Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-12325

LDAP group collation inconsistency between API and UI import, can fail LDAP sync

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: 4.11.1, 5.0.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Sprint:
      Pam - Quality 7

      Description

      Summary:

      The REST API for creating a group (https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API#ArtifactoryRESTAPI-CreateorReplaceGroup), allows groups to be created with upper casing, contrary to the import process for LDAP Groups (available under the LDAP Group setting menu).
      Should an LDAP group be created with even partial up-casing using the REST API, it will not sync to LDAP.

      E.g.: An LDAP group named 'userGroup' (on the LDAP side) will be imported as 'usergroup' in the UI, since we convert it to lower casing. However, there is no restriction to create a group (with the correct realm and attribute) using the REST API with upper casing.

      Reproduction (OpenLDAP was used):

      1. Set up an LDAP schema and create an upper case group, 'userGroup' and configure the LDAP server on Artifactory.
      2. Search for the group and observe it is being imported as 'usergroup'.
      3. Use the attached JSON (ldapetestgroupUppercase.json) and following command to create a 'userGroup':

      curl -uadmin:password -T ldapetestgroupUppercase.json -H "application/vnd.org.jfrog.artifactory.security.Group+json" localhost:8081/artifactory/api/security/groups/testGroup

      4. Observe the group is created with the upper casing 'testGroup'. (See screenshot 2 - "REST API created upper case group.ping")

      5. The group will not be sync with LDAP - you can try logging in with a group membering user and validate he is not added to the LDAP group in Artifactory.

      • Changing the Group name on LDAP side to 'userGroup' will not affect the sync (it will not sync).
      • Probably related to RTFACT-12301 (it's resolution could trigger the resolution of this JIRA).
      • Debug log for the login and sync attempt is attached (debug_log.txt).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                andreik Andrei Komarov
                Reporter:
                andreik Andrei Komarov
              • Votes:
                1 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated: