[Owncloud] Heavy LDAP user search

Dirk Kastens dirk.kastens at uni-osnabrueck.de
Fri Sep 21 11:59:32 UTC 2012


On 21.09.2012 12:11, Arthur Schiwon wrote:
> I think there is a misunderstanding. When you want to share a file and the list
> of shared users is supposed to be up to date, then every request will need to
> do a full scan. How else is the software (ownCloud) supposed to know the
> changes? Except your LDAP pushes a notification about it to ownCloud.
I think the main problem is that ownCloud relies only on its own
database. It statically stores LDAP user and group data in the tables
oc_ldap_group_mapping, oc_ldap_group_members, and oc_ldap_user_mapping.
And these tables are not up to date until you rescan the directory.

This is a different approach compared to other software products. I
configured, for example, a Drupal CMS and a system monitoring software
with LDAP authentication. The access rights to certain features are
based upon LDAP groups. But, in contrast to ownCloud, the software
queries the LDAP server each time a user tries to access a certain
feature. This way, the access rights are always up to date. As soon as I
add a user to an LDAP group, the access is granted. And as soon as I
delete a user from a group, the access is denied.

That means, as soon as an ownCloud user tries to access a file that is
shared with the members of an LDAP group, oc has to make a request to
the LDAP server to see if the user is a member of the group. It should
be sufficient to query the group memberships at login time. So they are
valid until the user logs out. If a user is deleted from a group, the
next time he logs in the access to a share will be denied.

I don't know how complicated it is to implement, but as other
software works that way, it should be possible.

Dirk
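
The three behaviours compared in this message (a static mapping table, a directory query on every access, and a group snapshot taken at login), as an added Python example that is not part of the original post and is not ownCloud code. The `Directory` class is a constructed in-memory stand-in for an LDAP server, and all class, function, user and group names are assumptions made for illustration.

```python
class Directory:
    """Constructed in-memory stand-in for the LDAP server (no network access)."""
    def __init__(self, groups):
        self.groups = {g: set(m) for g, m in groups.items()}

    def groups_of(self, user):
        return frozenset(g for g, m in self.groups.items() if user in m)

class MappingTable:
    """Static copy of group members, refreshed only by an explicit rescan."""
    def __init__(self, directory):
        self.directory = directory
        self.rescan()

    def rescan(self):
        self.copy = {g: set(m) for g, m in self.directory.groups.items()}

    def can_access(self, user, group):
        return user in self.copy.get(group, set())

class LiveQuery:
    """Asks the directory on every access check."""
    def __init__(self, directory):
        self.directory = directory

    def can_access(self, user, group):
        return group in self.directory.groups_of(user)

class LoginSnapshot:
    """Reads group memberships once at login; valid until logout."""
    def __init__(self, directory):
        self.directory = directory
        self.sessions = {}

    def login(self, user):
        self.sessions[user] = self.directory.groups_of(user)

    def can_access(self, user, group):
        # No session means no access; the snapshot is never refreshed mid-session.
        return group in self.sessions.get(user, frozenset())

def revocation_timeline():
    """Return (table, live, snapshot) decisions after a removal and after a refresh."""
    d = Directory({"staff": {"alice", "bob"}})   # constructed sample data
    table, live, snap = MappingTable(d), LiveQuery(d), LoginSnapshot(d)
    snap.login("bob")
    d.groups["staff"].discard("bob")             # admin removes bob from the group
    after_removal = tuple(m.can_access("bob", "staff") for m in (table, live, snap))
    table.rescan()                               # directory rescan
    snap.login("bob")                            # bob logs out and in again
    after_refresh = tuple(m.can_access("bob", "staff") for m in (table, live, snap))
    return after_removal, after_refresh
```

The window in which a removed member keeps access is bounded by the rescan interval for the mapping table and by the session lifetime for the login snapshot; only the per-access query closes it immediately.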
