Crowd Data Center: CWD-2723

Group Name attribute change behavior in Delegated Authentication Directory

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Low
    • None
    • 2.3.4
    • None
    • None

      Description

      When there is a Group Name Attribute change in a Delegated Authentication Directory, instead of updating an existing group's name to use the new attribute, Crowd creates another group with that alternate Group Name (so there will be some sort of a duplicate group).

      How to Reproduce

      1. Create a user, with cn=UserA in LDAP.
      2. Create a group, with cn=GroupA, description=GroupAcopy, member=cn=UserA in LDAP
      3. Set up a Delegated Auth Directory in Crowd Console >> Directories >> Add Directory to sync Group memberships, and assign the Group Name Attribute to cn.
      4. Login as UserA into Crowd, which will automatically create the group, GroupA in Crowd as well.
      5. Update the Group Name Attribute in the Delegated Auth Directory Configuration in Crowd to description, this time.
      6. Login as UserA again

      Notice that there will be another group called GroupAcopy created in Crowd, with the old group, GroupA still there (2 groups instead of 1). Expected behavior would be that Crowd will update GroupA to GroupAcopy (since it's a name attribute change).


            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 - restricted [ 1510930 ] New: JAC Bug Workflow v3 [ 3365757 ]
            Owen made changes -
            Symptom Severity Original: Minor [ 14432 ] New: Severity 3 - Minor [ 15832 ]
            Lukasz Pater made changes -
            Resolution New: Duplicate [ 3 ]
            Status Original: Open [ 1 ] New: Closed [ 6 ]
            Lukasz Pater made changes -
            Link New: This issue duplicates CWD-1599 [ CWD-1599 ]
            jonah (Inactive) made changes -
            Symptom Severity New: Minor [ 14432 ]
            Owen made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1392410 ] New: Simplified Crowd Development Workflow v2 - restricted [ 1510930 ]
            Owen made changes -
            Workflow Original: Crowd Development Workflow v2 [ 356637 ] New: Simplified Crowd Development Workflow v2 [ 1392410 ]

            Tansu Kahyaoglu added a comment -

            Since our group names change frequently, we need this feature to be implemented. Any update on this?

            Thanks

            Stephan Haslinger added a comment -

            This will also happen if the group name's AD attribute value is being changed (e.g. from displayName="Employes" to "Employees").

            Thinking about affected use cases:

            • In Confluence you'll find two groups. The user may not know which one is correct.
            • In Confluence, assigned group restrictions/permissions will point to the old group. New members of the new group won't gain access automatically.
            • Deleting the old groups manually in Crowd would invalidate the (formerly set) permissions and restrictions in Confluence.

            Crowd could store the DN of each group (to identify that group within the AD) and update the attributes once they get changed within the AD.
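Added example (not part of the original issue and not Crowd's code): a small model of the reproduction steps, comparing a local group store keyed by the configured name attribute with one keyed by DN as suggested in the comment above. The DN value, function names and store layout are assumptions made for illustration.

```python
# Constructed LDAP entry from the reproduction steps (not real directory data).
LDAP_GROUP = {
    "dn": "cn=GroupA,ou=groups,dc=example,dc=com",  # constructed DN
    "cn": "GroupA",
    "description": "GroupAcopy",
    "member": ["cn=UserA"],
}

def sync_by_name(local, entries, name_attr):
    """Reported behaviour: the local group is identified by its name value."""
    for e in entries:
        local.setdefault(e[name_attr], set()).update(e["member"])
    return local

def sync_by_dn(local, entries, name_attr):
    """Suggested behaviour: identify the group by DN, treat a new name as a rename.
    Returns (old, new) pairs so a caller could propagate the rename downstream."""
    renames = []
    for e in entries:
        rec = local.setdefault(e["dn"], {"name": e[name_attr], "members": set()})
        if rec["name"] != e[name_attr]:
            renames.append((rec["name"], e[name_attr]))
            rec["name"] = e[name_attr]
        rec["members"] = set(e["member"])
    return renames

def stale_groups(local, entries, name_attr):
    """Audit check: name-keyed local groups with no matching directory entry.
    These are the leftovers that may still hold permissions in applications."""
    current = {e[name_attr] for e in entries}
    return sorted(set(local) - current)

def reproduce():
    by_name, by_dn = {}, {}
    # Step 4: first login with Group Name Attribute = cn
    sync_by_name(by_name, [LDAP_GROUP], "cn")
    sync_by_dn(by_dn, [LDAP_GROUP], "cn")
    # Steps 5-6: attribute switched to description, user logs in again
    sync_by_name(by_name, [LDAP_GROUP], "description")
    renames = sync_by_dn(by_dn, [LDAP_GROUP], "description")
    stale = stale_groups(by_name, [LDAP_GROUP], "description")
    return sorted(by_name), stale, renames, [r["name"] for r in by_dn.values()]

if __name__ == "__main__":
    print(reproduce())
```

A DN itself changes when an entry is moved or its RDN is renamed, so an immutable identifier such as objectGUID (Active Directory) or entryUUID is a sturdier key than the DN where the directory exposes one.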
            Foo Sim (Inactive) created issue -

              Assignee: Unassigned
              Reporter: Foo Sim (Inactive)
              Affected customers: 3
              Watchers: 4