[MGNLLDAP-49] Pass on email and other user properties from LDAP record to Magnolia Created: 03/Jan/11  Updated: 15/Dec/11  Resolved: 09/Jun/11

Status: Closed
Project: LDAP Connector
Component/s: None
Affects Version/s: None
Fix Version/s: 1.4.3

Type: Improvement Priority: Neutral
Reporter: Magnolia International Assignee: Philipp Bärfuss
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File MGNLLDAP-49-2.patch; Text File MGNLLDAP-49.patch
Issue Links:
dependency: is depended upon by MAGNOLIA-3733 "ExternalUser could implement getProperty" (Closed)
relation: none
Template:
Acceptance criteria: Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)

Description

While the LDAP module currently reads out all properties from a user's record (info.magnolia.jaas.sp.ldap.LDAPAuthenticationModule#extractAttributes), those properties are not passed on in the User instance in Magnolia. As far as I can tell, this is because of

  • info.magnolia.jaas.sp.ldap.LDAPAuthenticationModule#setEntity does not copy those properties to the Entity object. There might be security concerns about passing all attributes around, so we should at least extract this operation into an overridable method.
  • info.magnolia.cms.security.ExternalUser#getProperty systematically throws an UnsupportedOperationException, whereas it could at least check the properties of the current Entity object it wraps. I am not sure if there are any (historical?) reasons for this.

While this is entirely and easily fixable within the current framework, it sounds like one more reason to move away from JAAS, or at least move to a LoginModule that completely delegates to Magnolia, following which we'd have an LDAP-specific UserManager implementation. And/or an LDAPUser implementation.
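As an added illustration (not Magnolia's or the LDAP module's own code), the two changes the description asks for: the attribute-copy step extracted out of setEntity into an overridable method with an allow-list as its conservative default, and getProperty reading the wrapped Entity instead of throwing. EntityStub, LdapEntityPopulator and ExternalUserStub are hypothetical stand-ins for Magnolia's real Entity, LDAPAuthenticationModule and ExternalUser classes; Set.of assumes Java 9 or later.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in for the Entity the LDAP login module fills in
// (assumption: a simple property bag keyed by attribute name).
class EntityStub {
    private final Map<String, Object> props = new HashMap<>();
    void addProperty(String name, Object value) { props.put(name, value); }
    Object getProperty(String name) { return props.get(name); }
}

// The copy step the description asks to extract from setEntity into an
// overridable method; an allow-list is the conservative default so that
// credential attributes (e.g. userPassword) are not propagated by accident.
class LdapEntityPopulator {
    private static final Set<String> DEFAULT_ALLOWED =
        Set.of("mail", "givenName", "sn", "displayName");

    // Subclasses override this to widen or narrow what reaches the Entity.
    protected Map<String, Object> selectAttributes(Map<String, Object> ldapAttributes) {
        Map<String, Object> selected = new HashMap<>();
        for (Map.Entry<String, Object> e : ldapAttributes.entrySet()) {
            if (DEFAULT_ALLOWED.contains(e.getKey())) {
                selected.put(e.getKey(), e.getValue());
            }
        }
        return selected;
    }

    EntityStub populate(Map<String, Object> ldapAttributes) {
        EntityStub entity = new EntityStub();
        selectAttributes(ldapAttributes).forEach(entity::addProperty);
        return entity;
    }
}

// Stand-in for ExternalUser#getProperty consulting the wrapped Entity
// rather than throwing UnsupportedOperationException.
class ExternalUserStub {
    private final EntityStub entity;
    ExternalUserStub(EntityStub entity) { this.entity = entity; }
    String getProperty(String name) {
        Object v = entity.getProperty(name);
        return v == null ? null : v.toString();
    }
}
```

Feeding a constructed record containing both "mail" and "userPassword" through LdapEntityPopulator yields an ExternalUserStub whose getProperty("mail") returns the address while getProperty("userPassword") returns null, because only allow-listed attributes are copied.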



Comments
Comment by Magnolia International [ 04/Jan/11 ]

Simple patches - also implies a change in core's ExternalUser class.

To be considered before applying the patch: why do we pass the user's password in the user's object? Since these objects might be persisted in sessions, this is a potential security problem. (The patch comments out the line of code that passes it, and that apparently has no unwanted side effect.)

edit: the password needs to be kept around for activation to work.

Comment by Magnolia International [ 09/Jun/11 ]

Patch for core's ExternalUser: see MAGNOLIA-3733

Generated at Mon Feb 12 02:21:05 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.