 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:09 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:10 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:11 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:11 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0

If I set the attribute to active I am allowed to login

[root@server ~]# ldapsearch -x -LLL -h ** "(uid=useruid)" accountStatusCalendar
dn: uid=useruid,ou=*,o=**
accountStatusCalendar: active

Jan 09 14:35:29 sogod [19916]: SOGoRootPage successful login for user 'useruid' - expire = -1 grace = -1

Now the kicker, I log out and set the attribute to disabled and yet SOGo will allow me to login until I run sogo-tool to expire sessions.

[root@server ~]# ldapsearch -x -LLL -h ** "(uid=useruid)" accountStatusCalendar
dn: uid=useruid,ou=,o=****
accountStatusCalendar: disabled

Jan 09 14:36:01 sogod [19920]: SOGoRootPage successful login for user 'useruid' - expire = -1 grace = -1

/usr/sbin/sogo-tool expire-sessions 1

Jan 09 14:45:54 sogod [20820]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0

Additional Information

filter settings in SOGo.conf

authenticationFilter = "(accountStatusCalendar=active)";
filter = "(accountStatusCalendar=active)";

If I am not mistaken authenticationFilter is only used for MySQL logins and can / should be removed.

The same filter used in SOGo.conf works for ldapsearch as well

ldapsearch -x -LLL -h * "(accountStatusCalendar=active)" uid
dn: uid=useruid,ou=**
,o=*

uid: xtester1

dn: uid=useruid,ou=**,o=*****
uid: xtester2

TagsNo tags attached.

Relationships

parent of 0001719 closedludovic Impossible to change password at logon time (pwdreset ppolicy) 
has duplicate 0002263 closed Exclude password caching 

Issue History

Date Modified Username Field Change
2013-01-09 14:49 ryacketta New Issue
2013-01-09 14:52 ludovic Status new => assigned
2013-01-09 14:52 ludovic Assigned To => jraby
2013-02-05 12:11 jraby Note Added: 0005338
2013-02-05 14:37 jraby Status assigned => feedback
2013-02-05 14:37 jraby Fixed in Version => 2.0.5
2013-02-05 14:37 jraby View Status private => public
2013-02-05 14:37 jraby Description Updated
2013-02-05 14:37 jraby Additional Information Updated
2013-02-05 14:57 jraby Description Updated
2013-03-06 09:11 jraby Relationship added has duplicate 0002263
2013-03-07 08:42 francis Relationship added parent of 0001719
2013-04-05 14:43 ludovic Status feedback => closed
2013-04-05 14:44 ludovic Resolution open => fixed