Description of problem:
LDAP: If an existing LDAP user who is also a member of an LDAP group mapped to an RHQ role is deleted, is then recreated in LDAP and is not associated with any group in LDAP, the previous role permissions are applied to the user. The user should be logged in to RHQ as a guest.

Version-Release number of selected component (if applicable):
3.0.0-SNAPSHOT

How reproducible:

Steps to Reproduce:
1. Create a user in LDAP. (Ex: user1)
2. Make the user a member of any LDAP group. (Ex: Testgroup)
3. Log in to RHQ as rhqadmin and assign a role (Ex: ALL Resources Role) to the LDAP group (Testgroup).
4. Log in to RHQ as the user created. (Ex: user1)
5. Delete the user in LDAP.
6. Try to log in to RHQ with the deleted user (user1).
7. Recreate the user in LDAP.
8. Do not associate the recreated LDAP user with any LDAP group.
9. Log in to RHQ as the recreated user. (user1)
10. Check the role permissions applied.

Actual results:
Role permissions applied to the user after login are the same as the previously assigned role. (ALL Resources Role)

Expected results:
The user should be logged in to RHQ as a guest, as the user is not a member of any LDAP group.

Additional info:
It looks like we're not refreshing the user's group list on login. The use case here would be a user who goes from being an Admin to a regular User. They shouldn't maintain their old permissions.
Reproduced the described behavior.

Problem: The RHQ group runtime account membership was not being synchronized with the LDAP group information. Added a conditional check to the ldaploginmodule to refresh the membership information on login.

Commit hash: git 80e3403ada9b0b215715dc3d6ff15d9c016fd451

Additional information:
- LDAP group authorization happens in addition to successful LDAP authentication if both the 'groupfilter' and the 'groupmember' fields are set.
- Group Search Filter should be in the form name=value, Ex. 'objectclass=groupOfUniqueNames', with whatever group-specific query is valid for the LDAP server being used, and should return all the LDAP groups that should be available for LDAP mapping.
- Group Member Filter should be of the form Ex. 'uniqueMember', with whatever group-specific filter is valid for the LDAP server being used.
- At runtime the groupfilter and groupmember values are combined with the uid expression for the user being authenticated into a runtime check that the current user exists in the specified groups: Ex. (&(objectclass=groupOfUniqueNames)(uniqueMember=uid=testuser1,ou=People,dc=test, dc=com))
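The following is an added illustration, not RHQ/JON code or the commit above: it composes the runtime group-membership filter in the shape the comment describes, evaluates it against a constructed in-memory directory, and contrasts a login that reuses cached roles (the reported bug) with one that re-reads group membership from LDAP on every login (the fix). The directory contents, the GROUP_TO_ROLE mapping, the GUEST_ROLE name, the role cache and the login() function are all assumptions made for the example; the only thing taken from the comment is the filter shape. The user's DN is escaped per RFC 4515 before it is spliced into the filter, a check the comment does not mention but that a practitioner would want when a user-controlled value ends up in a search filter.

```python
"""Added example, not RHQ/JON code: compose the LDAP group-membership check the
comment above describes and refresh a user's roles from it on every login.
Everything here is constructed for illustration (in-memory directory, role
names, the cache); only the filter shape comes from the comment."""
import copy
import re

# Constructed directory of group entries keyed by DN. Attribute names are
# stored lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "cn=Testgroup,ou=Groups,dc=test,dc=com": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "uniquemember": ["uid=testuser1,ou=People,dc=test,dc=com"],
    },
    "cn=Operators,ou=Groups,dc=test,dc=com": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "uniquemember": ["uid=alice,ou=People,dc=test,dc=com"],
    },
}
# Assumed mapping of LDAP group DN -> RHQ role (what rhqadmin configures in step 3).
GROUP_TO_ROLE = {"cn=Testgroup,ou=Groups,dc=test,dc=com": "ALL Resources Role"}
GUEST_ROLE = "guest"  # hypothetical name for the no-group fallback
LDAP_CONFIG = {"groupfilter": "objectclass=groupOfUniqueNames", "groupmember": "uniqueMember"}


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value, so a crafted uid or DN cannot
    add its own assertions to the filter (e.g. 'x)(objectclass=*')."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_group_filter(group_filter, group_member_attr, user_dn):
    """Combine the admin-configured name=value group filter and the member
    attribute with the authenticated user's DN, as the comment describes."""
    return "(&(%s)(%s=%s))" % (group_filter, group_member_attr, escape_filter_value(user_dn))


_ASSERTION = re.compile(r"\(([^=()]+)=([^()]*)\)")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(entry, ldap_filter):
    """Evaluate a filter of the shape (&(a=b)(c=d)...) against one entry.
    Only conjunctions of equality assertions are supported; values are
    compared case-insensitively, a simplification of real DN matching."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("only (&(...)(...)) filters are supported in this example")
    for attr, raw in _ASSERTION.findall(ldap_filter):
        wanted = _unescape(raw).lower()
        if wanted not in [v.lower() for v in entry.get(attr.strip().lower(), [])]:
            return False
    return True


def groups_for_user(directory, group_filter, group_member_attr, user_dn):
    """The runtime check: which groups selected by the group filter list this user."""
    ldap_filter = build_group_filter(group_filter, group_member_attr, user_dn)
    return {dn for dn, entry in directory.items() if entry_matches(entry, ldap_filter)}


def roles_from_ldap(directory, cfg, user_dn, group_to_role=GROUP_TO_ROLE):
    """Map the user's current LDAP groups to roles; no mapped group means guest."""
    groups = groups_for_user(directory, cfg["groupfilter"], cfg["groupmember"], user_dn)
    roles = {group_to_role[g] for g in groups if g in group_to_role}
    return roles or {GUEST_ROLE}


def login(role_cache, directory, cfg, user_dn, refresh_groups):
    """refresh_groups=False models the reported bug: a previously seen user keeps
    the roles cached from an earlier session. refresh_groups=True models the fix:
    group membership is re-read from LDAP on every login."""
    if not refresh_groups and user_dn in role_cache:
        return role_cache[user_dn]
    role_cache[user_dn] = roles_from_ldap(directory, cfg, user_dn)
    return role_cache[user_dn]


def reproduce_scenario():
    """Steps 4-9 of the report: log in as a group member, then as the same DN
    after it was recreated without any group membership."""
    user = "uid=testuser1,ou=People,dc=test,dc=com"
    cache = {}
    first = login(cache, DIRECTORY, LDAP_CONFIG, user, refresh_groups=False)
    # Recreate the user outside every group: the group entry no longer lists the DN.
    recreated = copy.deepcopy(DIRECTORY)
    recreated["cn=Testgroup,ou=Groups,dc=test,dc=com"]["uniquemember"] = []
    stale = login(cache, recreated, LDAP_CONFIG, user, refresh_groups=False)
    fixed = login(cache, recreated, LDAP_CONFIG, user, refresh_groups=True)
    return first, stale, fixed


if __name__ == "__main__":
    print(reproduce_scenario())
```

Running the block prints the three role sets in order: the first login and the stale login both yield the mapped role, while the refreshing login yields only the guest fallback. The `refresh_groups` flag is the point of the fix: the decision has to be made from what LDAP says at this login, not from what the account carried from its last one.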
Available in master build >= 230.
*** Bug 577817 has been marked as a duplicate of this bug. ***
Verified on JON build #108 (Revision: 10611). If an existing LDAP user who is also a member of an LDAP group mapped to an RHQ role is deleted, is then recreated in LDAP and is not associated with any group in LDAP, after login to RHQ it is observed that the previous role permissions are not applied to the user and the user logs in as a guest, which is as expected.
Mass-closure of verified bugs against JON.