Details
- Bug
- Resolution: Unresolved
- Low
- None
- 5.8.10, 5.8.16, 5.9.4
- 4
- Severity 3 - Minor
Description
Summary
Even though "Use the User Membership Attribute" is ticked, group memberships based on the Group Members Attribute are pulled and copied to Confluence when users log in to Confluence.
This results in group memberships being deleted at every synchronization, as Confluence rewrites the group membership based on the User Membership Attribute.
Steps to Reproduce
- Have an LDAP directory where users' group memberships use the Group Members Attribute (for example, UniqueMember). See the following sample Group LDIF:
- Configure Confluence to connect to this LDAP directory. Make sure that "Use the User Membership Attribute" is ticked.
- Test the connection to Confluence.
- Notice that the connection succeeded.
- Notice that the membership test would usually fail.
- Users are copied to Confluence.
- Check their user details. They do not have any group membership.
- Log in to Confluence as this user.
Expected Results
Users are not able to log in to Confluence, as the user does not have a User Membership Attribute and therefore does not belong to any group.
Actual Results
- Users are able to log in.
- The groups based on the Group Members Attribute are copied to Confluence.
However, this presents an issue: upon LDAP synchronization, the group memberships are deleted and rewritten, since Confluence checks the User Membership Attribute every time it synchronizes with LDAP.
This results in users losing their group membership and seeing the "Not Permitted" page every time synchronization occurs, while they are still logged in.
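To find the accounts this mismatch affects, the directory can be audited for memberships recorded only on the group entry. The script below is an added example, not code from this ticket or from Atlassian. It runs over a constructed LDIF sample and assumes `memberOf` as the name of the User Membership Attribute; `uniqueMember` is the ticket's own example.

```python
from collections import defaultdict

# Constructed sample directory (not from the ticket). uniqueMember is the
# ticket's example; memberOf is an assumed User Membership Attribute name.
SAMPLE_LDIF = """\
dn: cn=confluence-users,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
memberOf: cn=confluence-users,ou=groups,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs[key.lower()].append(value.strip())
        if attrs.get("dn"):
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def membership_mismatches(entries, group_attr="uniqueMember", user_attr="memberOf"):
    """Return {user_dn: [group_dn, ...]} for memberships present only on the group entry."""
    lost = defaultdict(list)
    for group_dn, attrs in entries.items():
        for member in attrs.get(group_attr.lower(), []):
            user = entries.get(member.lower(), {})
            backlinks = [g.lower() for g in user.get(user_attr.lower(), [])]
            if group_dn not in backlinks:  # group lists the user, user entry does not list the group
                lost[member.lower()].append(group_dn)
    return dict(lost)

if __name__ == "__main__":
    for user, groups in membership_mismatches(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{user}: membership not on user entry -> {', '.join(groups)}")
```

Users it reports are the ones whose memberships would appear at login and be removed at the next synchronization, as described above.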