• Type: Bug
• Resolution: Unresolved
• Priority: Medium
• Fix Version/s: None
• Affects Version/s: 2.4.8
• Component/s: Directory - LDAP
• Labels:

  • cwd-cleanup-1

[CWD-3138] Removing a User from an LDAP Read/Write Directory does not remove the group memberships for that user

Collapse comment: Diego Berrueta added a comment - 28/Aug/2014 4:35 AM

Diego Berrueta added a comment - 28/Aug/2014 4:35 AM

Do any LDAP directories actually maintain referential integrity? AD? ... obviously OpenLDAP does not!

That's exactly my concern. LDAP admins may be surprised if Crowd implements "delete on cascade" on LDAP dirs.

Expand comment: Diego Berrueta added a comment - 28/Aug/2014 4:35 AM

Diego Berrueta added a comment - 28/Aug/2014 4:35 AM Do any LDAP directories actually maintain referential integrity? AD? ... obviously OpenLDAP does not! That's exactly my concern. LDAP admins may be surprised if Crowd implements "delete on cascade" on LDAP dirs.

Collapse comment: Justin Koke added a comment - 28/Aug/2014 3:06 AM

Justin Koke added a comment - 28/Aug/2014 3:06 AM

Do any LDAP directories actually maintain referential integrity? AD? ... obviously OpenLDAP does not!

But seriously ... providing an option is the 'easy way out' ... just make a decision. If you delete a group, you delete the memberships for the group. You delete a user, you delete the memberships for that user. This aligns with how the internal directory works, and really I think the 99% case with people using LDAP directly is '&%$ why didn't LDAP remove the memberships for the user I just deleted!'.

Expand comment: Justin Koke added a comment - 28/Aug/2014 3:06 AM

Justin Koke added a comment - 28/Aug/2014 3:06 AM Do any LDAP directories actually maintain referential integrity? AD? ... obviously OpenLDAP does not! But seriously ... providing an option is the 'easy way out' ... just make a decision. If you delete a group, you delete the memberships for the group. You delete a user, you delete the memberships for that user. This aligns with how the internal directory works, and really I think the 99% case with people using LDAP directly is '& % $ why didn't LDAP remove the memberships for the user I just deleted!'.

Collapse comment: Diego Berrueta added a comment - 17/Feb/2013 11:48 PM, Edited by Diego Berrueta - 18/Feb/2013 10:50 AM

Diego Berrueta added a comment - 17/Feb/2013 11:48 PM - edited

It seems reasonable that removing a user or a group should propagate the deletion in cascade. It may be dangerous to leave orphaned memberships that may reappear if later on a user or a group is created with the same name.

At the same time, Crowd should not surprise sysadmins used to low-level LDAP tools that do not propagate deletions. Also importantly, all directory types should behave consistently.

There are several approaches to this fix, including:

• Adding a "propagate deletions on cascade" checkbox to the directory settings.
• Refusing to delete a user until all references have been removed.
• Unconditionally deleting all references on cascade, possibly giving some feedback to the user.

Expand comment: Diego Berrueta added a comment - 17/Feb/2013 11:48 PM, Edited by Diego Berrueta - 18/Feb/2013 10:50 AM

Diego Berrueta added a comment - 17/Feb/2013 11:48 PM - edited It seems reasonable that removing a user or a group should propagate the deletion in cascade. It may be dangerous to leave orphaned memberships that may reappear if later on a user or a group is created with the same name. At the same time, Crowd should not surprise sysadmins used to low-level LDAP tools that do not propagate deletions. Also importantly, all directory types should behave consistently. There are several approaches to this fix, including: Adding a "propagate deletions on cascade" checkbox to the directory settings. Refusing to delete a user until all references have been removed. Unconditionally deleting all references on cascade, possibly giving some feedback to the user.