  1. Artifactory Binary Repository
  2. RTFACT-18664

LDAP users linked to LDAP groups configured as admin do not get admin privileges

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.8.0, 6.8.3
    • Fix Version/s: 6.9.0, 6.10.0, 6.8.4
    • Component/s: LDAP
    • Labels:
      None
    • Regression:
      Yes

      Description

      UPDATE: This happens only when the user is a member of several external groups, some of which have admin permissions and some of which do not
      UPDATE #2: This affects all external authentication providers, not only LDAP

      LDAP users linked to LDAP groups configured as admin (the "Admin Privileges" option is enabled in the group configuration) do not have admin privileges, although these groups and users are marked as "Admin" in Artifactory.

      Steps to reproduce:

      1. Install Artifactory latest version (currently 6.8.3)
      2. Install an LDAP server
      3. Create groups which aggregate user(s) in LDAP
      4. Configure Artifactory with LDAP
      5. Import LDAP groups
      6. Configure in Artifactory an LDAP group with admin privileges (enable "Admin Privileges" option in the groups configuration)
      7. Log in with an LDAP user who is a member of the group from #6
      8. Notice that the user does not have admin privileges (the Admin tab is grayed out)

      In addition, note that the above functionality works in previous versions (below 6.8.0). Therefore, the admin privileges of LDAP users that are linked to LDAP groups as described above will be lost when upgrading from a version below 6.8.0 to versions 6.8.0 and above.

      Tested from version 5.8.9 to 6.8.2, and from version 6.7.2 to 6.8.3

      Screenshots attached for reference:

      1. Two screenshots, taken while logged in as the Artifactory internal admin user, showing the LDAP group and LDAP user permissions as presented in Artifactory.
      2. A screenshot showing the LDAP user logged in without admin privileges

      Workaround:
      As a workaround, you can update the user to be an 'admin' regardless of the groups they are a member of. To do so:
      1. Get the user by running:

      $ curl -uadmin:password http://ARTIFACTORY_URL:8081/artifactory/api/security/users/<USERNAME>
      

      This is an example of the response:

      {
        "name" : "arielk",
        "email" : "larry.caiyu@gmail.com",
        "admin" : false,
        "profileUpdatable" : true,
        "internalPasswordDisabled" : true,
        "groups" : [ "readers", "testgroup", "testgroup5", "testgroup3", "testgroup4", "testgroup2" ],
        "lastLoggedIn" : "2019-03-04T15:58:22.936+02:00",
        "lastLoggedInMillis" : 0,
        "realm" : "ldap",
        "offlineMode" : false,
        "disableUIAccess" : false
      }
      

      2. Send a POST to update the user to be an admin by setting "admin" to true, for example:

      curl -uadmin:password -XPOST "http://localhost:8081/artifactory/api/security/users/arielk" -H 'Content-Type: application/json' -d '{
        "name" : "arielk",
        "email" : "larry.caiyu@gmail.com",
        "admin" : true,
        "profileUpdatable" : true,
        "internalPasswordDisabled" : true,
        "groups" : [ "readers", "testgroup", "testgroup5", "testgroup3", "testgroup4", "testgroup2" ],
        "lastLoggedIn" : "2019-03-04T15:58:22.936+02:00",
        "lastLoggedInMillis" : 0,
        "realm" : "ldap",
        "offlineMode" : false,
        "disableUIAccess" : false
      }'
      

      Note that "admin" is set to true in the request body above.
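To decide which accounts need the workaround, the condition from the first UPDATE can be checked over exported user and group records. This is an added example, not code from the issue or from Artifactory; the sample records are constructed, and the group fields "adminPrivileges" and "realm" are assumptions about the group JSON.

```python
# Constructed sample data. The user records mirror fields of the response
# shown above; the group records and their "adminPrivileges"/"realm" fields
# are assumptions made for this example.
GROUPS = {
    "readers":    {"adminPrivileges": False, "realm": "internal"},
    "testgroup":  {"adminPrivileges": True,  "realm": "ldap"},
    "testgroup2": {"adminPrivileges": False, "realm": "ldap"},
    "ops-admins": {"adminPrivileges": True,  "realm": "ldap"},
}
USERS = [
    {"name": "arielk", "admin": False, "realm": "ldap",
     "groups": ["readers", "testgroup", "testgroup2"]},
    {"name": "only-admin-group", "admin": False, "realm": "ldap",
     "groups": ["ops-admins"]},
    {"name": "plain", "admin": False, "realm": "ldap",
     "groups": ["readers", "testgroup2"]},
    {"name": "fixed", "admin": True, "realm": "ldap",
     "groups": ["testgroup", "testgroup2"]},
]


def external_groups(user, groups):
    """Split the user's external groups into (admin, non_admin) name lists."""
    admin, non_admin = [], []
    for name in user.get("groups", []):
        g = groups.get(name)
        if g is None or g.get("realm") == "internal":
            continue  # unknown or internal groups are outside the reported condition
        (admin if g.get("adminPrivileges") else non_admin).append(name)
    return admin, non_admin


def needs_workaround(user, groups):
    """True for the reported case: mixed external groups, admin flag not set."""
    admin, non_admin = external_groups(user, groups)
    return bool(admin) and bool(non_admin) and not user.get("admin", False)


def workaround_body(user):
    """Copy of the user record with only "admin" changed, as in step 2."""
    return {**user, "admin": True}


if __name__ == "__main__":
    for u in USERS:
        if needs_workaround(u, GROUPS):
            print(u["name"], "->", workaround_body(u))
```

A user updated this way keeps "admin": true regardless of group membership, so record which accounts were changed and review them after moving to a fixed version.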

              People

              • Assignee:
                uriahl Uriah Levy
                Reporter:
                kfira Kfir Avraham
                Assigned QA:
                Alex Dvorkin