MNT-19821: APS ldap sync failure corrupts the admin user if userIdAttributeName resolves to null
Project: Service Packs and Hot Fixes


    • Bug Priority: Category 1
    • ACT Numbers: 00967877, 00967564, 00978531



      The LDAP/AD sync configuration fails to prevent corruption of existing database users when ldap.synchronization.userIdAttributeName resolves to a null value from the directory.

      Users created in the database by IDM, including the default admin@app.activiti.com user, have 'externalId' = null.

      If a synchronization runs in which userIdAttributeName resolves to null, the sync overwrites the admin user.

      This is a security issue: the admin user can be corrupted or taken over in this manner.

      We did not notice this at first because most LDAP/AD directories have these attributes populated, though they are not required, and most sync configurations use sAMAccount as the user id.

      Replication Steps

      • install activiti-app
      • use an AD/LDAP directory in which the user's givenName is null
      • set ldap.synchronization.userIdAttributeName to givenName
      • run a sync
      • check the users table: the admin user has been overwritten and the other users are not populated

      Expected Behavior

      • on sync, if the userIdAttributeName value is null, log an error and do not sync that user

      Actual Behavior

      • on sync, if the userIdAttributeName value is null, it overwrites the default admin
      • if there are multiple database users and multiple users in LDAP/AD resolving to null, this is problematic since the database (IDM) created users all have 'externalId' = null

      Possible Fix

      • ./activiti-bpm-suite/blob/1.9.0-release/activiti-bpm-suite/activiti-app-logic/src/main/java/com/activiti/api/idm/AbstractExternalIdmSourceSyncService.java

      In the handler method around line 489 of that class, add a check for null values in the attributes returned from AD/LDAP, not just for the externalId in the database: if the attribute is null from AD/LDAP, log the issue and do not sync the user.

      protected User handleUser(final ExternalIdmUser externalSrcUser, final Long tenantId, final BufferedWriter syncLogWriter) {
          try {
              String originalSrc = externalSrcUser.getOriginalSrcId();
              // For users we use the id, because that is what we use for logging in. For groups this does not apply.
              String userId = externalSrcUser.getId();
              String email = externalSrcUser.getEmail();
              String firstName = externalSrcUser.getFirstName();
              String lastName = externalSrcUser.getLastName();
              String password = externalSrcUser.getPassword();
              // No null check on userId here: when the configured userIdAttributeName resolves to null,
              // this lookup matches database-created users whose externalId is null, such as the default admin.
              User user = userService.findUserByExternalId(userId);
              if (user != null) {
                  // User exists already in database
                  if (user.getLastSyncTimeStampEpoch() == null
                          || !user.getLastSyncTimeStampEpoch().equals(externalSrcUser.getLastModifiedTimeStamp().getTime())) {
                      user = userService.save(user);
                      if (password != null) {
                          userService.changePassword(user.getId(), password);
                      }
                      writeToSyncLog(syncLogWriter, LOG_TYPE_USER_UPDATED + userId + " properties were changed.");
                      // ... the excerpt in the report ends here
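As an added illustration (not code from activiti-app or the report), the following self-contained Java model shows why a null id from userIdAttributeName reaches the admin row and how the null check proposed above prevents it; the in-memory user table, the null-matching lookup semantics and all names are constructed assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

public class LdapSyncNullIdDemo {
    /** Stand-in for an IDM user row (constructed). Database-created users, including the default admin, have externalId == null. */
    static final class User {
        final String id; final String externalId; String email;
        User(String id, String externalId, String email) { this.id = id; this.externalId = externalId; this.email = email; }
    }

    /** Constructed sample user table holding only the default admin. */
    static final List<User> USERS = new ArrayList<>();
    static { USERS.add(new User("1", null, "admin@app.activiti.com")); }

    /** Models the lookup as the report describes it: a null external id matches rows whose externalId is null. */
    static User findUserByExternalId(String externalId) {
        for (User u : USERS) {
            if (Objects.equals(u.externalId, externalId)) return u;
        }
        return null;
    }

    /** Vulnerable shape: the directory-resolved id goes straight into the lookup with no null check. */
    static String handleUserVulnerable(String ldapUserId, String ldapEmail) {
        User user = findUserByExternalId(ldapUserId);
        if (user != null) {            // a null ldapUserId lands here on the admin row
            user.email = ldapEmail;
            return "updated user " + user.id;
        }
        USERS.add(new User(String.valueOf(USERS.size() + 1), ldapUserId, ldapEmail));
        return "created user";
    }

    /** Hardened shape (the expected behaviour): a null/blank id is logged and the directory entry is skipped. */
    static String handleUserSafe(String ldapUserId, String ldapEmail) {
        if (ldapUserId == null || ldapUserId.trim().isEmpty()) {
            return "ERROR: userIdAttributeName resolved to null for " + ldapEmail + ", user not synced";
        }
        return handleUserVulnerable(ldapUserId, ldapEmail);   // non-null ids can never match a null externalId
    }

    public static void main(String[] args) {
        // Directory entry whose configured id attribute (e.g. givenName) is empty.
        System.out.println(handleUserSafe(null, "jdoe@example.org"));        // skipped, admin row untouched
        System.out.println(USERS.get(0).email);
        System.out.println(handleUserVulnerable(null, "jdoe@example.org"));  // admin row is overwritten
        System.out.println(USERS.get(0).email);
    }
}
```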


    • Assignee: djohnson Doug Johnson, jsoria Jennie Soria
    • Votes: 2
    • Watchers: 8