Koozali.org: home of the SME Server
Obsolete Releases => SME 8.x Contribs => Topic started by: nicolatiana on February 28, 2014, 12:11:17 PM
-
Sme 8 with pydio 5.2.2-1.el5.fws + smeserver-pydio 0.2.9-1.el5.fws. - Access via Firefox 27 or IE 11, both on Windows 8/64 and Firefox 27 on Centos 5.9/64
When I log out, instead of being redirected to the main login page, I go back to the previously logged in pages where I can still access files.
Nicola
-
That's expected, Pydio uses a basic HTTP auth which cannot close a session (closing the browser will terminate the session). What you can do is to redirect users to any page you want when they click on disconnect:
db configuration setprop pydio LogoutUrl http://sme.domain.tld/disconnected.html
signal-event webapps-update
Regards, Daniel
-
Now testing for a production environment, I'm not able to have the logout url redirection working.
This is my db configuration:
[root@sme8-pdc ~]# db configuration show pydio
pydio=webapp
DbName=pydio
DbPassword=q4xlDF051RX1jt4Sa9+lmh4ugReETRkHwkixeOVOYNN+2ustT2JwLrrS2iAvEabLHnW0HrVnQJL9
DbUser=pydio
LogoutUrl=https://www.google.it
access=private
status=enabled
Nicola
-
If something doesn't work as expected out-of-the-box, please raise a bug :-)
-
Maybe it's only a db variable to be configured in some way . . . .
Nicola
-
Nicola, Daniel told you that setting LogoutUrl and invoking webapps-update event should do the trick.. if it doesn't, something isn't working properly..
usually I call it "bug", hence -> bugzilla..
TIA
-
That's expected, Pydio uses a basic HTTP auth which cannot close a session (closing the browser will terminate the session). What you can do is to redirect users to any page you want when they click on disconnect:
However, when you do that, and they then go back to the pydio URL, they will still be able to access files. As you say, with http basic authentication, the only way to remove the login credentials from the browser is to close the browser.
Perhaps someone should convert smeserver-pydio to use ticket based authentication, as used in server-manager.
-
That's expected, Pydio uses a basic HTTP auth which cannot close a session (closing the browser will terminate the session). What you can do is to redirect users to any page you want when they click on disconnect...
Does it make any sense to have a 'disconnect' button on something using Basic auth?
-
It makes sense in some situations: for example, I'm using LemonLDAP::NG to protect my web apps, including Pydio. It's a cookie-based SSO solution but emulates basic auth from the app POV. It can catch any URL and redirect users where I want. I'm using this feature to catch the classic logout link of every protected app and redirect them to the main portal. On a standard SME, as it's using pure basic auth, it doesn't make a lot of sense, but removing it would require patching Pydio itself, which I'd rather avoid.
-
Hi,
This is quite an old thread so I am hoping that there was a fix for this issue.
I am trying to set up my first SME Server. I have the same problems that are described in this thread. It looks like the users weren't given any assistance.
The problem:
user1 accesses smeserver/pydio for their shared directories, however they cannot log out. When user2 on a different machine tries to access Pydio they are actually shown the same screen that user1 cannot log out from!
Obviously this is quite a serious security issue and renders the server unusable for file and directory sharing.
Can anyone point me in the right direction for a solution?
Thanks,
Peter
smeserver 9.1
-
The problem:
user1 accesses smeserver/pydio for their shared directories, however they cannot log out. When user2 on a different machine tries to access Pydio they are actually shown the same screen that user1 cannot log out from!
Absolutely not (or this would indeed be a big security concern). The session is linked to the browser. There's no way you can get the previous session on a different machine. When using basic auth, there's only one way to end the session: close the browser. The disconnect button which doesn't work was just redirecting the user to an arbitrary page. It had no security purpose.
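The point made in the two replies above (a "disconnect" link under HTTP Basic auth cannot end anything server-side, and credentials live only in the browser that sent them, whereas ticket-based auth as used in server-manager keeps session state the server can revoke) is easiest to see in code. The block below is an added illustration, not code from Pydio, smeserver-pydio or server-manager: the user table, header values and the TicketAuth class are constructed for the demo, and the check functions model the behaviour of the two schemes rather than any real implementation.

```python
import base64
import secrets
from typing import Dict, Optional

# Constructed demo user table (a real deployment stores password hashes;
# plain text is used here only to keep the example short).
USERS = {"user1": "s3cret-pass"}


def make_basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a browser resends after a Basic login."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def basic_auth_check(headers: Dict[str, str]) -> Optional[str]:
    """Stateless HTTP Basic check.

    The browser attaches the header to every request and the server keeps no
    session record, so there is nothing a 'logout' link could invalidate.
    Returns the authenticated user name, or None.
    """
    scheme, _, payload = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is None:
        return None
    ok = secrets.compare_digest(expected.encode(), password.encode())
    return user if ok else None


class TicketAuth:
    """Ticket/session-based auth (hypothetical model, not server-manager's code).

    Login issues a random ticket stored server-side; logout deletes it, so the
    same cookie replayed afterwards is rejected.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        expected = USERS.get(user)
        if expected is None or not secrets.compare_digest(
            expected.encode(), password.encode()
        ):
            return None
        ticket = secrets.token_urlsafe(32)
        self._sessions[ticket] = user
        return ticket

    def check(self, headers: Dict[str, str]) -> Optional[str]:
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "ticket":
                return self._sessions.get(value)
        return None

    def logout(self, ticket: str) -> None:
        self._sessions.pop(ticket, None)


def demo() -> Dict[str, bool]:
    """Walk through both schemes; every entry is expected to be True."""
    results: Dict[str, bool] = {}
    browser1 = make_basic_header("user1", "s3cret-pass")
    results["basic_login_ok"] = basic_auth_check(browser1) == "user1"
    # 'Disconnect' under Basic auth only redirects to LogoutUrl; the server
    # changed nothing and browser1 still carries the header, so it is still in.
    results["basic_still_logged_in_after_logout"] = basic_auth_check(browser1) == "user1"
    # A second machine never received user1's header, so it sees no session.
    results["other_machine_sees_nothing"] = basic_auth_check({}) is None

    ticket_auth = TicketAuth()
    ticket = ticket_auth.login("user1", "s3cret-pass")
    cookie = {"Cookie": f"ticket={ticket}"}
    results["ticket_login_ok"] = ticket_auth.check(cookie) == "user1"
    ticket_auth.logout(ticket)
    results["ticket_rejected_after_logout"] = ticket_auth.check(cookie) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The only way to drop the Basic credentials in the first scheme is on the client side (closing the browser), which is exactly the advice given in the thread; the second scheme is what a server-side logout needs.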
-
Hi Daniel,
Thanks for the speedy reply.
I will check my testing and try again but I am sure that is what I saw. I am using Virtualbox for my test server and using different Vmachines and browsers to test.
You mention basic authentication being an issue. Does this mean we can use a better form of authentication that ensures a user can log out, terminates the session and prevents the problem?
Thanks
Peter
-
You mention basic authentication being an issue. Does this mean we can use a better form of authentication that ensures a user can log out, terminates the session and prevents the problem?
I don't consider this an issue, it's the way it works. It's not a problem as long as you are aware of it. There are other ways to auth (against LDAP for example), but it's a lot harder to configure, because you'll have to do it by hand.
-
Daniel,
With all due respect. That is your opinion.
The introduction states: 'Koozali SME Server is a complete, secure, stable and versatile'
If smeserver is designed for business use, security should be the first priority.
I think smeserver is a great solution with a strong community. I would like to believe I can get around this problem.
The majority of file sharing solutions would not be in business very long if they took the same view.
What do the other members say?
best wishes,
Peter
-
The introduction states: 'Koozali SME Server is a complete, secure, stable and versatile'
If smeserver is designed for business use, security should be the first priority.
And security is a top priority for me. I just don't consider basic auth a security issue, as long as you are aware that you must close your browser to end the session.
-
I should add that if security is a concern to you, you should close your browser when you're done using it, no matter which auth mechanism is used.
-
I should add that if security is a concern to you, you should close your browser when you're done using it, no matter which auth mechanism is used.
Just an idea as a workaround: can we think of linking the PYDIO close/logout button to a Security-Warning box offering to shut down the browser?
-
You could use the LogoutURL for this. Unfortunately, LogoutURL doesn't work anymore. I need to check if the bug still exists in Pydio 6 branch
-
The introduction states: 'Koozali SME Server is a complete, secure, stable and versatile'
If smeserver is designed for business use, security should be the first priority.
pydio is not part of SME server.
-
Would it be possible to configure Pydio to use SME Server's LDAP instead of basic authentication? I had a go at it, and I could get it to recognise a username, but couldn't actually login with it.
LemonLDAP-NG isn't really ideal for my situation - client doesn't have a wildcard SSL certificate, so I don't want to use virtualhosts and subdomains, just access it as domain.com/pydio.
Also, is the desktop/mobile app supported? I tried the desktop app and got "Server not found (404), is it up and has it Pydio installed?"
I'm happy to spend more time fiddling with it (I'm relatively experienced with SME Server), but won't bother if there's any reason why it's not possible.
-
You should use Let's Encrypt to get a free wildcard certificate.
I think the desktop app is only supported by the v6 version of pydio. An update of the contribs would be necessary, but needs some work to adapt it to SME to use its user db.
As Daniel, Charlie and I use most of our spare time for SME 10, we would be happy to assist somebody to do the migration process to pydio 6 and then make an rpm of it, but we do not have the time to do all the process.
I can however confirm that the ios and android apps work with pydio v5 currently available on SME.
-
Thanks Jean-Philippe. I hadn't seen Let's Encrypt before, I'll check it out.
I'll have a go at installing v6 and see how I go.
-
You should use Let's Encrypt to get a free wildcard certificate.
Let's Encrypt doesn't do wildcard certs, but they'll put as many hostnames as you want (up to 100) on a single cert. See the wiki at https://wiki.contribs.org/Letsencrypt for instructions; I think that letsencrypt.sh is a better path for SME than using the official client at this point.
-
I've installed v6.0.7 in an iBay and appear to have most of the functionality working (although I haven't thoroughly tested it yet).
I mostly followed the instructions at https://wiki.contribs.org/Pydio with a few minor changes:
PHPBaseDir=/home/e-smith/files/ibays/<pydio_ibay>/:/tmp/:/etc/ (I had to do this to get the ldap authentication working properly - not sure if there's a better way)
I entered the ibay options individually (copying and pasting from that page didn't work)
Then I setup Pydio to use LDAP:
LDAP URL: localhost
Protocol: Standard (ldap)
LDAP Port: 389
People DN: ou=Users,dc=clientdomain,dc=com
LDAP Server Page Size: 500
LDAP Filter: objectClass=person
Groups DN: ou=Groups,dc=clientdomain,dc=com
LDAP Groups Filter: objectClass=posixGroup
Group Attribute: displayName
Fake Member From: memberUid
Fake MemberOf value of Member/MemberUID Attribute of Group: No (Use CN, not DN)
LDAP Attribute: memberOf
Mapping Type: Role Id
Now I can create a workspace using SMB as follows:
Host: localhost
URI: <share name>
Session Credentials: Yes
Recycle Bin Folder: Recycle Bin
alias: <share name>
I haven't got as far as creating the workspace automatically when signal-event share-create (etc) are called. Looks like I'd need to enter the data into ajxp_repo and ajxp_repo_options in the database, but I'm not sure how the uuid is generated.
It's been a decade since I've built an RPM, so I'm probably not going to be much help packaging this up for others, but I'll do what I can to help if someone else is able to.
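An added example (not Pydio's or SME Server's code) modelling what the LDAP settings listed in the post above ask Pydio to compute. SME's posixGroup entries list members by uid in memberUid and user entries carry no memberOf, so the "Fake Member From: memberUid" setting makes Pydio rebuild membership from the group side and name groups by an attribute (displayName) rather than by DN. The entries below are constructed sample data shaped like the ou=Users and ou=Groups subtrees, the filter evaluator handles only the "attr=value" equality filters used in those settings, and the function name and the shape of its output are assumptions, since the page does not show how Pydio stores the result internally.

```python
from typing import Dict, Iterable, List

# Constructed sample of the two subtrees the settings point at. Real SME
# entries carry more attributes; only those the settings reference are shown.
PEOPLE = [
    {"dn": "uid=alice,ou=Users,dc=clientdomain,dc=com",
     "objectClass": ["person", "posixAccount"], "uid": "alice"},
    {"dn": "uid=bob,ou=Users,dc=clientdomain,dc=com",
     "objectClass": ["person", "posixAccount"], "uid": "bob"},
    # Not a person: must be dropped by the "objectClass=person" filter.
    {"dn": "cn=backup-host,ou=Users,dc=clientdomain,dc=com",
     "objectClass": ["device"], "cn": "backup-host"},
]
GROUPS = [
    {"dn": "cn=staff,ou=Groups,dc=clientdomain,dc=com",
     "objectClass": ["posixGroup"], "cn": "staff", "displayName": "Staff",
     "memberUid": ["alice", "bob"]},
    {"dn": "cn=finance,ou=Groups,dc=clientdomain,dc=com",
     "objectClass": ["posixGroup"], "cn": "finance", "displayName": "Finance",
     "memberUid": ["alice"]},
    # Wrong objectClass: must be dropped by the "objectClass=posixGroup" filter.
    {"dn": "cn=legacy,ou=Groups,dc=clientdomain,dc=com",
     "objectClass": ["groupOfNames"], "cn": "legacy", "displayName": "Legacy",
     "member": ["uid=bob,ou=Users,dc=clientdomain,dc=com"]},
]


def values(entry: dict, attr: str) -> List[str]:
    """Return an attribute as a list whether the sample stored one value or several."""
    v = entry.get(attr, [])
    return [v] if isinstance(v, str) else list(v)


def matches(entry: dict, ldap_filter: str) -> bool:
    """Evaluate the simple 'attr=value' equality filters used in the settings."""
    attr, _, wanted = ldap_filter.strip("()").partition("=")
    return wanted in values(entry, attr)


def paged(entries: Iterable[dict], page_size: int) -> Iterable[List[dict]]:
    """Yield results in pages, mirroring the 'LDAP Server Page Size' setting."""
    page: List[dict] = []
    for entry in entries:
        page.append(entry)
        if len(page) == page_size:
            yield page
            page = []
    if page:
        yield page


def fake_member_of(people: Iterable[dict], groups: Iterable[dict],
                   people_filter: str = "objectClass=person",
                   groups_filter: str = "objectClass=posixGroup",
                   member_attr: str = "memberUid",
                   group_attr: str = "displayName",
                   page_size: int = 500) -> Dict[str, List[str]]:
    """Synthesize a memberOf-style list per uid from the groups' memberUid.

    Users that fail people_filter get no entry; groups that fail groups_filter
    contribute nothing; group names come from group_attr (a name, not a DN).
    """
    uids = set()
    for page in paged(people, page_size):
        for person in page:
            if matches(person, people_filter):
                uids.update(values(person, "uid"))
    result: Dict[str, List[str]] = {uid: [] for uid in uids}
    for page in paged(groups, page_size):
        for group in page:
            if not matches(group, groups_filter):
                continue
            name = values(group, group_attr)[0]
            for uid in values(group, member_attr):
                if uid in result:
                    result[uid].append(name)
    return {uid: sorted(names) for uid, names in result.items()}


if __name__ == "__main__":
    for uid, names in sorted(fake_member_of(PEOPLE, GROUPS).items()):
        print(uid, "->", ", ".join(names))
```

Running it on the sample prints alice mapped to Finance and Staff and bob to Staff only, with the device entry and the groupOfNames group ignored; the two filters are what keep non-user objects out of the workspace role mapping.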