LDAP: Cannot update a user alone in a groupOfNames based role
  • LDAP: Cannot update a user alone in a groupOfNames based role

    Hello,

    We are using Spring Security 2.0.6 with an LDAP backend.
    Roles are of objectClass 'groupOfNames' which apparently requires at least one 'member' attribute to be set.

    The problem is that when updating a user by calling LdapUserDetailsManager.updateUser(UserDetails user), all its authorities are removed before adding the new authority list:

    (lines 279 - 281 in LdapUserDetailsManager.java v2.0.6)
    // Remove the old authorities and replace them with the new one
    removeAuthorities(dn, authorities);
    addAuthorities(dn, user.getAuthorities());

    If a given role only has one user and this user is updated, then the update fails because of an LDAP error:

    javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - failed to modify entry cn=admin,ou=Roles,dc=example,dc=com: null]; remaining name 'cn=admin, ou=Roles'

    I would be surprised to be the first one to encounter this issue.
    Is there a workaround?
    Is there another objectClass that could be used?
    (groupOfUniqueNames seems to have the same problem)

    Thanks in advance for your help!

    Mathieu

  • #2
    I guess an obvious workaround would be to create a locked user account which nobody can use, but which is a member, so that none of your groups can end up empty.

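    As an added example (not Spring Security's code and not the posters' own): a small in-memory Python model of the groupOfNames rule that 'member' must be present, run through three strategies. The first mirrors the remove-then-add order quoted from LdapUserDetailsManager.updateUser in the first post; the second is an assumed difference-based add-then-remove order that the library does not provide; the third applies the locked placeholder member suggested in #2. Every DN, group name and the SchemaViolation class are constructed for the example; they stand in for a real directory and for javax.naming.directory.SchemaViolationException.

```python
class SchemaViolation(Exception):
    """Stands in for javax.naming.directory.SchemaViolationException (LDAP error 65)."""


class GroupOfNamesDirectory:
    """In-memory stand-in for an ou=Roles subtree of groupOfNames entries.

    groupOfNames lists 'member' as a MUST attribute, so any modify that would
    leave a group with no member is rejected, as in the error quoted in the thread.
    """

    def __init__(self, groups):
        # cn -> set of member DNs; constructed sample data, not a real directory
        self.groups = {cn: set(members) for cn, members in groups.items()}

    def add_member(self, cn, dn):
        self.groups[cn].add(dn)

    def remove_member(self, cn, dn):
        remaining = self.groups[cn] - {dn}
        if not remaining:
            # The server refuses the modification and leaves the entry unchanged.
            raise SchemaViolation(
                f"error code 65 - failed to modify entry cn={cn},ou=Roles: "
                "member is a required attribute")
        self.groups[cn] = remaining

    def groups_of(self, dn):
        return {cn for cn, members in self.groups.items() if dn in members}


def update_remove_then_add(directory, dn, new_roles):
    """Same order as the updateUser lines quoted in the first post: remove the
    user from every current role, then add the whole new role list. Each step
    is a separate modify, so a failure part-way leaves the directory half-updated."""
    for cn in sorted(directory.groups_of(dn)):
        directory.remove_member(cn, dn)
    for cn in sorted(new_roles):
        directory.add_member(cn, dn)


def update_add_then_remove(directory, dn, new_roles):
    """Assumed alternative (not Spring Security's code): apply only the difference,
    additions first, so a role the user keeps is never transiently empty."""
    current = directory.groups_of(dn)
    wanted = set(new_roles)
    for cn in sorted(wanted - current):
        directory.add_member(cn, dn)
    for cn in sorted(current - wanted):
        directory.remove_member(cn, dn)


def add_placeholder_member(directory, placeholder_dn):
    """Workaround from post #2: a locked account that sits in every group, so no
    group can ever be left without a member."""
    for members in directory.groups.values():
        members.add(placeholder_dn)


USER = "uid=mathieu,ou=People,dc=example,dc=com"          # constructed
OTHER = "uid=bob,ou=People,dc=example,dc=com"             # constructed
LOCKED = "uid=nobody-locked,ou=People,dc=example,dc=com"  # constructed


def fresh_directory():
    # USER is the sole member of cn=ops and shares cn=admin with OTHER.
    return GroupOfNamesDirectory({"admin": {USER, OTHER}, "ops": {USER}})


def run_scenarios():
    """Re-saves USER with the unchanged role list ['admin', 'ops'] under each
    strategy and returns {name: (outcome, final group state)}."""
    results = {}

    d = fresh_directory()
    try:
        update_remove_then_add(d, USER, ["admin", "ops"])
        results["remove_then_add"] = ("ok", d.groups)
    except SchemaViolation as e:
        results["remove_then_add"] = (f"failed: {e}", d.groups)

    d = fresh_directory()
    update_add_then_remove(d, USER, ["admin", "ops"])
    results["add_then_remove"] = ("ok", d.groups)

    d = fresh_directory()
    add_placeholder_member(d, LOCKED)
    update_remove_then_add(d, USER, ["admin", "ops"])
    results["remove_then_add_with_placeholder"] = ("ok", d.groups)

    return results


if __name__ == "__main__":
    for name, (outcome, groups) in run_scenarios().items():
        print(f"{name}: {outcome}")
        for cn in sorted(groups):
            print(f"  cn={cn}: {sorted(groups[cn])}")
```

    Two things the model makes visible that the stack trace alone does not: the remove-then-add order fails on cn=ops after the removal from cn=admin has already gone through, so the user has silently lost a role they were supposed to keep; and the difference-based order still raises when the user really is the last member of a group they are leaving, which is the schema doing its job rather than a bug. The placeholder from #2 removes both failures, at the cost of an extra account whose only property that matters is that it can never authenticate.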


    • #3
      That's actually what I used to do anyhow at the application level with a "root" user.

      But I was now trying to develop an application without this root user.
      Since the LDAP is integrated with third-party apps, I find it a bit dangerous to have a dummy user which can basically do everything.

      Should I book a bug for that?
