Jackrabbit Oak / OAK-5442

LdapIdentityProvider.isMyRef considers local users as 'mine'


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • auth-ldap
    • None

    Description

      While working on OAK-5210 I noticed the implementation of LdapIdentityProvider.isMyRef:

      private boolean isMyRef(@Nonnull ExternalIdentityRef ref) {
          final String refProviderName = ref.getProviderName();
          return refProviderName == null || refProviderName.isEmpty() || getName().equals(refProviderName);
      }
      

      If I am not mistaken this means that the LDAP IdentityProvider may consider users that don't have an IDP name contained in their ExternalIdentityRef such as e.g. local users/groups to be accounts that are managed by it. I didn't carefully verify where and how this private method is used today but to me that looks like a bug that may potentially create bigger consistency issues.
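
The behaviour described in the report, as an added example that is not part of the original issue or of Oak's code: the quoted predicate is run next to a stricter exact-match variant over constructed references. `Ref`, `IDP_NAME`, the sample ids and `isMyRefStrict` are hypothetical stand-ins; whether references without a provider name must stay accepted for compatibility is not established on this page.

```java
import java.util.Arrays;
import java.util.List;

public class IsMyRefDemo {

    // Hypothetical minimal stand-in for an external identity reference:
    // an id plus an optional provider name.
    static final class Ref {
        final String id;
        final String providerName; // null when no IDP name is recorded

        Ref(String id, String providerName) {
            this.id = id;
            this.providerName = providerName;
        }
    }

    // Constructed provider name, standing in for getName() in the report.
    static final String IDP_NAME = "ldap";

    // Same logic as the isMyRef quoted in the report: a missing or empty
    // provider name is treated as belonging to this provider.
    static boolean isMyRefAsReported(Ref ref) {
        String p = ref.providerName;
        return p == null || p.isEmpty() || IDP_NAME.equals(p);
    }

    // Stricter variant (an assumption for comparison, not the project's fix):
    // only an exact provider-name match counts as "mine".
    static boolean isMyRefStrict(Ref ref) {
        return IDP_NAME.equals(ref.providerName);
    }

    public static void main(String[] args) {
        // Constructed sample references.
        List<Ref> refs = Arrays.asList(
            new Ref("local-user", null),           // no provider name recorded
            new Ref("local-group", ""),            // empty provider name
            new Ref("uid=jdoe,ou=people", "ldap"), // owned by this provider
            new Ref("someone", "other-idp"));      // owned by another provider
        for (Ref r : refs) {
            System.out.printf("%-20s provider=%-10s reported=%-5b strict=%b%n",
                r.id, r.providerName, isMyRefAsReported(r), isMyRefStrict(r));
        }
    }
}
```

The two predicates disagree only on the references whose provider name is null or empty, which is the case the report calls out.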

          People

            Unassigned
            Angela Schreiber (angela)