Boleslaw Dawidowicz resolved GTNPORTAL-1926.
--------------------------------------------
Resolution: Won't Fix
I was thinking a lot about this and whether it makes sense to introduce some kind of configurable
strategies... The problem is that LDAP by nature should be treated as the store with higher
priority, and in a readOnly config it is the master source of the user profile.
Having the DB take precedence for profile info is problematic - for example, what happens if you
remove one of the fields? What if the information is updated in both DB and LDAP to different
values? There is currently no mechanism to detect such conflicts.
I guess we should go with our general guidance that when LDAP is used, the portal organization
management tools shouldn't be used to manage its content.
Ideally the user management portlet should be configured to mark some fields as readOnly, but
there is no such feature in it at the moment.
DB and LDAP in read-only: user attributes are saved only to DB but
they are still read from LDAP
------------------------------------------------------------------------------------------------
Key: GTNPORTAL-1926
URL: https://issues.jboss.org/browse/GTNPORTAL-1926
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Identity integration
Affects Versions: 3.1.0-GA
Environment: - EPP 5.1.1.DEV01 with latest exo.portal.component.identity from
GateIn trunk
- Picketlink 1.3.0.Alpha03
- LDAP configured with read-only setup (picketlink-idm-ldap-acme-config.xml from
"example" folder used as configuration file)
Reporter: Marek Posolda
Assignee: Boleslaw Dawidowicz
Fix For: 3.2.0-M02
I have LDAP configured as read-only (the parameter "readOnly" with value
"true" is configured as an option in the configuration of "PortalRepository"
in the picketlink configuration file picketlink-idm-ldap-acme-config.xml).
And then I am doing this in the EPP UI:
1) Login as "mposolda" with password
2) Click on my name in the top right corner
3) Change my first name and last name to "Marekkk Poosoldaaaa".
4) Click "Save" and I get a message that the attributes were changed successfully
5) Logout
6) Login again as mposolda
7) I see that I am still "Marek Posolda"
The problem is that attributes are written to the DB in the method
FallbackIdentityStoreImpl.updateAttributes (which is correct), but then they are read from
LDAP in FallbackIdentityStoreImpl.getAttributes and the DB attributes are simply ignored.
This is confusing for users, because they may have the feeling that their attributes are
updated, but they aren't.
I think that one of these two conditions should be met:
a) Show a warning in step 4 that the user can't change LDAP attributes (like FirstName,
Lastname or Email)
b) Don't show a warning, but in this case attributes from the DB should have preference
over attributes from LDAP.
It would be nice if this could be configurable, so the administrator can choose between option
(a) and (b).
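The following is an added illustration, not GateIn or PicketLink code: a minimal model of the fallback-store behaviour described in the report (writes land in the DB, reads prefer LDAP), option (a) from the report implemented as a rejected-attribute check, and the conflict detection the resolution comment says is missing. The class name, the readOnly flag and the attribute names are assumptions for the example.

```java
import java.util.*;

// Hypothetical model of a read-only LDAP master store with a writable DB fallback.
public class FallbackStoreModel {
    final Map<String, String> ldap = new HashMap<>();   // read-only master source
    final Map<String, String> db   = new HashMap<>();   // writable fallback store
    final boolean ldapReadOnly;

    FallbackStoreModel(boolean ldapReadOnly) { this.ldapReadOnly = ldapReadOnly; }

    // Reported behaviour: DB values are overlaid by LDAP values, so an update
    // that only reached the DB is invisible to the user after re-login.
    Map<String, String> getAttributesAsReported() {
        Map<String, String> merged = new HashMap<>(db);
        merged.putAll(ldap);   // LDAP silently wins over whatever the DB holds
        return merged;
    }

    // Option (a): while LDAP is read-only, refuse writes to attributes that LDAP
    // manages and report them, so the UI can warn instead of claiming success.
    Set<String> updateAttributes(Map<String, String> changes) {
        Set<String> rejected = new TreeSet<>();
        for (Map.Entry<String, String> e : changes.entrySet()) {
            if (ldapReadOnly && ldap.containsKey(e.getKey())) rejected.add(e.getKey());
            else db.put(e.getKey(), e.getValue());
        }
        return rejected;
    }

    // Conflict detection: attributes present in both stores with different values.
    // This is the check an administrator needs before letting the DB take precedence.
    Set<String> conflictingAttributes() {
        Set<String> out = new TreeSet<>();
        for (String k : db.keySet())
            if (ldap.containsKey(k) && !Objects.equals(ldap.get(k), db.get(k))) out.add(k);
        return out;
    }

    public static void main(String[] args) {
        FallbackStoreModel s = new FallbackStoreModel(true);
        s.ldap.put("firstName", "Marek"); s.ldap.put("lastName", "Posolda");
        s.db.put("firstName", "Marekkk");   // constructed: what step 4 leaves behind in the DB
        System.out.println("read as reported: " + s.getAttributesAsReported());
        System.out.println("conflicts:        " + s.conflictingAttributes());
        Map<String, String> change = new HashMap<>();
        change.put("lastName", "Poosoldaaaa");
        System.out.println("rejected writes:  " + s.updateAttributes(change));
    }
}
```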