
[#12271] gollem ftp login performed while not needed
Summary gollem ftp login performed while not needed
Queue Horde Groupware Webmail Edition
Queue Version 5.0.4
Type Bug
State Not A Bug
Priority 3. High
Owners
Requester maciej.uhlig (at) us (dot) edu (dot) pl
Created 2013-05-23 (2125 days ago)
Due 05/23/2013 (2125 days ago)
Updated 2013-05-25 (2123 days ago)
Assigned
Resolved 2013-05-25 (2123 days ago)
Milestone
Patch No

History
2013-05-25 20:35:58 Michael Slusarz State ⇒ Not A Bug
 
2013-05-25 12:19:20 maciej (dot) uhlig (at) us (dot) edu (dot) pl Comment #5
> your config is wrong
Actually Michael was right. I didn't define all levels of permissions 
to gollem ftp disk (gollem:backends:ftp). Now it works correctly.

You can close this issue. Thank you.
2013-05-24 13:31:55 Michael Slusarz Comment #4
> In my opinion horde shouldn't attempt to ftp login while it is not 
> needed because of lack of permission to do it.
Maybe the solution is to check for application permissions when 
attempting transparent authentication *if* the user is already 
authenticated to Horde.

Not sure if this is too broad or prevents a valid use case though.  If 
so, this check can be done in an application that handles transparent 
authentication instead (imp, gollem).
2013-05-24 05:43:11 maciej (dot) uhlig (at) us (dot) edu (dot) pl Comment #3
> Seems to me that if you are seeing multiple failing transparent 
> authentication requests to gollem, either 1) your config is wrong or
This is of course possible although I can't see my fault. From my 
point of view the problem is as follows: user doesn't have permission 
to run gollem (i.e. there are individual users who have the read 
permission for gollem so I assume my test user doesn't have one). 
Nevertheless horde attempts to make ftp login using this user's 
credentials (hordeauth = full) and it fails after several seconds. Ftp 
login attempt is tried several times and test user has to wait a 
minute or so for login which is not acceptable.

In my opinion horde shouldn't attempt to ftp login while it is not 
needed because of lack of permission to do it.

May I send you offline cachegrind.out trace of the case?

2013-05-24 04:56:55 Michael Slusarz Comment #2
> Until now application permissions, although defined, are not checked.
This doesn't sound right.

Transparent authentication shouldn't require any application 
permission checks, since transparent auth does not require a user and, 
therefore, permission checks may be impossible.

Example: gollem might have no permissions for guest users.  But 
transparent authentication is set up so that, if connecting from a 
certain IP address, the user is automatically logged in.  Obviously, 
we can't check for application permissions here or else transparent 
authentication would never occur.

Seems to me that if you are seeing multiple failing transparent 
authentication requests to gollem, either 1) your config is wrong or 
2) gollem's transparent authentication is incorrect.  But I don't see 
any issue here with the registry's handling of authentication (maybe 
an optimization - failing authentication requests in a session can be 
cached - but that's not a bug).
2013-05-23 13:03:24 maciej (dot) uhlig (at) us (dot) edu (dot) pl Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 3. High
Summary ⇒ gollem ftp login performed while not needed
Due ⇒ 2013-05-23
Queue ⇒ Horde Groupware Webmail Edition
Milestone ⇒
Patch ⇒ No
Namely, while gollem application has 'active' registry status, horde 
tries to do ftp_login and user authorization even for those users who 
don't have gollem disk (and permission to use gollem). This leads to 
very long wait for horde screen display. ftp_login is called 8 times 
for one login (yes) and it makes some 30 seconds extra to wait for 
login.

Horde registry initialization should only be performed for those 
applications which the user has permission to use.

Generally speaking, the reason is as follows:

- for every active application, Horde_Registry->hasPermission is 
called in listApps()
- hasPermission() makes isAuthenticated() check
- isAuthenticated() tries transparent authentication
- then callAppMethod() is called with 'noperms' => true
- and finally Gollem_Auth performs ftp_login

Until now application permissions, although defined, are not checked.
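
The two mitigations raised in Comments #2 and #4 (check application permissions before transparent authentication when the user is already authenticated to Horde, and cache failed authentication requests for the session), as an added model that is not Horde's own code. Every class, method and user name here is hypothetical, the 8 calls mirror the count reported in Comment #1, and the code assumes PHP 8.

```php
<?php
// Added model, not Horde code: all names below are hypothetical.
final class FtpBackend {
    public int $logins = 0;
    public function login(string $user, string $pass): bool {
        $this->logins++;   // each call stands for one slow ftp_login()
        return false;      // constructed: the test user has no FTP account
    }
}

final class Registry {
    private array $failed = [];   // per-session negative cache: app => true

    public function __construct(
        private FtpBackend $ftp,
        private array $perms,          // app => users allowed to use it
        private bool $checkPerms,      // mitigation from Comment #4
        private bool $cacheFailures    // optimization from Comment #2
    ) {}

    // Transparent auth forwards the Horde credentials to the backend.
    // $user is assumed to be already authenticated to Horde, which is the
    // only case in which a permission check is possible (Comment #2).
    public function isAuthenticated(string $app, string $user, string $pass): bool {
        if ($this->checkPerms && !in_array($user, $this->perms[$app] ?? [], true)) {
            return false;              // no permission: never touch the backend
        }
        if ($this->cacheFailures && isset($this->failed[$app])) {
            return false;              // already failed once in this session
        }
        $ok = $this->ftp->login($user, $pass);
        if (!$ok) {
            $this->failed[$app] = true;
        }
        return $ok;
    }
}

// Counts backend logins caused by $calls permission lookups in one session.
function countLogins(bool $checkPerms, bool $cacheFailures, int $calls = 8): int {
    $ftp = new FtpBackend();
    $reg = new Registry($ftp, ['gollem' => ['alice']], $checkPerms, $cacheFailures);
    for ($i = 0; $i < $calls; $i++) {
        $reg->isAuthenticated('gollem', 'testuser', 'secret');
    }
    return $ftp->logins;
}

printf("no guard:               %d\n", countLogins(false, false));
printf("permission check first: %d\n", countLogins(true, false));
printf("cache failed attempts:  %d\n", countLogins(false, true));
```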
