Univention Bugzilla – Bug 55424
make SAML identity cache database configurable
Last modified: 2023-12-19 12:12:04 CET
The current SAML identity cache has problems with concurrent write operations. Therefore we should make it configurable via UCR whether an in-memory storage should be used or a shelve/bdb database.

+++ This bug was initially created as a clone of Bug #54880 +++

The following traceback shows up if you log in with SAML on a school replica.

UCS: 5.0-1 errata310
Installed: cups=2.2.1 dhcp-server=12.0 prometheus-node-exporter=2.0.1 radius=5.0 samba4=4.13 squid=3.5 ucsschool=5.0 v1 4.4/ucsschool-veyon-proxy=1.1
Upgradable:

17.06.22 15:28:30.238  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python3/dist-packages/cherrypy/lib/encoding.py", line 220, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/cherrypy/_cpdispatch.py", line 60, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1258, in index
    return acs(binding, message, relay_state)
  File "/usr/sbin/univention-management-console-web-server", line 1281, in attribute_consuming_service_iframe
    response = self.acs(message, binding)
  File "/usr/sbin/univention-management-console-web-server", line 1395, in acs
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "/usr/lib/python3/dist-packages/saml2/client_base.py", line 717, in parse_authn_request_response
    self.users.add_information_about_person(resp.session_info())
  File "/usr/lib/python3/dist-packages/saml2/population.py", line 27, in add_information_about_person
    session_info["not_on_or_after"])
  File "/usr/lib/python3/dist-packages/saml2/cache.py", line 129, in set
    self._db[cni] = data
  File "/usr/lib/python3.7/shelve.py", line 125, in __setitem__
    self.dict[key.encode(self.keyencoding)] = f.getvalue()
_dbm.error: cannot add item to database

I have no idea where this comes from and what the root cause is. Restarting the services does not fix the problem.
We should make the in-memory store the default, I think
The SAML identity cache is now configurable via UCR variable umc/saml/in-memory-identity-cache. By default it is used, except when multiprocessing is enabled via umc/http/processes at the time of the upgrade.

univention-management-console.yaml
b827e4fd5652 | feat(umc saml): make SAML identity cache configurable

univention-management-console (12.0.13-3)
b827e4fd5652 | feat(umc saml): make SAML identity cache configurable
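As an added example (not Univention's or pysaml2's code), a constructed analogue of the cache selection described in the comment above: the identity cache is either a per-process dict or a shelve/dbm file, as in the traceback, and the UCR variable decides which. The treatment of umc/http/processes (any value other than "1" counts as multiprocessing enabled) and the shelve path are assumptions.

```python
import shelve
import time
from typing import Optional


def ucr_is_true(value: Optional[str], default: bool) -> bool:
    """UCR boolean convention: true/yes/on/1, case-insensitive; unset -> default."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "on", "1")


def upgrade_default(ucr: dict) -> str:
    """Value written for umc/saml/in-memory-identity-cache at upgrade time.
    Assumption: multiprocessing is 'enabled' whenever umc/http/processes is not '1'.
    An in-memory cache is per process, so multi-process setups keep the shared file."""
    processes = ucr.get("umc/http/processes", "1").strip()
    return "false" if processes != "1" else "true"


class IdentityCache:
    """Constructed SAML identity cache: name_id -> {entity_id: (not_on_or_after, info)}.
    filename=None gives a per-process dict; a filename gives a shelve/dbm store that
    several UMC processes share (and contend on, which is the bug described above)."""

    def __init__(self, filename: Optional[str] = None):
        self.shared = filename is not None
        self._db = shelve.open(filename, writeback=True) if filename else {}

    def set(self, name_id: str, entity_id: str, info, not_on_or_after: float) -> None:
        entry = self._db.get(name_id, {})
        entry[entity_id] = (not_on_or_after, info)
        self._db[name_id] = entry  # reassign so shelve persists the change
        if self.shared:
            self._db.sync()

    def get(self, name_id: str, entity_id: str, now: Optional[float] = None):
        """Return cached session info, or None if absent or past not_on_or_after."""
        now = time.time() if now is None else now
        item = self._db.get(name_id, {}).get(entity_id)
        if item is None or item[0] <= now:
            return None
        return item[1]


def make_identity_cache(ucr: dict, shelve_path: str = "/tmp/umc-saml-identity-cache"):
    """Pick the backend from UCR; the in-memory cache is the default when unset."""
    if ucr_is_true(ucr.get("umc/saml/in-memory-identity-cache"), default=True):
        return IdentityCache()
    return IdentityCache(shelve_path)  # assumed path, not the product's real location
```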
umc/saml/in-memory-identity-cache=true: OK
umc/saml/in-memory-identity-cache=false: OK
YAML: OK
<https://errata.software-univention.de/#/?erratum=5.0x485>