Regarding the first issue, the SOGo web interface works exactly as expected. This only affects CardDAV and CalDAV clients.
On Feb 11, 2014, at 10:56 AM, Laz C. Peterson <[email protected]> wrote:

> Hello everyone,
>
> I sent these in a while ago, but it seems the problems will most definitely
> carry through to the next stable release of SOGo.
>
> This first issue presents a serious security risk. With two users in
> separate domains that have the same UID, authentication works okay, but
> sometimes (not always) SOGo pulls and applies the LDAP email address from the
> wrong domain. This affects calendar as well as mail functions. I have not
> tested the contacts yet. In this case, mail seems to not load, as the IMAP
> server still needs to authenticate the user with the proper credentials;
> however, the calendar DOES load, and pulls the calendar from the wrong user! In
> my environment, I am not using bindAsCurrentUser.
>
> The second issue, as noticed by a user back many years ago
> (https://lists.inverse.ca/sogo/arc/users/2010-08/msg00243.html), deals with
> the most appropriate cache cleanup interval being far too much time for LDAP
> passwords to be changed. I feel it is relatively awkward to tell a user that
> it may take up to 5 minutes for them to be able to log back into SOGo,
> especially since the email and LDAP servers are both already authenticating
> with the new password. Any suggestion on how I can separate the LDAP
> password cache from the rest of the cache? Am I the only user having this
> problem? This is the case both for OpenLDAP and Active Directory password
> changes. Or quite possibly, clearing the user's password cache when the user
> clicks “Change” on the Password preferences tab.
>
> Any suggestions?
>
> Thank you again.
> ~Laz Peterson

--
[email protected]
https://inverse.ca/sogo/lists
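An added example, not part of the original thread and not SOGo code: one way to list which accounts are exposed to the first issue, by finding UIDs that exist in more than one domain. It assumes each domain's users have been exported as LDIF with `uid` and `mail` attributes; the domain names and entries below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample exports, one per domain (all names and values are made up).
SAMPLE_LDIF = {
    "example.org": """\
dn: uid=jsmith,ou=people,dc=example,dc=org
uid: jsmith
mail: jsmith@example.org

dn: uid=akhan,ou=people,dc=example,dc=org
uid: akhan
mail: akhan@example.org
""",
    "example.net": """\
dn: uid=JSmith,ou=people,dc=example,dc=net
uid: JSmith
mail: john.smith@example.net

dn: uid=mlee,ou=people,dc=example,dc=net
uid: mlee
mail: mlee@example.net
""",
}

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry (plain 'attr: value' lines only)."""
    entry = defaultdict(list)
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                yield dict(entry)
                entry = defaultdict(list)
        elif not line.startswith("#") and ": " in line:
            attr, value = line.split(": ", 1)
            entry[attr.lower()].append(value.strip())

def colliding_uids(exports):
    """Return {uid: {domain: [mail, ...]}} for UIDs that exist in more than one domain."""
    seen = defaultdict(dict)
    for domain, text in exports.items():
        for entry in parse_ldif(text):
            for uid in entry.get("uid", []):
                # LDAP uid matching is case-insensitive, so normalise before comparing.
                seen[uid.lower()][domain] = entry.get("mail", [])
    return {uid: doms for uid, doms in seen.items() if len(doms) > 1}

if __name__ == "__main__":
    for uid, doms in sorted(colliding_uids(SAMPLE_LDIF).items()):
        print(uid, doms)
```

Each UID it reports is an account whose CalDAV and CardDAV access should be checked against the correct owner's data.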
