CLOUDSTACK-9369 Fixed Ldap regression#2009
Conversation
|
@rhtyd Can you review the fix? |
| } | ||
| final UserAccount userAccount = _accountService.getActiveUserAccount(username[0], domainId); | ||
| if (userAccount == null || !(User.Source.UNKNOWN.equals(userAccount.getSource()) || User.Source.LDAP.equals(userAccount.getSource()))) { | ||
| if (userAccount != null && User.Source.SAML2 == userAccount.getSource()) { |
There was a problem hiding this comment.
Why do we need to remove the check userAccount == null? Comparision against Source.SAML2 is fine as long as there are no other user sources other than LDAP, SAML2 and UNKNOWN. (UNKNOWN should be NATIVE though)
There was a problem hiding this comment.
in case of LDAP, account will be created if it doesnt already exist.
https://cwiki.apache.org/confluence/display/CLOUDSTACK/LDAP%3A+Trust+AD+and+Auto+Import
There was a problem hiding this comment.
Thanks, let's keep this. We can revisit if we've more user type for which this may cause a security issue.
|
@karuturi done, can you check Travis failure; push -f or close/reopen the PR to kick it again? |
|
I am seeing the same Travis timeout on all the PRs. Will force push again |
|
ping @rhtyd |
|
We installed your jar file 4.9.2 with the changes and test the login. all thing work correctly. |
|
LGTM. |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos6 ✔centos7 ✔debian. JID-652 |
Ldap auto creation of accounts is broken due to the security fix for CLOUDSTACK-9369. There was an explicit check to not allow login incase the user doesnt exist. removed the same.
4 participants
Ldap auto creation of accounts is broken due to the security fix for
CLOUDSTACK-9369.
There was an explicit check to not allow login incase the
user doesnt exist. removed the same.