Keycloak / KEYCLOAK-4640

LDAP memberships are being replaced instead of being added or deleted


    Details

    • Steps to Reproduce:
      Add or delete a user's role in the admin UI and trace in Wireshark.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      When assigning a role to a user or deleting it in the admin UI, this should trigger an LDAP modify request with a single add or delete operation for the user's DN only.

      However, the current implementation in LDAPUtils.addMember(..) and LDAPUtils.deleteMember(..) triggers a replace operation on the member attribute that replaces the whole group memberships.

      Apart from being highly dangerous, the replace operation fails on groups that contain more users than the maximum page size on our LDAP server.

      Interestingly, if a group exceeds the maximum page size, the modify request contains two replace operations: one for the page_size-1 users, and a second one for the user to be added.
      This request fails on my test role, but we had situations where role memberships suddenly disappeared on our LDAP server. I'm not sure if this was the reason, but I can imagine that the second replace might have replaced all the other memberships.
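      The following is an added, constructed illustration of the difference the description is pointing at; it is not Keycloak code and not part of the issue. It models a group entry in memory (LdapGroup, ModType, demo and to_ldif are names chosen for the example, as are the example DNs), a size-limited read that returns at most page_size member values, and the three LDAP modification types. A replace-based add that rebuilds the attribute from a truncated read silently discards every member beyond the page, while a single add or delete operation touches only the user's DN and leaves the rest of the membership untouched. The LDIF rendering shows why the incremental request is also far smaller on the wire.

```python
"""Two ways a client can change a group's member attribute (constructed example).

Not Keycloak code: an in-memory stand-in for a groupOfNames entry, a paged read
that returns at most page_size values the way a size-limited LDAP server would,
and a modify() that understands the add / delete / replace modification types.
"""
from enum import Enum


class ModType(Enum):
    ADD = "add"          # add the listed values to the attribute
    DELETE = "delete"    # remove the listed values from the attribute
    REPLACE = "replace"  # discard all current values, keep only the listed ones


class LdapGroup:
    """Minimal in-memory group entry (constructed for this example)."""

    def __init__(self, dn, members, page_size):
        self.dn = dn
        self.members = set(members)
        self.page_size = page_size  # server-side limit on returned values

    def read_members_paged(self):
        """Return the member values as a size-limited search would: only the
        first page_size values come back, and nothing marks the truncation."""
        return sorted(self.members)[: self.page_size]

    def modify(self, changes):
        """Apply a list of (ModType, values) modifications in order; return the
        resulting member count so callers can check the effect."""
        for mod_type, values in changes:
            if mod_type is ModType.ADD:
                self.members |= set(values)
            elif mod_type is ModType.DELETE:
                self.members -= set(values)
            elif mod_type is ModType.REPLACE:
                self.members = set(values)
        return len(self.members)


def add_member_by_replace(group, user_dn):
    """Replace-based add, the pattern the issue describes: read the current
    members, then REPLACE the whole attribute with what was read plus the new
    DN. Members beyond the first page are silently lost."""
    current = group.read_members_paged()
    return group.modify([(ModType.REPLACE, current + [user_dn])])


def add_member_incremental(group, user_dn):
    """Incremental add: one ADD modification carrying only the user's DN."""
    return group.modify([(ModType.ADD, [user_dn])])


def delete_member_incremental(group, user_dn):
    """Incremental delete: one DELETE modification carrying only the user's DN."""
    return group.modify([(ModType.DELETE, [user_dn])])


def to_ldif(group_dn, changes):
    """Render a modify request in LDIF so the shape of each request is visible."""
    lines = [f"dn: {group_dn}", "changetype: modify"]
    for mod_type, values in changes:
        lines.append(f"{mod_type.value}: member")
        lines.extend(f"member: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines)


def demo(total_members=1500, page_size=1000):
    """Seed two identical groups larger than the page size and report the member
    count after each strategy. Constructed DNs, no live directory involved."""
    seed = [f"uid=user{i:05d},ou=people,dc=example,dc=com" for i in range(total_members)]
    new_dn = "uid=newuser,ou=people,dc=example,dc=com"
    group_dn = "cn=staff,ou=groups,dc=example,dc=com"
    replaced = LdapGroup(group_dn, seed, page_size)
    incremental = LdapGroup(group_dn, seed, page_size)
    return {
        "replace_add": add_member_by_replace(replaced, new_dn),        # 1001: 499 members dropped
        "incremental_add": add_member_incremental(incremental, new_dn),  # 1501
        "incremental_delete": delete_member_incremental(incremental, new_dn),  # 1500
    }


if __name__ == "__main__":
    print(demo())
    print(to_ldif("cn=staff,ou=groups,dc=example,dc=com",
                  [(ModType.ADD, ["uid=newuser,ou=people,dc=example,dc=com"])]))
```

      Comparing the member count before and after a membership change, as demo() does, is the cheapest check for this class of defect: an add should change the count by at most one, and anything that shrinks a large group is a sign that a replace was built from a truncated read.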

                People

                • Assignee:
                  Unassigned
                • Reporter:
                  sldab Slawomir Dabek
                • Votes:
                  2
                • Watchers:
                  7
