View Issue Details

ID: 0002169
Project: SOGo
Category: Web Calendar
View Status: public
Last Update: 2013-04-05 18:44
Reporter: ryacketta
Assigned To: jraby
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.0.3a
Fixed in Version: 2.0.5
Summary: 0002169: Possible bug with session and LDAP filtering
Description

We use an LDAP attribute to grant/deny access to SOGo.

When I set the attribute to disabled, SOGo refuses my login as expected.

ldapsearch -x -LLL -h *** "(uid=useruid)" accountStatusCalendar
dn: uid=useruid,ou=*,o=**
accountStatusCalendar: disabled

As seen above, the attribute is disabled and I cannot log in.

Jan 09 14:33:05 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:08 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:09 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:09 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:10 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:11 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Jan 09 14:33:11 sogod [19916]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0

If I set the attribute to active, I am allowed to log in.

[root@server ~]# ldapsearch -x -LLL -h ** "(uid=useruid)" accountStatusCalendar
dn: uid=useruid,ou=*,o=**
accountStatusCalendar: active

Jan 09 14:35:29 sogod [19916]: SOGoRootPage successful login for user 'useruid' - expire = -1 grace = -1

Now the kicker: I log out and set the attribute to disabled, and yet SOGo will allow me to log in until I run sogo-tool to expire sessions.

[root@server ~]# ldapsearch -x -LLL -h ** "(uid=useruid)" accountStatusCalendar
dn: uid=useruid,ou=,o=****
accountStatusCalendar: disabled

Jan 09 14:36:01 sogod [19920]: SOGoRootPage successful login for user 'useruid' - expire = -1 grace = -1

/usr/sbin/sogo-tool expire-sessions 1

Jan 09 14:45:54 sogod [20820]: SOGoRootPage Login for user 'useruid' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0

Additional Information

filter settings in SOGo.conf

authenticationFilter = "(accountStatusCalendar=active)";
filter = "(accountStatusCalendar=active)";

If I am not mistaken, authenticationFilter is only used for MySQL logins and can / should be removed.

The same filter used in SOGo.conf works for ldapsearch as well

ldapsearch -x -LLL -h * "(accountStatusCalendar=active)" uid
dn: uid=useruid,ou=**,o=*
uid: xtester1

dn: uid=useruid,ou=**,o=*****
uid: xtester2

Tags: No tags attached.

Relationships

parent of 0001719 closed ludovic Impossible to change password at logon time (pwdreset ppolicy)
has duplicate 0002263 closed Exclude password caching
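
A log audit for the behaviour reported above, added here as an example (not code from the SOGo project or the reporter): it lists successful sogod logins recorded at or after a cut-off time for users that the `(accountStatusCalendar=active)` filter does not return. The function names, sample LDIF, sample log lines, user names and cut-off time are constructed for illustration; the year is passed in because the sogod timestamps shown carry none.

```python
import re
from datetime import datetime

# Success-line format as it appears in the sogod log excerpts of this report.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) sogod \[\d+\]: SOGoRootPage "
    r"successful login for user '(?P<user>[^']+)'")

def active_uids(ldif_text):
    """uid values from `ldapsearch -LLL ... "(accountStatusCalendar=active)" uid`."""
    # LDIF folds long lines; a continuation line starts with one space.
    unfolded = re.sub(r"\n ", "", ldif_text)
    uids = set()
    for line in unfolded.splitlines():
        name, sep, value = line.partition(": ")
        if sep and name.lower() == "uid":
            uids.add(value.strip())
    return uids

def logins_outside_filter(log_lines, allowed, since, year):
    """(timestamp, user) for successful logins at or after `since` by users
    that the directory filter does not return."""
    hits = []
    for line in log_lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        # sogod timestamps have no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts >= since and m["user"] not in allowed:
            hits.append((ts, m["user"]))
    return hits

# Constructed sample data (hypothetical users, not records from the report).
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,o=example\nuid: alice\n\n"
    "dn: uid=carol-long,ou=people,o=example\nuid: carol-\n long\n")
SAMPLE_LOG = [
    "Jan 09 14:35:29 sogod [19916]: SOGoRootPage successful login for user 'bob' - expire = -1 grace = -1",
    "Jan 09 14:36:01 sogod [19920]: SOGoRootPage successful login for user 'bob' - expire = -1 grace = -1",
    "Jan 09 14:36:20 sogod [19920]: SOGoRootPage successful login for user 'alice' - expire = -1 grace = -1",
    "Jan 09 14:45:54 sogod [20820]: SOGoRootPage Login for user 'bob' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0",
]
DISABLED_AT = datetime(2013, 1, 9, 14, 35, 45)  # constructed: when bob was set to disabled

if __name__ == "__main__":
    for ts, user in logins_outside_filter(SAMPLE_LOG, active_uids(SAMPLE_LDIF), DISABLED_AT, 2013):
        print(f"{ts} successful login for '{user}', who is not matched by the filter")
```

The comparison uses the directory state at audit time, so the cut-off should be the time the account status was changed.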

Issue History

Date Modified     Username   Field                           Change
2013-01-09 19:49  ryacketta  New Issue
2013-01-09 19:52  ludovic    Status                          new => assigned
2013-01-09 19:52  ludovic    Assigned To                     => jraby
2013-02-05 17:11  jraby      Note Added: 0005338
2013-02-05 19:37  jraby      Status                          assigned => feedback
2013-02-05 19:37  jraby      Fixed in Version                => 2.0.5
2013-02-05 19:37  jraby      View Status                     private => public
2013-02-05 19:37  jraby      Description Updated
2013-02-05 19:37  jraby      Additional Information Updated
2013-02-05 19:57  jraby      Description Updated
2013-03-06 14:11  jraby      Relationship added              has duplicate 0002263
2013-03-07 13:42  francis    Relationship added              parent of 0001719
2013-04-05 18:43  ludovic    Status                          feedback => closed
2013-04-05 18:44  ludovic    Resolution                      open => fixed