View Issue Details

IDProjectCategoryView StatusLast Update
0002279SOGoBackend Generalpublic2013-04-09 15:05
Reporterbofhus Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version2.0.4b 
Target Version2.0.5Fixed in Version2.0.5 
Summary0002279: Session lost after SOGoCacheCleanupInterval
Description

Hi :)

This is NOT "missing OCSSessionsFolderURL" issue.

OCSSessionsFolderURL is set and working - session entry appears in MySQL database. But every time after inactivity longer then SOGoCacheCleanupInterval SOGo redirect me to the login page.

I tried to debug it myself. First I added debug logs in SOGoSession.m:
In line 72, after "if(d) {" I added "NSLog(@"BJ-DEBUG1 %@",d);".

In the log appears full session record from MySQL.

Then I added debug logs in SOGoWebAuthenticator.m:
In line 103, after "[SOGoSession decodeValue: ... ]" I added

NSLog(@"BJ-DEBUG2 %@",value);
NSLog(@"BJ-DEBUG3 %@ %@ %@",username,domain,password);

The same lines appears in the log for memcached and MySQL checks:
2013-03-29 19:45:40.183 sogod[19728] BJ-DEBUG1 {"c_creationdate" = 13645...
2013-03-29 19:45:40.191 sogod[19728] BJ-DEBUG2 m5JLAs/AMyS...
2013-03-29 19:45:40.191 sogod[19728] BJ-DEBUG3 bogdan@bingo.mydomain.com.pl (null) password

This first log line appears only for MySQL check, of course.

Could you help me and give some advices, where to search?

Boguslaw Juza

TagsNo tags attached.

Activities

2013-03-29 23:38

 

debug1 (1,120 bytes)   
<32 get session:KEbT8bxYNsidTvEv7oJ60w== 
>32 END
<32 set session:KEbT8bxYNsidTvEv7oJ60w== 0 10 216
>32 STORED
<32 get session:KEbT8bxYNsidTvEv7oJ60w== 
>32 sending key session:KEbT8bxYNsidTvEv7oJ60w==
>32 END
<32 get bogdan@bingo.mydomain.com.pl+attributes 
>32 END
<32 set bogdan@bingo.mydomain.com.pl+attributes 0 10 56
>32 STORED
<32 get u00001-bingo+attributes 
>32 END
<32 set u00001-bingo+attributes 0 10 264
>32 STORED
<32 set bogdan@bingo.mydomain.com.pl+attributes 0 10 264
>32 STORED
<32 set u00001-bingo@bingo.mydomain.com.pl+attributes 0 10 264
>32 STORED
<32 get session:KEbT8bxYNsidTvEv7oJ60w== 
>32 sending key session:KEbT8bxYNsidTvEv7oJ60w==
>32 END
<32 get session:KEbT8bxYNsidTvEv7oJ60w== 
>32 sending key session:KEbT8bxYNsidTvEv7oJ60w==
>32 END
<32 set bogdan@bingo.mydomain.com.pl+attributes 0 10 320
>32 STORED
<32 get bogdan@bingo.mydomain.com.pl@bingo.mydomain.com.pl+attributes 
>32 END
<32 set bogdan@bingo.mydomain.com.pl@bingo.mydomain.com.pl+attributes 0 10 4
>32 STORED
<32 get anonymous+defaults 
>32 END
<32 get u00001-bingo+attributes 
>32 sending key u00001-bingo+attributes
>32 END
debug1 (1,120 bytes)   
bofhus

bofhus

2013-03-29 23:41

reporter   ~0005456

Last edited: 2013-03-29 23:43

I started memcached in debug mode and I logged dump attached above. It was catched after iddle > SOGoCacheCleanupInterval

bofhus

bofhus

2013-03-29 23:50

reporter   ~0005458

LDAP user record:

dn: cn=u00001,o=bingo,dc=mydomain,dc=local
objectClass: top
objectClass: person
objectClass: knkPerson
cn: u00001
o: bingo
mail: bogdan@bingo.mydomain.com.pl
uid: u00001-bingo
knkMailQuota: 8192
userPassword: {SSHA}cutted
displayName: Boguslaw Juza
givenName: Boguslaw
sn: Juza

From SOGo config file:

CNFieldName = displayName;
UIDFieldName = uid;
bindFields = ( mail };
id = bingo;
filter = "(o='bingo' AND NOT knkDisable='*')";

bofhus

bofhus

2013-04-02 11:40

reporter   ~0005469

The SOGoEnableDomainBasedUID flag is set to NO in my config file. If I change it to YES, session works correctly. But SOGo adds domain name to UID and to e-mail, so it creates bogdan@bingo.mydomain.com.pl@bingo.mydomain.com.pl.

I have unique uids in all domains and I do not want to use domain-based UIDs.
But while SOGo is recreating memcached entries, it forces it. In memcached debug log these enteries appears:

<31 set bogdan@bingo.mydomain.com.pl@bingo.mydomain.com.pl+attributes 0 10 4

31 STORED

jraby

jraby

2013-04-03 10:45

viewer   ~0005481

I reproduced the issue here.

Here's the simplest config to reproduce the bug:

<pre>
domains = {
acme.com = {
SOGoMailDomain = acme.com;
SOGoUserSources = (
{
CNFieldName = cn;
IDFieldName = uid;
UIDFieldName = uid;
baseDN = "ou=acme,dc=example,dc=com";
bindDN = "cn=admin,dc=example,dc=com";
bindPassword = sogo;
bindFields = (mail);
canAuthenticate = YES;
displayName = "Acme Shared Addresses";
hostname = "ldap://127.0.0.1:3389/";
id = acme_directory;
isAddressBook = YES;
type = ldap;
},
);
};
</pre>

Sample user ldap entry:
<pre>
dn: uid=acme1,ou=acme,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: Acme One
sn: One
givenName: Acme
homePhone: +1 (123) 456-7890
l: Vladivostok
mail: acme1@acme.com
telephoneNumber: +1 (120) 987-6543
uid: acme1
userPassword:: e1NTSEF9K1IxWUlCZTJaaEVCa084MkJRUWhsdDgyZHc4S1RGWkZlUjJDQXc9P
Q==
</pre>

  • Shutdown memcached
  • try to login as acme1@acme.com... it won't work, you'll be redirected to the login page infinitely

It seems to happen only if bindfields contains (mail).

jraby

jraby

2013-04-09 13:48

viewer   ~0005501

This should be fixed in the next nightly build: https://github.com/inverse-inc/sogo/commit/eec8c07d4f061a2006bd7ec9967a2b1c92e7618b

Note that the data returned by the UIDFieldName attribute (uid in the example above) MUST still be unique across the entire SOGo installation.

So, a setup like this will NOT work:
<pre>
dn: uid=jdoe,ou=acme,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: John Doe
sn: Doe
givenName: John
mail: john@acme.com
telephoneNumber: +1 (120) 987-6543
uid: jdoe
userPassword: patate

dn: uid=jdoe,ou=coyote,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: Jack Doe
sn: Doe
givenName: John
mail: jack@coyote.com
telephoneNumber: +1 (120) 987-6543
uid: jdoe
userPassword: patate
</pre>

Even if the complete DN is different, since both users shares the same 'uid' value, sogo will consider this as being the same user (they will end up using the same database tables behind the scenes...)
Keep this in ming when designing your ldap server, make sure to assign a unique uid value to each user.

bofhus

bofhus

2013-04-09 14:59

reporter   ~0005502

This patch fixes this issue and session is now preserved after longer idle time. Thanks! :)

I have UIDs created by scheme CN-OU, so they are unique across the entire SOGo.

Issue History

Date Modified Username Field Change
2013-03-29 15:53 bofhus New Issue
2013-03-29 23:38 bofhus File Added: debug1
2013-03-29 23:41 bofhus Note Added: 0005456
2013-03-29 23:43 bofhus Note Edited: 0005456
2013-03-29 23:50 bofhus Note Added: 0005458
2013-04-02 11:40 bofhus Note Added: 0005469
2013-04-03 10:45 jraby Note Added: 0005481
2013-04-09 13:48 jraby Note Added: 0005501
2013-04-09 13:48 jraby Status new => feedback
2013-04-09 14:59 bofhus Note Added: 0005502
2013-04-09 15:05 ludovic Target Version => 2.0.5
2013-04-09 15:05 ludovic Status feedback => closed
2013-04-09 15:05 ludovic Resolution open => fixed
2013-04-09 15:05 ludovic Fixed in Version => 2.0.5