fix(LDAP): unblock a cached id from a deleted user or group

[blizzz]

Summary

As of 155b750 we cache the user id and LDAP DN for a month, because they are highly requested, but rarely change and we have a working repair mechanism.

But if an LDAP user is deleted, the information is still cached. So a user that is being regenerated with the same target user ID will get a _xxxx suffix, when the data is still in local cache.

The error case can be reproduced:

1. memcache.local is set to ACPu
2. Log in and out with an LDAP user: 88ce7e0d-cd84-46ab-99c9-d49c1b2aba48
3. occ user:info 88ce7e0d-cd84-46ab-99c9-d49c1b2aba48 shows info about that user
4. Locally delete that user: occ ldap:reset-user 88ce7e0d-cd84-46ab-99c9-d49c1b2aba48
5. Log in with that user again
6. occ user:info 88ce7e0d-cd84-46ab-99c9-d49c1b2aba48 shows that the user does not exist
7. When you look into oc_ldap_user_mapping, you will find a mapping with a _1234 suffix.

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

[blizzz]

/backport to stable32

[come-nc]

Suggested change

	$dude = $this->ncUserManager->get($intName);
	$dude->getBackendClassName() === 'LDAP';

left-over?

[blizzz]

oops 🙂 yes

[come-nc]

I do not understand the getNameByDN part of the comment.
I do not see what prevents collisions with this PR.
If I set username to a non-unique LDAP attribute, with this PR I will run into trouble no?

Would be way cleaner to either clear on ignore the cache in this code path.

[blizzz]

Yeah, this is the problem, it relies on certain behavior inside the Mappings class. More later.

If I set username to a non-unique LDAP attribute, with this PR I will run into trouble no?

No, I don't see why you would.

Would be way cleaner to either clear on ignore the cache in this code path.

I don't want to clear the whole cache, this is pointless for an edge case while the mechanism as a whole is quite effective!

The memcache uses the uid as key (we don't have it) and is not really searchable. So without making the structure bigger and more redundant, which should be avoided, we can make the mapper more complicated:

• remember all DNs that do not resolve in a name (runtime only)
• if we encounter a cache hit involving such a DN, reset the cache entry and discard the value

What I don't like about this approach is that cache logic and mechanism are spread along the mapping. But it is better than the current approach, which relies on certain behaviour in different classes (this gives me the stomach aches tbh).

The good thing is that wrong values don't hurt, they'll be repaired (as long as the cached DN is not-existing that is).

[come-nc]

If I set username to a non-unique LDAP attribute, with this PR I will run into trouble no?

No, I don't see why you would.

To me it looks like this change defeats the collision detection mechanism.
If a user already exists with the same uid, it will happily return it even if it’s not the same one. Or did I miss where there is a check that the existing user and the new one are the same?

[blizzz]

Not that still works:

Also works through web interface (with memcache in action).

Reason is that mapAndAnnounceIfApplicable() will return false due to database constraints (cf. AbstractMapping::map()).

[blizzz]

Nevertheless, would still tend to move it into the mapping. I don't like the reliance on inner workings of other modules, as stated in #56292 (comment).