Type: Service Pack Request
Status: Open (View Workflow)
Affects Version/s: Alfresco Process Services 1.8, Alfresco Process Services 1.9
Fix Version/s: Alfresco Process Services .N
Component/s: APS Identity Manager
Environment: AD, APS 1.8, 1.9
00967877, 00967564, 00978531
The LDAP/AD sync configuration does not prevent corruption of existing database users when ldap.synchronization.userIdAttributeName resolves to a null value in the directory.
The IDM-created database users, including the default email@example.com user, have 'externalId' = null.
If a synchronization runs where the userIdAttributeName resolves to null, it overwrites the admin user.
This is actually a security issue, as you could technically corrupt or take over the admin user in this manner.
We did not notice this at first because most LDAP/AD directories have these attributes populated even though they are not required, and most sync configurations use sAMAccountName as the user id.
Steps to reproduce:
- install activiti-app
- use AD/LDAP where the user givenName is null
- set ldap.synchronization.userIdAttributeName to givenName
- run a sync
- check the users table: the admin user has been overwritten and the other users are not being populated
Expected behaviour:
- on sync, if the userIdAttributeName resolves to null, log an error and do not sync in that user
Actual behaviour:
- on sync, if the userIdAttributeName resolves to null, it overwrites the default admin
- if you have multiple database users and multiple users in LDAP/AD resolving to null, this is problematic since the database (IDM) created users all have 'externalId' = null
Suggested fix: in the sync handler method (class lines ~489+), add a check for null values in the attributes returned from AD/LDAP, not only for the externalId in the database. If the attribute is null from AD/LDAP, log the issue and do not sync in that user.
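To illustrate the failure mode and the suggested fix, here is an added, self-contained Python model of the sync lookup (it is not APS code; the user table, the DbUser class, the sync functions and the LDAP entries are all constructed for this example). The unsafe variant matches a null id attribute against the null externalId of the IDM-created admin; the safe variant logs and skips the entry instead.

```python
import copy
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("ldap-sync")


@dataclass
class DbUser:
    id: int
    email: str
    external_id: Optional[str]  # None for IDM-created users such as the default admin


# Constructed sample table: the IDM-created admin (externalId null) and one synced user.
USERS = [
    DbUser(1, "admin@example.com", None),
    DbUser(2, "jdoe@example.com", "jdoe"),
]


def fresh_users():
    """Return an independent copy of the sample table so each run starts clean."""
    return copy.deepcopy(USERS)


def find_by_external_id(users, external_id):
    """Lookup that compares externalId with no special handling for None."""
    return next((u for u in users if u.external_id == external_id), None)


def sync_user_unsafe(users, ldap_entry, user_id_attr):
    """Vulnerable behaviour: a None attribute matches the admin row and overwrites it."""
    ext_id = ldap_entry.get(user_id_attr)
    existing = find_by_external_id(users, ext_id)
    if existing is not None:
        existing.email = ldap_entry["mail"]  # admin row clobbered when ext_id is None
        return existing
    users.append(DbUser(len(users) + 1, ldap_entry["mail"], ext_id))
    return users[-1]


def sync_user_safe(users, ldap_entry, user_id_attr):
    """Hardened: refuse to sync an entry whose id attribute is null or blank."""
    ext_id = ldap_entry.get(user_id_attr)
    if ext_id is None or not str(ext_id).strip():
        log.error("skipping %s: attribute %s is null", ldap_entry.get("dn"), user_id_attr)
        return None
    return sync_user_unsafe(users, ldap_entry, user_id_attr)  # id present, lookup is safe
```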