LDAP Should Honor the DN Authority, Also Avoid Nonexistent Users
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Evergreen | Fix Released | Medium | Unassigned | |
| 2.3 | Fix Released | Medium | Unassigned | |
| 2.4 | Fix Released | Medium | Unassigned | |
Bug Description
Descriptions stolen from the commits (there are two):
Commit #1:
The existing version of LDAP_Auth.pm assumed that the user's bind DN could be derived from the base DN, the ID attribute, and the user's ID. This is frequently the case, but not always, particularly in Active Directory setups using sAMAccountName. This commit instead uses the initial LDAP lookup as the authority for determining the user's DN.
Commit #2:
The current AuthProxy.pm code assumes that if the external auth passes, the Evergreen account will be there. This protects against cases where a user is in the external auth system but has no matching account in Evergreen.
While these are only somewhat unrelated, the number of users who might actually test this is small enough that I would hope they could be tested and committed together.
Branch at:
working/
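The two behaviours described in the commits above, as an added Python sketch; it is not Evergreen's Perl code from LDAP_Auth.pm or AuthProxy.pm. The in-memory directory, the local account set, the DNs, passwords and all function names are constructed stand-ins for a real LDAP server and the Evergreen user table.

```python
# Constructed sample data: an AD-style directory where each entry's DN is
# built from CN/OU, not from the login attribute (sAMAccountName).
BASE_DN = "DC=example,DC=org"
ID_ATTR = "sAMAccountName"
DIRECTORY = {
    "CN=Jane Doe,OU=Staff,DC=example,DC=org":
        {"sAMAccountName": "jdoe", "password": "s3cret"},
    "CN=Sam Roe,OU=Staff,DC=example,DC=org":
        {"sAMAccountName": "sroe", "password": "hunter2"},
}
# sroe is in the external directory but has no matching local account.
LOCAL_ACCOUNTS = {"jdoe"}


def search(attr, value):
    """Stand-in for an LDAP search under BASE_DN; returns matching DNs."""
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(BASE_DN) and entry.get(attr) == value]


def bind(dn, password):
    """Stand-in for an LDAP simple bind against one DN."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def auth_derived_dn(user_id, password):
    """Old assumption: bind DN is <ID attribute>=<user ID>,<base DN>."""
    return bind(f"{ID_ATTR}={user_id},{BASE_DN}", password)


def auth_lookup_dn(user_id, password):
    """Commit #1: the initial lookup is the authority for the user's DN."""
    matches = search(ID_ATTR, user_id)
    if len(matches) != 1:  # assumption of this sketch: refuse none/ambiguous
        return False
    return bind(matches[0], password)


def login(user_id, password):
    """Commit #2: passing external auth is not enough without a local account."""
    if not auth_lookup_dn(user_id, password):
        return "external-auth-failed"
    if user_id not in LOCAL_ACCOUNTS:
        return "no-local-account"
    return "ok"
```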
Changed in evergreen:
assignee: nobody → Bill Erickson (erickson-esilibrary)
status: New → Confirmed
Changed in evergreen:
status: Fix Committed → Fix Released
assignee: Bill Erickson (erickson-esilibrary) → nobody
Tested with Active Directory / sAMAccountName and it solved my problem. Thanks, Dan! Pushed to 2.3+