[gatein-issues] [JBoss JIRA] Resolved: (GTNPORTAL-1926) DB and LDAP in read-only: user attributes are saved only to DB but they are still read from LDAP

Boleslaw Dawidowicz (JIRA) jira-events at lists.jboss.org
Thu Sep 29 19:34:26 EDT 2011


     [ https://issues.jboss.org/browse/GTNPORTAL-1926?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Boleslaw Dawidowicz resolved GTNPORTAL-1926.
--------------------------------------------

    Resolution: Won't Fix


I was thinking a lot about this and whether it makes sense to introduce some kind of configurable strategies... The problem is that LDAP by nature should be treated as the store with higher priority, and in a readOnly config it is the master source of the user profile.

Having the DB take precedence for profile info is problematic - for example, what happens if you remove one of the fields? What if the information is updated in both DB and LDAP to different values? There is currently no mechanism to detect such conflicts.

I guess we should go with our general guidance that when LDAP is used, the portal organization management tools shouldn't be used to manage its content.

Ideally the user management portlet should be configured to mark some fields as readOnly, but there is no such feature in it at the moment.

> DB and LDAP in read-only: user attributes are saved only to DB but they are still read from LDAP
> ------------------------------------------------------------------------------------------------
>
>                 Key: GTNPORTAL-1926
>                 URL: https://issues.jboss.org/browse/GTNPORTAL-1926
>             Project: GateIn Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Identity integration
>    Affects Versions: 3.1.0-GA
>         Environment: - EPP 5.1.1.DEV01 with latest exo.portal.component.identity from GateIn trunk
> - Picketlink 1.3.0.Alpha03
> - LDAP configured with read-only setup (picketlink-idm-ldap-acme-config.xml from "example" folder used as configuration file)
>            Reporter: Marek Posolda
>            Assignee: Boleslaw Dawidowicz
>             Fix For: 3.2.0-M02
>
>
> I have LDAP configured as read-only (the parameter "readOnly" with value "true" is configured as an option in the configuration of "PortalRepository" in the picketlink configuration file picketlink-idm-ldap-acme-config.xml).
> Then I do this in the EPP UI:
> 1) Log in as "mposolda" with password
> 2) Click my name in the top right corner
> 3) Change my first name and last name to "Marekkk Poosoldaaaa".
> 4) Click "Save" and I get a message that the attributes were changed successfully
> 5) Log out
> 6) Log in again as mposolda
> 7) I see that I am still "Marek Posolda"
> The problem is that the attributes are written to DB in the method FallbackIdentityStoreImpl.updateAttributes (which is correct), but then they are read from LDAP in FallbackIdentityStoreImpl.getAttributes and the DB attributes are simply ignored. This is confusing for users, because they may have the feeling that their attributes are updated but they aren't.
> I think that one of these two conditions should be met:
> a) Show a warning in step 4 that the user can't change LDAP attributes (like FirstName, Lastname or Email)
> b) Don't show a warning, but in this case attributes from DB should have preference over attributes from LDAP.
> It would be nice if this could be configurable so the administrator can choose between option (a) and (b).

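The write-to-DB / read-from-LDAP split described in the report, plus the conflict check the resolution says is missing, as an added model (constructed for this thread, not PicketLink's FallbackIdentityStoreImpl; the class and method names below are assumptions, the sample user and values are taken from the report):

```java
import java.util.*;

// Constructed model of the fallback behaviour in GTNPORTAL-1926 (not PicketLink code):
// writes go to the DB store because LDAP is readOnly, reads ask LDAP first and use DB
// only for attributes LDAP does not have, so the DB write is never seen on read.
public class FallbackStoreModel {
    static class AttributeStore {
        final String name; final boolean readOnly;
        final Map<String, Map<String, String>> data = new HashMap<>();
        AttributeStore(String name, boolean readOnly) { this.name = name; this.readOnly = readOnly; }
        Map<String, String> get(String user) { return data.getOrDefault(user, Collections.emptyMap()); }
        void put(String user, Map<String, String> attrs) {
            if (readOnly) throw new IllegalStateException(name + " is readOnly");
            data.computeIfAbsent(user, u -> new HashMap<>()).putAll(attrs);
        }
    }

    final AttributeStore ldap = new AttributeStore("LDAP", true);
    final AttributeStore db = new AttributeStore("DB", false);

    // Write path (like the reported updateAttributes): LDAP is readOnly, so the write lands in DB.
    void updateAttributes(String user, Map<String, String> attrs) {
        (ldap.readOnly ? db : ldap).put(user, attrs);
    }

    // Read path (like the reported getAttributes): LDAP values win, DB only fills gaps.
    Map<String, String> getAttributes(String user) {
        Map<String, String> result = new HashMap<>(db.get(user));
        result.putAll(ldap.get(user));
        return result;
    }

    // The detection the resolution says does not exist: attributes held in both stores
    // with different values, returned as attribute -> {ldapValue, dbValue}.
    Map<String, String[]> divergentAttributes(String user) {
        Map<String, String[]> out = new TreeMap<>();
        for (Map.Entry<String, String> e : db.get(user).entrySet()) {
            String ldapValue = ldap.get(user).get(e.getKey());
            if (ldapValue != null && !ldapValue.equals(e.getValue()))
                out.put(e.getKey(), new String[] { ldapValue, e.getValue() });
        }
        return out;
    }

    public static void main(String[] args) {
        FallbackStoreModel store = new FallbackStoreModel();
        store.ldap.data.put("mposolda", new HashMap<>(Map.of("firstName", "Marek", "lastName", "Posolda")));
        store.updateAttributes("mposolda", Map.of("firstName", "Marekkk", "lastName", "Poosoldaaaa"));
        System.out.println("read back: " + store.getAttributes("mposolda")); // LDAP values, DB write invisible
        store.divergentAttributes("mposolda").forEach((k, v) ->
            System.out.println("conflict on " + k + ": LDAP=" + v[0] + " DB=" + v[1]));
    }
}
```

Running divergentAttributes after a save is the kind of check that would let the portal raise the warning in option (a) instead of silently reporting success.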
