xwikisas / application-activedirectory

Provides the UI to set up LDAP for Active Directory
GNU Lesser General Public License v2.1

LDAP user cleanup doesn't disable/delete users with empty DN #95

Closed michitux closed 7 months ago

michitux commented 7 months ago

Steps to reproduce:

  1. Edit a user profile with the object editor and change the UID to a non-existing UID and delete the DN.
  2. Run the LDAP user cleanup.

Expected result:

The user is deleted/deactivated.

Actual result:

The user isn't deleted as the extension searches for the empty string as DN, which returns a non-empty result with supported values for certain parameters (at least on Active Directory).

trrenty commented 7 months ago

If the user has an empty dn, the profile will be deleted/disabled.

michitux commented 7 months ago

> If the user has an empty dn, the profile will be deleted/disabled.

That's wrong. Users with empty DN can log in just fine, the authenticator falls back to the UID in this case in all places, see, e.g., this for checking group membership. This is an important feature for users migrated from other sources like Confluence where we're unable to compute the DN and just know the UID.

michitux commented 7 months ago

To make this more clear hopefully: What I expect to happen is that when the DN is empty (you can use StringUtils.isBlank(..) for this check, btw.), the LDAP user cleanup falls back on searching for the UID. This didn't happen before because the LDAP server returned something when searching for an empty DN and thus the fallback wasn't triggered.
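As an added example (not the extension's code, and not using the XWiki or LDAP API), the decision the issue and the last comment describe side by side: the reported path, which searches whatever DN is stored and so sends an empty string to the server, and the requested path, which treats a blank DN as unknown and searches by UID instead. The in-memory directory, the profile field names and the `dn != null` condition in the reported path are stand-ins I assume here; the only server behaviour reproduced is the one the report gives, that a search for the empty DN returns a result.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added illustration of the lookup decision this issue is about. The directory is an
 * in-memory stub constructed here; it only reproduces the reported behaviour that a
 * search for "" as DN comes back non-empty (in LDAP terms, the empty DN addresses the
 * root DSE, which is why the server has something to answer with).
 */
public final class LdapCleanupExample {

    /** Stand-in for the LDAP fields stored on an XWiki user profile (field names assumed). */
    public record Profile(String wikiName, String uid, String dn) {}

    /** In-memory stand-in for the directory. All entries are constructed sample data. */
    public static final class StubDirectory {
        private final Map<String, String> uidByDn = new HashMap<>();
        private final Map<String, String> dnByUid = new HashMap<>();

        public StubDirectory add(String dn, String uid) {
            uidByDn.put(dn, uid);
            dnByUid.put(uid, dn);
            return this;
        }

        /** Base-object lookup by DN; the empty DN always answers, as the report describes. */
        public Optional<String> findByDn(String dn) {
            if (dn.isEmpty()) {
                return Optional.of("rootDSE");
            }
            return Optional.ofNullable(uidByDn.get(dn));
        }

        /** Search by the configured UID attribute. */
        public Optional<String> findByUid(String uid) {
            return Optional.ofNullable(dnByUid.get(uid));
        }
    }

    /** Same test as commons-lang StringUtils.isBlank, inlined to keep the example dependency-free. */
    static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    /** Reported behaviour (condition assumed): any non-null DN is searched as-is, so "" looks valid. */
    public static boolean stillExistsReported(StubDirectory dir, Profile p) {
        if (p.dn() != null) {
            return dir.findByDn(p.dn()).isPresent();
        }
        return dir.findByUid(p.uid()).isPresent();
    }

    /** Requested behaviour: a blank DN is unknown, so fall back on the UID like the authenticator does. */
    public static boolean stillExistsFixed(StubDirectory dir, Profile p) {
        if (isBlank(p.dn())) {
            return dir.findByUid(p.uid()).isPresent();
        }
        return dir.findByDn(p.dn()).isPresent();
    }

    public static void main(String[] args) {
        StubDirectory dir = new StubDirectory()
            .add("CN=Alice,OU=Users,DC=example,DC=test", "alice");

        // Reproduction from the issue: UID changed to a non-existing one, DN deleted.
        Profile stale = new Profile("XWiki.Alice", "nobody", "");
        // Migrated user from the second comment: only the UID is known, DN empty, account valid.
        Profile migrated = new Profile("XWiki.Alice", "alice", "");

        for (Profile p : new Profile[] { stale, migrated }) {
            System.out.printf("%s uid=%s reported=%b fixed=%b%n",
                p.wikiName(), p.uid(),
                stillExistsReported(dir, p),   // true for both: "" gets an answer from the server
                stillExistsFixed(dir, p));     // false for stale (cleanup acts), true for migrated (kept)
        }
    }
}
```

The point of the fixed variant is that the blank check happens before any search is issued: the cleanup then removes or disables the stale profile while leaving the migrated user, whose only identifier is the UID, untouched.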