
[#12271] gollem ftp login performed while not needed
Summary: gollem ftp login performed while not needed
Queue: Horde Groupware Webmail Edition
Queue Version: 5.0.4
Type: Bug
State: Not A Bug
Priority: 3. High
Owners:
Requester: maciej.uhlig (at) us (dot) edu (dot) pl
Created: 05/23/2013 (4424 days ago)
Due: 05/23/2013 (4424 days ago)
Updated: 05/25/2013 (4422 days ago)
Assigned:
Resolved: 05/25/2013 (4422 days ago)
Github Issue Link:
Github Pull Request:
Milestone:
Patch: No

History
05/25/2013 08:35:58 PM Michael Slusarz State ⇒ Not A Bug
 
05/25/2013 12:19:20 PM maciej (dot) uhlig (at) us (dot) edu (dot) pl Comment #5
> your config is wrong
Actually Michael was right. I didn't define all levels of permissions 
to gollem ftp disk (gollem:backends:ftp). Now it works correctly.

You can close this issue. Thank you.
05/24/2013 01:31:55 PM Michael Slusarz Comment #4
> In my opinion horde shouldn't attempt to ftp login while it is not 
> needed because of lack of permission to do it.
Maybe the solution is to check for application permissions when 
attempting transparent authentication *if* the user is already 
authenticated to Horde.

Not sure if this is too broad or prevents a valid use case though.  If 
so, this check can be done in an application that handles transparent 
authentication instead (imp, gollem).
05/24/2013 05:43:11 AM maciej (dot) uhlig (at) us (dot) edu (dot) pl Comment #3
> Seems to me that if you are seeing multiple failing transparent 
> authentication requests to gollem, either 1) your config is wrong or
This is of course possible although I can't see my fault. From my 
point of view the problem is as follows: the user doesn't have permission 
to run gollem (i.e. there are individual users who have the read 
permission for gollem so I assume my test user doesn't have one). 
Nevertheless horde attempts to make an ftp login using this user's 
credentials (hordeauth = full) and it fails after several seconds. The ftp 
login attempt is tried several times and the test user has to wait a 
minute or so for login, which is not acceptable.

In my opinion horde shouldn't attempt to ftp login while it is not 
needed because of lack of permission to do it.

May I send you offline cachegrind.out trace of the case?

05/24/2013 04:56:55 AM Michael Slusarz Comment #2
> Until now application permissions, although defined, are not checked.
This doesn't sound right.

Transparent authentication shouldn't require any application 
permission checks, since transparent auth does not require a user and, 
therefore, permission checks may be impossible.

Example: gollem might have no permissions for guest users.  But 
transparent authentication is set up so that, if connecting from a 
certain IP address, the user is automatically logged in.  Obviously, 
we can't check for application permissions here or else transparent 
authentication would never occur.

Seems to me that if you are seeing multiple failing transparent 
authentication requests to gollem, either 1) your config is wrong or 
2) gollem's transparent authentication is incorrect.  But I don't see 
any issue here with the registry's handling of authentication (maybe 
an optimization - failing authentication requests in a session can be 
cached - but that's not a bug).
05/23/2013 01:03:24 PM maciej (dot) uhlig (at) us (dot) edu (dot) pl Comment #1
Priority ⇒ 3. High
Type ⇒ Bug
Summary ⇒ gollem ftp login performed while not needed
Due ⇒ 05/23/2013
Queue ⇒ Horde Groupware Webmail Edition
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
Namely, while the gollem application has 'active' registry status, horde 
tries to do ftp_login and user authorization even for those users who 
don't have a gollem disk (and permission to use gollem). This leads to 
a very long wait for the horde screen display. ftp_login is called 8 times 
for one login (yes) and it adds some 30 seconds of extra waiting for 
login.

Horde registry initialization should only be performed for those 
applications which the user has permission to use.

Generally speaking, the reason is as follows:

- for every active application, Horde_Registry->hasPermission is 
called in listApps()
- hasPermission() makes isAuthenticated() check
- isAuthenticated() tries transparent authentication
- then callAppMethod() is called with 'noperms' => true
- and finally Gollem_Auth performs ftp_login

Until now application permissions, although defined, are not checked.
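
The call chain listed in Comment #1, together with the two mitigations raised in Comments #2 and #4 (caching a failed transparent authentication for the session, and checking application permissions first when a Horde user is already known), as a simplified Python model. This is an added example, not part of the ticket and not Horde or Gollem code; every class, method and flag name is a hypothetical stand-in and the sample users are constructed.

```python
# Simplified model, not Horde/Gollem code; all names are hypothetical.
class FtpBackend:
    """Stands in for the FTP server behind gollem and counts login attempts."""
    def __init__(self, valid_users):
        self.valid_users = set(valid_users)
        self.login_attempts = 0

    def login(self, user):
        self.login_attempts += 1      # in the ticket each attempt takes seconds
        return user in self.valid_users

class Registry:
    def __init__(self, backend, perms, cache_failures=False, check_perms_first=False):
        self.backend = backend
        self.perms = perms            # application -> set of permitted users
        self.cache_failures = cache_failures
        self.check_perms_first = check_perms_first
        self.session = {}             # application -> result of last auth attempt

    def is_authenticated(self, app, user):
        state = self.session.get(app)
        if state is True:
            return True
        if self.cache_failures and state is False:
            return False              # Comment #2: remember the failure for the session
        # Comment #4: only when a Horde user is known; guests (user=None) must
        # still reach transparent authentication, per the caveat in Comment #2.
        if self.check_perms_first and user is not None \
                and user not in self.perms.get(app, set()):
            return False
        self.session[app] = self.backend.login(user)   # transparent authentication
        return self.session[app]

    def has_permission(self, app, user):
        if not self.is_authenticated(app, user):
            return False
        return user in self.perms.get(app, set())

def simulate_login(registry, user, calls=8):
    """One Horde login in which has_permission('gollem') runs `calls` times."""
    return [registry.has_permission("gollem", user) for _ in range(calls)]

if __name__ == "__main__":
    perms = {"gollem": {"alice"}}     # constructed sample data
    for opts in ({}, {"cache_failures": True}, {"check_perms_first": True}):
        ftp = FtpBackend({"alice"})
        simulate_login(Registry(ftp, perms, **opts), "testuser")
        print(opts or "baseline", "-> FTP login attempts:", ftp.login_attempts)
```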
