Users can still login after removal from Openldap group

Users can still login after removal from Openldap group

Postby pdcrom » Fri Feb 24, 2012 2:21 pm

Hi,

I'm using openldap to authenticate the subsonic users; version 4.6 on linux.

I'm using the following filter: (&(uid={0})(memberof=cn=subsonic,ou=groups,dc=mydomain,dc=net))
Adding new users, and adding them to the group works fine, they can login to subsonic without any problem.
But when I remove a user from the LDAP group subsonic, they can still login?!

When executing
ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=<username>)" -b dc=mydomain,dc=net memberOf

it no longer shows the 'memberof' attribute, as it should.

The only way to fix it is to restart the subsonic service, and after that the user is no longer able to login.

Is subsonic caching the login information in any way? Why should I restart the service?

Thanks, Paul.
pdcrom
 
Posts: 1
Joined: Fri Feb 24, 2012 1:57 pm

Passwords must be cached

Postby spookybathtub » Fri Apr 27, 2012 6:56 am

It seems the subsonic server must be caching login information. Here are some related symptoms of this:
  • If the LDAP server goes offline, users can still login.
  • If I change the LDAP password or URL in subsonic settings, users can still login.
  • Subsonic logs LDAP activity the first time a user logs in. But subsequent LDAP logins are not logged.
Number one in that list might be a benefit in some situations, but this caching could also be a security flaw. Without documentation, we don't know what format the passwords are stored in, or where. We need an option to disable this caching. This is now the only thing holding me back from using subsonic at my university.
spookybathtub
 
Posts: 110
Joined: Thu Oct 07, 2010 7:13 am

Re: Users can still login after removal from Openldap group

Postby sir2u » Fri Apr 27, 2012 6:35 pm

I think caching is a good idea, but the defaults are a little ridiculous. You can edit the ehcache.xml file to adjust this. On a Tomcat installation, the file is located at /var/lib/tomcat6/webapps/subsonic/WEB-INF/classes/ehcache.xml.

Edit the following stanza (Don't use these values though. This is just an example):

<cache name="userCache"
       maxElementsInMemory="500"
       eternal="false"
       timeToIdleSeconds="60"
       timeToLiveSeconds="60"
       overflowToDisk="false"/>

Maybe set the times to 1 hour intervals or whatever makes sense to you.

Do me a favor and please post the defaults. I edited my file and forgot to save the original one.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: Users can still login after removal from Openldap group

Postby spookybathtub » Fri Apr 27, 2012 9:41 pm

Thanks for the link. I attached the original xml file.
The default configuration shows that login information is stored in memory, and not cached to disk, so that eases my worry from a security standpoint. However, I noticed some unusual behavior regarding the userCache. The log file shows 3 successful logins in rapid succession, repeated every double of the value I entered. So if I type 5 seconds, it happens every 10. If I type 10 seconds, it happens every 20. Here is an example, with userCache timeToIdleSeconds and timeToLiveSeconds both 10. This happens forever, as long as I'm logged into the web interface. From this, I infer two things:
  • The values entered in the xml file are being doubled.
  • The web client sends three login requests instead of one.
When I listen using iSub, the logs are as I would expect. There is a single successful login each time a new song is played/cached, only if at least 10 seconds have elapsed since the last login.
I don't want my logs to be cluttered with this, so I think I will just set timeToLive to an hour. But I hope someone looks into this bug in the future.

[2012-04-27 14:18:02,150] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:02,261] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:02,262] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:22,167] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:22,168] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:22,171] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:42,508] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:42,509] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:42,511] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:19:02,196] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:19:02,198] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:19:02,199] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
spookybathtub
 
Posts: 110
Joined: Thu Oct 07, 2010 7:13 am
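An added check, not code from this thread or from Subsonic, that ties sir2u's ehcache.xml stanza to spookybathtub's log observation: it reads the userCache TTL out of the XML and groups the SubsonicLdapBindAuthenticator lines into bind bursts, so an administrator can see how long a user removed from the LDAP group keeps being accepted from cache and compare that observed period with the configured value. The stanza and log lines are constructed samples in the formats quoted above, and the 1-second burst gap is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed userCache stanza (thread's format, 10 s test value; not Subsonic's defaults).
EHCACHE_XML = """<cache name="userCache" maxElementsInMemory="500" eternal="false"
    timeToIdleSeconds="10" timeToLiveSeconds="10" overflowToDisk="false"/>"""

# Constructed log lines in the SubsonicLdapBindAuthenticator format quoted above.
LOG = """\
[2012-04-27 14:18:02,150] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:02,261] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:02,262] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:22,167] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
[2012-04-27 14:18:42,508] INFO SubsonicLdapBindAuthenticator - User 'testuser' successfully authenticated in LDAP
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] INFO SubsonicLdapBindAuthenticator - "
                     r"User '(?P<user>[^']+)' successfully authenticated in LDAP")

def cache_ttl(xml_text, cache_name="userCache"):
    """Return (timeToIdleSeconds, timeToLiveSeconds) of the named cache stanza."""
    for cache in ET.fromstring(xml_text).iter("cache"):
        if cache.get("name") == cache_name:
            return int(cache.get("timeToIdleSeconds")), int(cache.get("timeToLiveSeconds"))
    raise KeyError(cache_name)

def auth_bursts(log_text, user, gap=1.0):
    """Group a user's successful binds into bursts: binds less than `gap` seconds
    apart (assumed threshold) count as one burst, e.g. the three rapid web logins."""
    bursts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") != user:
            continue
        t = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        if bursts and (t - bursts[-1][-1]).total_seconds() < gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts

def check(xml_text, log_text, user):
    """Compare the configured TTL with the observed re-bind period; between binds a
    user already removed from the LDAP group is still accepted from the cache."""
    live = cache_ttl(xml_text)[1]
    starts = [b[0] for b in auth_bursts(log_text, user)]
    intervals = [round((b - a).total_seconds(), 3) for a, b in zip(starts, starts[1:])]
    return {"configured_ttl": live, "observed_intervals": intervals}
```

Run check() against the real log after changing timeToLiveSeconds to confirm the revocation window actually shrank to what you configured.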

Re: Users can still login after removal from Openldap group

Postby sir2u » Fri Apr 27, 2012 10:23 pm

I've noticed the same behavior. Unfortunately, I don't see any way around it when people use the web client which is why I recommended a longer time interval.

I think the default values should be adjusted to something more reasonable, but this was a good exercise in finding and adjusting those values. So between all our conversations, hopefully now you have 1. LDAPS authentication 2. login audits 3. reasonable login caching. The only OTHER thing I would recommend is https since these logins are tied to real user accounts for other services.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: Users can still login after removal from Openldap group

Postby spookybathtub » Fri Apr 27, 2012 10:33 pm

Yes, absolutely. SSL was the first thing I got going, and I wrote up a tutorial here because it's not exactly well documented: viewtopic.php?t=9400. The only thing left is to finish ripping 6000 CDs. :)
spookybathtub
 
Posts: 110
Joined: Thu Oct 07, 2010 7:13 am
