Hello everyone, I sent these in a while ago, but it seems the problems will most definitely carry through to the next stable release of SOGo.
This first issue presents a serious security risk. With two users in separate domains that have the same UID, authentication works okay, but sometimes (not always) SOGo pulls and applies the LDAP email address from the wrong domain. This affects calendar as well as mail functions. I have not tested the contacts yet. In this case, mail seems to not load, as the IMAP server still needs to authenticate the user with the proper credentials; however, the calendar DOES load and pulls the calendar from the wrong user! In my environment, I am not using bindAsCurrentUser.

The second issue, as noticed by a user back many years ago (https://lists.inverse.ca/sogo/arc/users/2010-08/msg00243.html), deals with the most appropriate cache cleanup interval being far too much time for LDAP passwords to be changed. I feel it is relatively awkward to tell a user that it may take up to 5 minutes for them to be able to log back into SOGo, especially since the email and LDAP servers are both already authenticating with the new password. Any suggestion on how I can separate the LDAP password cache from the rest of the cache? Am I the only user having this problem? This is the case both for OpenLDAP and Active Directory password changes. Or quite possibly, clearing the user's password cache when the user clicks “Change” on the Password preferences tab. Any suggestions?

Thank you again.

~Laz Peterson

--
[email protected]
https://inverse.ca/sogo/lists
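The first problem in the post only arises when the same login value exists in more than one domain's directory. An administrator can audit for that condition before it causes cross-domain data exposure. The script below is an added example, not code from the post or from SOGo: it parses a small constructed LDIF export (sample data, not real accounts) covering two domains, assumes that `uid` is the login attribute and that each entry's domain is given by its `dc=` components, and reports every `uid` that appears in more than one domain together with the `mail` value each domain would hand out.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF export for two domains. The login "jsmith" exists
# in both, which is the colliding-UID situation described in the post.
# The second mail value is base64-encoded ("::") to exercise that LDIF form.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=people,dc=example-a,dc=test
uid: jsmith
mail: jsmith@example-a.test

dn: uid=jsmith,ou=people,dc=example-b,dc=test
uid: jsmith
mail:: anNtaXRoQGV4YW1wbGUtYi50ZXN0

dn: uid=alice,ou=people,dc=example-a,dc=test
uid: alice
mail: alice@example-a.test
"""


def parse_ldif(text):
    """Minimal LDIF parser returning one {attr: [values]} dict per entry.

    Handles folded continuation lines (leading space), comments, and
    base64 values written with a double colon. Attribute names are
    lower-cased so lookups do not depend on the export's capitalisation.
    """
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:  # folded line: append to previous
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        entry = defaultdict(list)
        for line in lines:
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry[attr.strip().lower()].append(value)
        entries.append(dict(entry))
    return entries


def domain_of(dn):
    """Assumed convention: the entry's domain is its dc= components joined by dots."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.lower().startswith("dc="))


def find_uid_collisions(entries, login_attr="uid"):
    """Return {login: {domain: mail}} for every login seen in more than one domain.

    Logins are compared case-insensitively, since most directories treat
    uid (and sAMAccountName in AD) as case-insensitive on lookup.
    """
    seen = defaultdict(dict)
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        mail = entry.get("mail", [""])[0]
        for login in entry.get(login_attr, []):
            seen[login.lower()][domain_of(dn)] = mail
    return {login: doms for login, doms in seen.items() if len(doms) > 1}


if __name__ == "__main__":
    collisions = find_uid_collisions(parse_ldif(SAMPLE_LDIF))
    if not collisions:
        print("No login values are shared across domains.")
    for login, domains in sorted(collisions.items()):
        print(f"login {login!r} exists in {len(domains)} domains:")
        for domain, mail in sorted(domains.items()):
            print(f"  {domain}: mail={mail}")
```

Run it against a real export with `ldapsearch -LLL ... uid mail > export.ldif` from each domain (concatenated) and feed the file contents to `parse_ldif` in place of the sample. Any login the report lists is one that an application keyed on the bare `uid` cannot resolve unambiguously, so it should be renamed or qualified with its domain before the users are exposed through a shared front end.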
