LDAP Authentication, account changes not having effect


Postby Tanner Williamson » Mon Jul 01, 2013 1:05 am

I just got LDAP authentication working. When a user logs into Subsonic with the correct Active Directory credentials, they are created in Subsonic and allowed to log in.

I decided to test a few things out, just to see how well it was working.

- Able to log in as a first-time user with Active Directory credentials. Then logged out.
- Went into Active Directory, disabled the account.
- I was *still* able to log in as the test user, even though the account was disabled.
- I went into Active Directory, re-enabled the account, and changed the test user password.
- I was *still* able to log in as the test user, even though the password was changed.
- I deleted the user account completely in Active Directory.
- I was *still* able to log in as the test user, even though the account was deleted.

I ended up having to manually delete the user from Subsonic as well, in addition to my maintenance in active directory. I'm guessing that the account credentials are cached in Subsonic, and not actually being authenticated against the Active Directory server every time. Does this cache ever expire, if so, how often?

Can anyone else who has LDAP authentication enabled test out these scenarios and comment on what they see? I want to see if this behavior is isolated to my install, or can be seen in other users' installs.
Tanner Williamson
 
Posts: 51
Joined: Mon Dec 14, 2009 7:30 am

Re: LDAP Authentication, account changes not having effect

Postby gurutech » Mon Jul 01, 2013 3:54 am

You may be able to delete the user from Subsonic using the following URL (modify to fit your system) :

http://your-server/rest/deleteUser.view ... ertodelete
gurutech
 
Posts: 492
Joined: Sun Jan 15, 2012 9:56 pm

Re: LDAP Authentication, account changes not having effect

Postby lovebags » Mon Jul 01, 2013 10:17 am

I've been running Subsonic on LDAP for about 3 years and yes that sounds about right with how it behaves. I tend to do a clean install with upgraded software every 6-12 months so it clears out unregistered users anyway.
lovebags
 
Posts: 86
Joined: Wed Feb 02, 2011 1:49 am

Re: LDAP Authentication, account changes not having effect

Postby Tanner Williamson » Mon Jul 01, 2013 3:06 pm

gurutech wrote: You may be able to delete the user from Subsonic using the following URL (modify to fit your system) :

http://your-server/rest/deleteUser.view ... ertodelete



I appreciate the response. The problem isn't that I can't delete users in Subsonic. I can do this, and don't mind doing that. The issue is that with Subsonic being set to do Active Directory authentication, it only ever seems to have to authenticate once, the first time. Then, it stores their password locally. After that, if the user's password is changed in the directory, Subsonic does not update it, nor does it check for the updated password. The user can log in to Subsonic with the old password. And, if the user account is disabled in the directory, blocking login... Subsonic still lets the user log in.

It's just disappointing that the Subsonic Active Directory integration does not check or obey current settings from the directory after its initial account authentication and creation.
Tanner Williamson https://www.tannerwilliamson.com/

Tanner Williamson
 
Posts: 51
Joined: Mon Dec 14, 2009 7:30 am

Re: LDAP Authentication, account changes not having effect

Postby lovebags » Mon Jul 01, 2013 11:13 pm

Actually on second testing, if a user password is changed in our LDAP system then you have to use that new password, the old one doesn't work. So maybe there is something else related to the way the LDAP system works.
lovebags
 
Posts: 86
Joined: Wed Feb 02, 2011 1:49 am

Re: LDAP Authentication, account changes not having effect

Postby Tanner Williamson » Fri Jul 05, 2013 10:32 pm

Is that an immediate effect @lovebags? How long after you change their credentials in Active Directory, does your subsonic installation begin accepting the new credentials over the old credentials? Is it instant, or within 2, 4, 8 hrs, etc?
Tanner Williamson https://www.tannerwilliamson.com/

Tanner Williamson
 
Posts: 51
Joined: Mon Dec 14, 2009 7:30 am

Re: LDAP Authentication, account changes not having effect

Postby daneren2005 » Fri Jul 05, 2013 10:48 pm

It might only be checked during the nightly scan

Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm

Re: LDAP Authentication, account changes not having effect

Postby sir2u » Mon Jul 15, 2013 5:16 pm

Check step 13 on this tutorial I made a while ago: http://forum.subsonic.org/forum/viewtopic.php?f=6&t=9426. It might point you in the right direction.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

LDAP Authentication, account changes not having effect

Postby lovebags » Wed Aug 14, 2013 1:17 pm

Tanner Williamson wrote: Is that an immediate effect @lovebags? How long after you change their credentials in Active Directory, does your subsonic installation begin accepting the new credentials over the old credentials? Is it instant, or within 2, 4, 8 hrs, etc?

Not exactly sure, but since we have to change our passwords every so often I'll try and remember to check Subsonic as soon as it's done to test.
lovebags
 
Posts: 86
Joined: Wed Feb 02, 2011 1:49 am

Re: LDAP Authentication, account changes not having effect

Postby Tanner Williamson » Sat Mar 22, 2014 2:08 am

So apparently the users are cached within Subsonic, and the TTL is set up to retain the cache for 48 hours by default. That means even if you deleted the user in Active Directory, or disabled them, they would still be able to use Subsonic potentially for an additional 48 hours when they last logged in before their account status was changed. It is possible to change this setting, but not through the Web GUI.

You can modify the cache TTL to a much lower value than 48 hours, but you will need to locate and edit an XML file on the file system which defines this. You will need to search the file system for ehcache.xml

As of Subsonic 4.9, when installed on Ubuntu, this is located at
/var/subsonic/jetty/3853/webapp/WEB-INF/classes/ehcache.xml


You can also search the file system to find the file with this command:
find / -name ehcache.xml


Once you've found your file, open it with an editor and find the section that looks like this:
<cache name="userCache"
        maxElementsInMemory="1000"
        eternal="false"
        timeToIdleSeconds="172800"
        timeToLiveSeconds="172800"


And change the 172800 (48 hours or 60 seconds * 60 minutes * 24 hours * 2 days) to another value in seconds. For one hour, you'd use 3600 (60 seconds * 60 minutes = 3600). I want my system to update fast so I'm using a TTL of just 300 seconds or 5 minutes. Save your edit and then issue a reboot to make sure subsonic reloads the config and applies the new settings.
Tanner Williamson https://www.tannerwilliamson.com/

Tanner Williamson
 
Posts: 51
Joined: Mon Dec 14, 2009 7:30 am
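
The edit described in the last post, as an added example that is not part of the original thread: shell functions that report and rewrite the two TTL attributes of the userCache element only, keeping a backup of the file. The function names, the sample file, its closing `/>` and the exampleOtherCache element are constructed for illustration; only the userCache attribute names and values come from the post.

```shell
#!/bin/sh
# Added example: report and lower the userCache TTL in an ehcache.xml.

# Print "idle=<n> live=<n>" for the userCache element only.
usercache_ttl() {
    awk '
        /<cache name="userCache"/ { inuser = 1 }
        inuser && match($0, /timeToIdleSeconds="[0-9]+"/) { idle = substr($0, RSTART + 19, RLENGTH - 20) }
        inuser && match($0, /timeToLiveSeconds="[0-9]+"/) { live = substr($0, RSTART + 19, RLENGTH - 20) }
        inuser && />/ { inuser = 0 }   # end of the opening tag
        END { print "idle=" idle " live=" live }
    ' "$1"
}

# Set both TTL attributes of userCache to $2 seconds; keeps <file>.bak.
set_usercache_ttl() {
    file=$1 ttl=$2
    case $ttl in ''|*[!0-9]*) echo "TTL must be whole seconds" >&2; return 2 ;; esac
    cp -p "$file" "$file.bak" || return 1
    awk -v ttl="$ttl" '
        /<cache name="userCache"/ { inuser = 1 }
        inuser {
            gsub(/timeToIdleSeconds="[0-9]+"/, "timeToIdleSeconds=\"" ttl "\"")
            gsub(/timeToLiveSeconds="[0-9]+"/, "timeToLiveSeconds=\"" ttl "\"")
            if ($0 ~ />/) inuser = 0
        }
        { print }
    ' "$file.bak" > "$file"
}

# Constructed sample file; a second cache shows that other TTLs are left alone.
write_sample() {
    cat > "$1" <<'EOF'
<ehcache>
    <cache name="userCache"
        maxElementsInMemory="1000"
        eternal="false"
        timeToIdleSeconds="172800"
        timeToLiveSeconds="172800"/>
    <cache name="exampleOtherCache"
        timeToIdleSeconds="600"
        timeToLiveSeconds="600"/>
</ehcache>
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp/ehcache.xml"
usercache_ttl "$tmp/ehcache.xml"
set_usercache_ttl "$tmp/ehcache.xml" 300 && usercache_ttl "$tmp/ehcache.xml"
rm -rf "$tmp"
```

Running `usercache_ttl` against the real file before and after the edit confirms how long a disabled or deleted directory account can keep working from the cache.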