(ITS#4760) problem with group caching and proxyAuth control
2006-11-24 08:33:15
Gerald Richter wrote:
>> I'm not sure I understand the issue you describe. In fact,
>> groups appear to be cached on a per-operation basis, and user
>> membership is evaluated using the authorized identity (B in
>> your case), so the behavior should be correct. I've made a
>> simple check using re23 and things appear to work as
>> expected: I log in as a user (A) that is not in a group and
>> authorize as a user (B) that is in that group.  I previously
>> configured slapd so that only members of that group are
>> allowed to read an attribute in the whole db (say "cn").
>> Things work as expected: if I log in as user A I can't see
>> "cn", but if I either log in as user B, or log in as user A
>> and proxyAuthz as B, I can read the "cn". Can you provide a
>> simple example (slapd.conf, db.ldif and sequence of
>> operations, e.g. in a shell script) that causes the issue you see?
>>
>
> I think the point is that the group must be evaluated already in the search
> for the AuthzTo attribute.
>
> So my User A has the AuthzTo attribute set to User B and I have the
> following access control:
>
> access to *
>         by group/accessCTRL/uniqueMember="cn=Admins,dc=testuml,dc=test" write
>         by * break
>
> ...
>
> access to * attrs=authzTo
>         by self read
>         by * break
>
> ...
>
> User A is not a member of cn=Admins,dc=testuml,dc=test, but user B is. So when
> I log in as user A and proxyAuth to B, OpenLDAP will evaluate the group
> membership for A and cache it during the search for the ACL to authzTo. A
> is not a member.
>
> Now when the actual search operation takes place, OpenLDAP will use the
> cached result (which was "is not member"), which is wrong because the user
> has changed since the group membership was cached.
>
> I hope this makes the problem more clear (I have a test environment here,
> but it is very complex and easily transferable)
>
OK, I see.  In my test the ACLs for authzTo didn't make use of groups.  It
makes sense to clear out identity-related cached stuff when the identity
changes.  What I'm looking for is a __simple__ test that exploits the
feature.  This would allow one to clearly spot the issue in the first place,
and prepare a regression test.  I'll do some more testing.

p.




Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
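The stale-cache sequence Gerald describes, as an added Python model (not OpenLDAP code and not from the ITS): a per-operation group cache is filled while the authzTo ACL is checked for A, the proxyAuthz control switches the identity to B, and the cached answer is reused unless identity-related entries are cleared on the change, which is the fix Pierangelo suggests. User DNs and the directory content are constructed; the group DN and ACL shape follow the thread.

```python
# Added example, not OpenLDAP code: models the ITS#4760 group-cache problem.
# slapd caches group-membership answers per operation; with proxyAuthz the
# authorization identity changes mid-operation, so an answer computed for A
# must not be reused for B.  All names below are constructed for the demo.

ADMINS = "cn=Admins,dc=testuml,dc=test"      # group named in the ACL
USER_A = "cn=A,dc=testuml,dc=test"           # binds; not in Admins
USER_B = "cn=B,dc=testuml,dc=test"           # A's authzTo target; in Admins

# Constructed directory content: group DN -> set of member DNs.
GROUP_MEMBERS = {ADMINS: {USER_B}}


class Operation:
    """One LDAP operation carrying a per-operation group-membership cache."""

    def __init__(self, authc_dn, clear_cache_on_identity_change):
        self.authz_dn = authc_dn          # identity ACLs are evaluated against
        self.clear_on_change = clear_cache_on_identity_change
        self.group_cache = {}             # group DN -> bool, keyed on group only
        self.evaluations = 0              # real (uncached) membership lookups

    def is_member(self, group_dn):
        """ACL 'by group/...' clause: answer from cache, else evaluate."""
        if group_dn not in self.group_cache:
            self.evaluations += 1
            members = GROUP_MEMBERS.get(group_dn, set())
            self.group_cache[group_dn] = self.authz_dn in members
        return self.group_cache[group_dn]

    def proxy_authz(self, new_dn):
        """proxyAuthz accepted: the operation now runs as new_dn.  The fix
        discussed in the thread is to drop identity-related cache data here."""
        self.authz_dn = new_dn
        if self.clear_on_change:
            self.group_cache.clear()


def proxied_search(clear_cache_on_identity_change):
    """A binds, proxyAuthz to B, then searches an Admins-only attribute.
    Returns (result at the authzTo stage for A, result for B, evaluations)."""
    op = Operation(USER_A, clear_cache_on_identity_change)
    # 1. Checking authzTo: 'access to *' comes first, so the Admins group is
    #    evaluated for the current identity A and the answer (False) is cached.
    at_authzto = op.is_member(ADMINS)
    # 2. The authzTo check passes and the identity becomes B.
    op.proxy_authz(USER_B)
    # 3. The actual search hits the same group clause, now for B.
    at_search = op.is_member(ADMINS)
    return at_authzto, at_search, op.evaluations
```

With the cache kept across the identity change, B is denied without any re-evaluation; with the cache cleared, the group is evaluated again and B is granted access.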


Contact problem
2006-11-24 09:58:49
If it isn't too late, before you do anything, make a backup copy of your PST
files somewhere safe, away from where you are messing around with the
current files.

I would also run the tool to save your office settings.

You may not want to restore old settings because they don't work, but you do
want to be in a position to be able to restore your stuff to where you are
now.

MK




----- Original Message -----
From: "Steve Szabo" <stevelandoctor.com>
To: <outlook-users@yahoogroups.com>
Sent: Friday, November 24, 2006 1:19 AM
Subject: RE: Contact problem


> SCANPST is meant to check your Outlook PST file, which is a database, and
> repair any problems it may detect. When you use it, it should be run until
> no detectable errors are present. SCANDISK is a program for older versions
> of Windows, through Windows ME, and is no longer available. For Windows 2000
> and XP, you run a program called CHKDSK which can be invoked by opening My
> Computer, right clicking on a hard drive (most likely just one, C:, is
> available to you), and selecting Properties. Select the Tools tab, and then
> select the Check now button. In the pop-up that opens check both options and
> OK. If your drive has been prepared properly (it is formatted with the NTFS
> file system), you will be notified that the volume is not available for error
> checking, and it will be run at the next startup. Click OK and then restart
> your machine to allow it to run. If disk errors are found, they should be
> repaired, and you will see the notification; if there are no errors the
> program will run to completion. Then your machine will proceed with a normal
> startup.
>
> To check to see if the problem is within the PST structure you currently
> have, create a new PST file, then try to populate it with new entries that
> have comments added. If this works, import the data from your old PST file
> to the new and remove the old from your profile. If this is not the
> solution, then delete the new PST file, delete your profile, and recreate
> the profile. Please note that if you do not have the information recorded
> from your current profile, make a note of it before removing it.
>
> Report the results of your efforts back here. The next step is pretty
> drastic and we want to ensure the previous steps have not resolved your
> issue.
>
>
> \Steve//
> -----Original Message-----
> From: outlook-users@yahoogroups.com [mailto:outlook-users@yahoogroups.com]
> On Behalf Of BOB TAYLOR
> Sent: Thursday, November 23, 2006 12:41 PM
> To: outlook-users@yahoogroups.com
> Subject: Re: Contact problem
>
> I ran scan.pst and couldn't find scandisk.exe on my machine.
> Let me try to explain my problem better, because I am not looking to
> recover data, but input it in Outlook.
>
> When I create a contact and wish to make comments in the note area on
> the bottom and click "save" it saves all the information above, but as
> it is saving the entry the comments become highlighted and disappear.
> When I open the contact all the pertinent data about the contact is
> there, but the comment/note is gone.
>
> If anyone can come up with a solution I would be grateful.
>
> Bob Taylor, Licensed Private Detective - New Jersey License # 5993
> 400-8 Cranbury Road, East Brunswick, NJ  08816
> Voice: 732-238-4400 Fax: 732-210-0235
> Mailto:bobtaylor@njsleuth.com
> Web Site: <http://www.njsleuth.com/>
>
> Proud member www.missingkin.com
>
>


