Bug 36949 - saslauthd cache delays authentication relevant LDAP-changes for IMAP/SMTP login for hours
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
Version: UCS 4.0
Hardware: Other Linux
Priority/Severity: P5 normal
Target Milestone: UCS 4.0-0-errata
Assigned To: Felix Botner
QA Contact: Sönke Schwardt-Krummrich
Duplicates: 27981
Reported: 2014-11-24 09:04 CET by Ingo Steuwer
Modified: 2017-05-02 11:57 CEST (History)
Description Ingo Steuwer univentionstaff 2014-11-24 09:04:01 CET
saslauthd caches successful authentications for 8 hours.

If an account has to be blocked or if passwords are changed, it also takes up to 8 hours until the security-relevant change is enforced. This is confusing and in some situations a security risk.

If possible, a listener plugin should invalidate an account in the saslauthd cache after a relevant LDAP change; if this is not possible by account we should review the risk of invalidating the whole sasl cache.

see also Bug #27981
Comment 1 Stefan Gohmann univentionstaff 2014-12-04 09:05:11 CET
We decided to decrease the cache time to 30 minutes (via UCR). If it is possible, we should invalidate a user in the saslauthd cache but I think it isn't possible to invalidate just one user.

Furthermore, a section on how to increase the cache time should be added to the performance guide. In the manual we should add a note that saslauthd should be restarted if a user was disabled.
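As an added illustration (not code from this bug, from Univention's package or from Cyrus SASL), a small model of a saslauthd-style positive-result cache, assuming the cache is keyed by user and stores a hash of the accepted password: it shows that a disabled account keeps logging in until its cached entry expires, so the timeout (8 h built-in versus the 1800 s chosen here) bounds the exposure window, and that only a per-user invalidation hook, which the comment notes saslauthd does not offer, closes it immediately.

```python
import hashlib

SASLAUTHD_DEFAULT_TIMEOUT = 8 * 3600  # saslauthd's built-in cache lifetime, seconds
UCS_TIMEOUT = 1800                    # mail/saslauthd/cache/timeout default chosen in this bug


class Directory:
    """Stand-in for LDAP: the authoritative password and 'disabled' flag per user."""

    def __init__(self):
        self.users = {}
    def set_password(self, user, password):
        self.users[user] = {"password": password, "disabled": False}
    def disable(self, user):
        self.users[user]["disabled"] = True
    def check(self, user, password):
        rec = self.users.get(user)
        return rec is not None and not rec["disabled"] and rec["password"] == password


class CachingAuthd:
    """saslauthd-like front end (assumed model, not the real implementation): a
    successful check is cached for `timeout` seconds, keyed by user, holding a
    hash of the accepted password."""

    def __init__(self, backend, timeout):
        self.backend, self.timeout, self.cache = backend, timeout, {}

    def authenticate(self, user, password, now):
        digest = hashlib.sha256(password.encode()).hexdigest()
        entry = self.cache.get(user)
        if entry and entry["digest"] == digest and now < entry["expires"]:
            return True  # cache hit: LDAP is not consulted, so LDAP changes stay invisible
        if self.backend.check(user, password):
            self.cache[user] = {"digest": digest, "expires": now + self.timeout}
            return True
        return False

    def invalidate(self, user):
        """Hypothetical per-user invalidation; saslauthd only offers a full restart."""
        self.cache.pop(user, None)


def accepted_after_disable(timeout, seconds_later, invalidate=False):
    """Log in at t=0, disable the account in LDAP, then retry `seconds_later` later."""
    ldap = Directory()
    ldap.set_password("alice", "s3cret")  # constructed sample account
    authd = CachingAuthd(ldap, timeout)
    assert authd.authenticate("alice", "s3cret", now=0)
    ldap.disable("alice")
    if invalidate:
        authd.invalidate("alice")
    return authd.authenticate("alice", "s3cret", now=seconds_later)
```

With the 8 h default the disabled account is still accepted an hour later; with 1800 s it is rejected from second 1800 on, and with per-user invalidation it is rejected at once.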
Comment 2 Felix Botner univentionstaff 2014-12-15 16:18:38 CET
univention-sasl: Added mail/saslauthd/cache/timeout (default 1800 [s]) to univention-sasl to define the cache timeout (saslauthd -t)

performance-guide-4.0.xml: Added section Mailserver

mail-de.xml/mail-ed.xml: Added note to "Assignment of e-mail addresses to users"

YAML: 2014-12-12-univention-sasl.yaml
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2015-01-28 17:44:04 CET
OK: YAML

OK: functional check
    tail -f /var/log/auth.log & watch testIMAP -s $HOST -u $USER -p $PWD
    ==> each saslauthd process drops its cache after the specified timeout.

REOPEN: code review
        UCR variable description should be reworded. Everything else is ok.
---[suggestion]---
[mail/saslauthd/cache/timeout]
Description[de]=Timeout für den Authentifizierungs-Cache in Sekunden
Description[en]=Timeout of the authentication cache in seconds
---[cut]---

> performance-guide-4.0.xml: Added section Mailserver
> 
> mail-de.xml/mail-ed.xml: Added note to "Assignment of e-mail addresses to
> users"

Made some changes (syntax and text) to the manual.
Comment 4 Felix Botner univentionstaff 2015-02-02 13:16:51 CET
(In reply to Sönke Schwardt-Krummrich from comment #3)
> OK: YAML
> 
> OK: functional check
>     tail -f /var/log/auth.log & watch testIMAP -s $HOST -u $USER -p $PWD
>     ==> each saslauthd process drops its cache after the specified timeout.
> 
> REOPEN: code review
>         UCR variable description should be reworded. Everything else is ok.
> ---[suggestion]---
> [mail/saslauthd/cache/timeout]
> Description[de]=Timeout für den Authentifizierungs-Cache in Sekunden
> Description[en]=Timeout of the authentication cache in seconds
> ---[cut]---

OK, I updated the description and rebuilt the package for errata4.0-0

2014-12-12-univention-sasl.yaml
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2015-02-04 11:04:50 CET
OK: UCR description change
OK: YAML
Comment 6 Janek Walkenhorst univentionstaff 2015-02-04 15:54:45 CET
<http://errata.univention.de/ucs/4.0/67.html>
Comment 7 Daniel Tröder univentionstaff 2017-05-02 11:57:23 CEST
*** Bug 27981 has been marked as a duplicate of this bug. ***