Univention Bugzilla – Bug 36949
saslauthd cache delays authentication relevant LDAP-changes for IMAP/SMTP login for hours
Last modified: 2017-05-02 11:57:23 CEST
saslauthd caches successful authentications for 8 hours. If an account has to be blocked or if passwords are changed, it also takes up to 8 hours until the security-relevant change is enforced. This is confusing and in some situations a security risk. If possible, a listener plugin should invalidate an account in the saslauthd cache after a relevant LDAP change; if this is not possible per account, we should review the risk of invalidating the whole sasl cache. See also Bug #27981.
We decided to decrease the cache time to 30 minutes (via UCR). If it is possible, we should invalidate a user in the saslauthd cache, but I think it isn't possible to invalidate just one user. Furthermore, a section on how to increase the cache time should be added to the performance guide. In the manual we should add a note that saslauthd should be restarted if a user was disabled.
univention-sasl: Added mail/saslauthd/cache/timeout (default 1800 [s]) to univention-sasl to define the cache timeout (saslauthd -t)
performance-guide-4.0.xml: Added section Mailserver
mail-de.xml/mail-ed.xml: Added note to "Assignment of e-mail addresses to users"
YAML: 2014-12-12-univention-sasl.yaml
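A policy check for the setting introduced in this fix, added here as an example; it is not part of the bug report or of the univention-sasl package. It computes the effective saslauthd credential-cache lifetime from the daemon's option string and compares it with a policy maximum. Assumptions: on Debian-based systems saslauthd reads its flags from the OPTIONS= line in /etc/default/saslauthd; "-c" enables the cache and "-t <seconds>" sets its lifetime, which saslauthd defaults to 28800 s (the 8 hours named in the report) when -c is given without -t. The option strings in the block are constructed samples, not values read from a system.

```shell
#!/bin/sh
# Added example (not from the bug report or univention-sasl): derive the
# effective saslauthd cache timeout from its option string and check it
# against a policy maximum.
#
# Assumptions: saslauthd flags live in the OPTIONS= line of
# /etc/default/saslauthd; -c enables the credential cache, -t N sets its
# lifetime in seconds, and the built-in default with -c but no -t is 28800 s.

# Print the effective cache timeout in seconds for a saslauthd option string.
# Prints 0 when the cache is disabled (no -c present).
saslauthd_cache_timeout() {
    opts="$1"
    cache=0
    timeout=28800            # saslauthd default when -c is set without -t
    prev=""
    for tok in $opts; do     # plain word-splitting of the option string
        case "$prev" in
            -t) timeout="$tok" ;;
        esac
        case "$tok" in
            -c) cache=1 ;;
        esac
        prev="$tok"
    done
    if [ "$cache" -eq 1 ]; then
        echo "$timeout"
    else
        echo 0
    fi
}

# Succeed (exit 0) if the effective timeout is within the policy maximum,
# fail (exit 1) otherwise. Usage: saslauthd_cache_within_policy "<opts>" <max>
saslauthd_cache_within_policy() {
    max="$2"
    t=$(saslauthd_cache_timeout "$1")
    [ "$t" -le "$max" ]
}

# Constructed samples: the pre-fix default and the 1800 s value from this bug.
DEFAULT_OPTS="-c -m /var/run/saslauthd"
FIXED_OPTS="-c -m /var/run/saslauthd -t 1800"
POLICY_MAX=1800

for opts in "$DEFAULT_OPTS" "$FIXED_OPTS"; do
    if saslauthd_cache_within_policy "$opts" "$POLICY_MAX"; then
        echo "OK:   '$opts' (cache lifetime $(saslauthd_cache_timeout "$opts") s)"
    else
        echo "WARN: '$opts' keeps credentials for $(saslauthd_cache_timeout "$opts") s, above $POLICY_MAX s"
    fi
done
```

On a real host the option string would be taken from the running configuration instead of the constructed samples; the check reports the window during which a disabled account or changed password is still accepted by IMAP/SMTP logins, which is exactly the gap this bug is about.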
OK: YAML
OK: functional check
tail -f /var/log/auth.log & watch testIMAP -s $HOST -u $USER -p $PWD
==> each saslauthd process drops its cache after the specified timeout.
REOPEN: code review
UCR variable description should be reworded. Everything else is ok.
---[suggestion]---
[mail/saslauthd/cache/timeout]
Description[de]=Timeout für den Authentifizierungs-Cache in Sekunden
Description[en]=Timeout of the authentication cache in seconds
---[cut]---
> performance-guide-4.0.xml: Added section Mailserver
>
> mail-de.xml/mail-ed.xml: Added note to "Assignment of e-mail addresses to users"
Made some changes (syntax and text) to the manual.
(In reply to Sönke Schwardt-Krummrich from comment #3)
> OK: YAML
>
> OK: functional check
> tail -f /var/log/auth.log & watch testIMAP -s $HOST -u $USER -p $PWD
> ==> each saslauthd process drops its cache after the specified timeout.
>
> REOPEN: code review
> UCR variable description should be reworded. Everything else is ok.
> ---[suggestion]---
> [mail/saslauthd/cache/timeout]
> Description[de]=Timeout für den Authentifizierungs-Cache in Sekunden
> Description[en]=Timeout of the authentication cache in seconds
> ---[cut]---
OK, I updated the description and rebuilt the package for errata4.0-0.
2014-12-12-univention-sasl.yaml
OK: UCR description change
OK: YAML
<http://errata.univention.de/ucs/4.0/67.html>
*** Bug 27981 has been marked as a duplicate of this bug. ***