You are here: Foswiki>Tasks Web>Components>LdapContrib>Item14418 (30 Aug 2017, MichaelDaum)Edit Attach

Item14418: Local groups not checked correctly

pencil
Priority: Urgent
Current State: Closed
Released In: n/a
Target Release:
Applies To: Extension
Component: LdapContrib
Branches: master
Reported By: CrawfordCurrie
Waiting For: MichaelDaum
Last Change By: MichaelDaum
When local groups backoff is enabled, in LdapUserMapping::userExists, it checks that the $cUID backs off to a user but does not check if that user is a group. This can result in a non-user being identified as existing.

Scenario, 
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
%USERINFO("Main.AdminUser" format="$wikiname"}%
expands to main.adminuser

In this case "Main.AdminUser" is not a valid wikiname (as per the definition, which doesn't allow the Main. part). However it is a valid user as per the TopicUserMapping, which is the superclass of LdapUserMapping, because it's stupid and only checks for topic existence after normalisation.

When LdapUserMapping::userExists is called, it rightly cannot map the user to an LDAP user, but because groups backoff is enabled, it asks the superclass if that user exists to test if it is a local group. The TopicUserMapping checks for that topic, which exists, so userExists succeeds.

A solution is to test that the name really is a group. Note there's also a fix here for backoff when testing isGroup - it really should use the superclass 
index 49c2235..1eee5cb 100644
--- a/lib/Foswiki/Users/LdapUserMapping.pm
+++ b/lib/Foswiki/Users/LdapUserMapping.pm
@@ -253,7 +253,7 @@ sub userExists {
   if ($this->{ldap}{nativeGroupsBackoff} && ! $this->{session}->inContext("_user_exists")) {
     # prevent deep recursion
     $this->{session}->enterContext("_user_exists");
-    $result = $this->SUPER::userExists($cUID);
+    $result = $this->isGroup($loginName);
     $this->{session}->leaveContext("_user_exists");
   }
 
@@ -458,7 +458,7 @@ sub isGroup {
 
   # backoff if it does not know
   if (!defined($isGroup) && $this->{ldap}{nativeGroupsBackoff}) {
-    $isGroup = ($wikiName =~ /Group$/);
+    $isGroup = $this->SUPER::isGroup($user);
   }
 
   return $isGroup;

-- CrawfordCurrie - 08 Jun 2017

Please check in your two lines.

-- MichaelDaum - 09 Jun 2017

OK, done.

-- Main.CrawfordCurrie - 13 Jun 2017 - 17:15
 

ItemTemplate edit

Summary Local groups not checked correctly
ReportedBy CrawfordCurrie
Codebase
SVN Range
AppliesTo Extension
Component LdapContrib
Priority Urgent
CurrentState Closed
WaitingFor MichaelDaum
Checkins LdapContrib:c87f5092406e
ReleasedIn n/a
CheckinsOnBranches master
trunkCheckins
masterCheckins LdapContrib:c87f5092406e
ItemBranchCheckins
Release02x01Checkins
Release02x00Checkins
Release01x01Checkins
Edit  | Attach | Print version | History: r5 < r4 < r3 < r2 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r5 - 30 Aug 2017, MichaelDaum
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy