#335 HTTP session authenticates LDAP for every table cell

[Robert Havlásek]

Hello, everyone, first, thanks for whole project, MRBS is great.

I use MRBS 1.5.0 (newly upgraded) with LDAP authentication (web server in linux, LDAP server in Win2013SR2).
It seems MRBS works for me as described in http://sourceforge.net/p/mrbs/bugs/238/ , every cell calls authValidateUser() and asks LDAP server for credentials (searches whole subtree of $ldap_base_dn's).
So area with 18 rooms and 20 time slots take cca 20 seconds per every refresh :-(
((Situation viewed by Wireshark on LDAP server.))

I see, that in session_http.inc is written some patch (probably by Campbell Morrison):
if ((isset($authorised_user) && ($authorised_user == $user)) || ...
that looks great, I understand the idea, but I'm affraid it doesn't work for me :-(

Any suggestions?
Thanks a lot...
Robert

[Campbell Morrison]

Which version of MRBS have you just upgraded from?

[Robert Havlásek]

From MRBS 1.4.9+svn.
(But I've had this version configured with authentication via IMAP to
GMail, which was a little bit uncomfortable to manage.
About 14 days ago, Google doesn't let user to authenticate -- instead
of this Google sends mail to user about "denying
less secure app to access to IMAP", linking to
https://support.google.com/accounts/answer/6010255?hl=en -- so it
couldn't be used :-( But it's another topic, not about LDAP's calling
authValidateUser())
Thanks,
Robert

2015-11-03 16:51 GMT+01:00 Campbell Morrison cimorrison@users.sf.net:

Which version of MRBS have you just upgraded from?

---

[bugs:#335] HTTP session authenticates LDAP for every table cell

Status: open
Group: Future_Requests
Labels: MRBS LDAP authentication
Created: Tue Nov 03, 2015 03:32 PM UTC by Robert Havlásek
Last Updated: Tue Nov 03, 2015 03:32 PM UTC
Owner: nobody

Hello, everyone, first, thanks for whole project, MRBS is great.

I use MRBS 1.5.0 (newly upgraded) with LDAP authentication (web server in
linux, LDAP server in Win2013SR2).
It seems MRBS works for me as described in
http://sourceforge.net/p/mrbs/bugs/238/ , every cell calls
authValidateUser() and asks LDAP server for credentials (searches whole
subtree of $ldap_base_dn's).
So area with 18 rooms and 20 time slots take cca 20 seconds per every
refresh :-(
((Situation viewed by Wireshark on LDAP server.))

I see, that in session_http.inc is written some patch (probably by Campbell
Morrison):
if ((isset($authorised_user) && ($authorised_user == $user)) || ...
that looks great, I understand the idea, but I'm affraid it doesn't work for
me :-(

Any suggestions?
Thanks a lot...
Robert

---

Sent from sourceforge.net because you indicated interest in
https://sourceforge.net/p/mrbs/bugs/335/

To unsubscribe from further messages, please visit
https://sourceforge.net/auth/subscriptions/

[Anonymous]

From MRBS 1.4.9+svn.
(But I've had this version configured with authentication via IMAP to
GMail, which was a little bit uncomfortable to manage.
About 14 days ago, Google doesn't let user to authenticate -- instead
of this Google sends mail to user about "denying
less secure app to access to IMAP", linking to
https://support.google.com/accounts/answer/6010255?hl=en -- so it
couldn't be used :-( But it's another topic, not about LDAP's calling
authValidateUser())
Thanks,
Robert

[Robert Havlásek]

sorry, not looged in... so, once more :-)

From MRBS 1.4.9+svn.
(But I've had this version configured with authentication via IMAP to
GMail, which was a little bit uncomfortable to manage.
About 14 days ago, Google doesn't let user to authenticate -- instead
of this Google sends mail to user about "denying
less secure app to access to IMAP", linking to
https://support.google.com/accounts/answer/6010255?hl=en -- so it
couldn't be used :-( But it's another topic, not about LDAP's calling
authValidateUser())
Thanks,
Robert

[Campbell Morrison]

Mmmm. I'm puzzled. I haven't got an LDAP server to test it, but I've tried to simulate it by using the 'db' authentication scheme and putting a sleep(1) in authValidateUser(). However I'm only getting one call to authValidateUser() per page.

[Robert Havlásek]

Good idea, putting sleep(1) into authValidateUser(). As a try, I putted sleep(30) in it too. Found, that it was really ran once per page (I was authenticated just once time).
Found too, that multiple LDAP requests are also sent, when nobody is logged-in (in anonymous mode).
Somewhere in MRBS-scripts has to be another calling of multiple LDAP bindRequests, searchRequests and unbindRequests, which makes viewing complete page (day.php) unusable :-(
Viewing view_entry.php also calls bindRequests+searchRequests+unbindRequests 4 times (which is not complication, runs fast, just by the way)...
Is it possible, that some inner routine asks for credentials of every record's owner?

P. S. Sorry for making puzzled :-)

[Campbell Morrison]

I think the problem is that authGetUserLevel() is getting called multiple times. authGetUserLevel() is called by auth_book_admin() which is called by getWritable() which is called once per cell.

I'll try and work out a fix

[Campbell Morrison]

Yes, authGetUserLevel() is the culprit. I put a sleep(1) in there and my page takes ages to load. There's probably a quick fix of caching user levels, but I don't think that's the correct answer. The problem will occur whenever you have a slow authentication method - for example using 'db_ext' with a remote database over a slow network, or even using 'db' when the database is slow or on a remote server.

I'll have a look tomorrow at a proper fix.

[Robert Havlásek]

Aaaaha, thanks a lot...
Caching userlevel should be enough...
Are we talking about userlevel of currently logged in user or userlevel of record's (cell's) owner?

[Campbell Morrison]

Here's a quick patch to get you going (I hope). Replace the function auth_book_admin() in mrbs_auth.inc with

function auth_book_admin($user, $room)
{
  static $is_book_admin = array();

  if (!isset($is_book_admin[$user]))
  {
    $is_book_admin[$user] = (authGetUserLevel($user) >= 2);
  }

  return $is_book_admin[$user];
}

I'll have a look tomorrow at a better fix.

[Robert Havlásek]

I've just applied to my installation of MRBS.
Works much better, many thanks!
Robert

[Campbell Morrison]

I think it's going to better to cache the results in authGetUserrLevel(), rather than in auth_book_admin() - the reason being that auth_book_admin() also takes a room parameter. Could you therefore try the attached version of auth_ldap.inc and revert the change to auth_book_admin? auth_book_admin() should now look like this:

function auth_book_admin($user, $room)
{
  return (authGetUserLevel($user) >= 2);
}

[Robert Havlásek]

I've just reverted auth_book_admin and applied attached auth_ldap.inc (with caching).
I confirm, that yesterdays version (patched auth_book_admin) asked LDAP bindRequests+searchRequests+unbindRequests as many times as was count of displayed rooms in that moment.
Todays version (patched authGetUserrLevel) asks LDAP bindRequests+searchRequests+unbindRequests twice (per each DN), which is great!
Thanks a lot!
Robert

[Campbell Morrison]

Thanks for the feedback. I've now committed the change in changeset d7da8202a300. The change will appear in the next release. In the meantime anybody else with the same problem should be able to use the auth_ldap.inc file above.