Uploaded image for project: 'RH-SSO'
  1. RH-SSO
  2. RHSSO-1663

[GSS][7.2.z] LDAP group names containing "/" in the name violates SIBILING_NAME constraint in db

    XMLWordPrintable

Details

    • Critical
    • Critical
    • Hide
      • Create a LDAP group name containing a "/" , like "Team of 2016/2017"
      • Associate 2 users ('a' and 'b') to this group
      • Search for user 'a' at Keycloak admin screen: the user loads correctly and the group is created on DB
      • Search for user 'b' at Keycloak admin screen: the user loads but clicking at "Groups" tabs yields exceptions at the server log.
      Show
      Create a LDAP group name containing a "/" , like "Team of 2016/2017" Associate 2 users ('a' and 'b') to this group Search for user 'a' at Keycloak admin screen: the user loads correctly and the group is created on DB Search for user 'b' at Keycloak admin screen: the user loads but clicking at "Groups" tabs yields exceptions at the server log.

    Description

      If a LDAP/AD group name contains a "/" in the name, using RHSSO 7.0 (Kecloak 1.9.x) it will create a new group entry in the database each time a user with this group is loaded; using RHSSO 7.1 (Keycloak 2.5.x) it logs an exception due to constraint SIBLING_NAMES on group table.
      After some investigation seems it is related to method KeycloakModelUtils.findGroupByPath as it splits the group hierarchy path by "/" . If the group has a "/" in the name it treats it as a top level + group name, and not as a single group name.
      Ldap groups with a forward slash in the group name create a ConstraintViolationException

      Attachments

        Activity

          People

            psilva@redhat.com Pedro Igor Craveiro
            rhn-support-mavassil Maria Vassileva
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: