Bug #7079
closedGroup UI allows invalid entry causing Identity ServiceFailure
0%
Description
When adding users to a Group in the MetacatUI -> My Profile -> Settings -> Groups web form, the form allows users to be added to the group that don't exist in the Accounts Registry. We need to validate the member DN prior to calling PUT /cn/v2/groups so an invalid entry doesn't get created by the CNIdentityLDAPImpl service.
Unfortunately, once a uniqueMember is is created in the group in LDAP, this causes the Accounts Registry service to throw a 500 ServiceFailure, so all other authenticated interactions with the CN fail, affecting all users. I'll add a ticket in the d1_identity_manager project to address this from the server side. See https://redmine.dataone.org/issues/7857
By removing the bogus uniqueMember entry in LDAP, the Accounts Registry service worked fine again.
Files
Updated by ben leinfelder over 7 years ago
Since this actually doesn't break the account service (now) do we really need to restrict group member? Say I want to make a group of Orcid accounts but not all the the people in my group have logged in to DataONE before. They won't be in our system but I don't see why I shouldn't be able to add them.
Updated by Lauren Walker over 7 years ago
Will adding an orcid to a group cause an error? I can see it being helpful to be able to create a group of ORCIDs whether or not they are in the LDAP registry
Updated by ben leinfelder over 7 years ago
No, it should not be a problem and is exactly the kind of scenario I was imagining.
Lauren Walker wrote:
Will adding an orcid to a group cause an error? I can see it being helpful to be able to create a group of ORCIDs whether or not they are in the LDAP registry
Updated by Lauren Walker over 7 years ago
So Chris, should the UI only allow:
- valid ORCIDs
- other usernames that are in the LDAP account registry
Anything else is rejected by the form.
Updated by ben leinfelder over 7 years ago
Why can't it allow anything that is a valid Subject format? Different MNs use lots of different identification systems. Sure, we try to have them use ORCIDs, but many don't. Maybe they will use DNs, but many don't... Point is we need to be as flexible as possible.
Updated by Lauren Walker over 7 years ago
- Status changed from New to Rejected
This was fixed in CCI 2.2.0, so the UI should allow users to enter any username since it won't cause an error
Updated by Chris Jones over 7 years ago
Agreed - it seems fine to let any Subject be added since (as Ben pointed out), the ServiceFailure bug on the CN was fixed.