Details
-
Bug
-
Resolution: Fixed
-
Medium
-
2.7.2
-
None
-
Severity 1 - Critical
-
Description
The Problem:
When Crowd is connected with AD and any modification is done to an LDAP user account via User Browser Menu, the attribute display_name on the LDAP is updated to a combination of the attributes first_name + last_name.
This issue does not happen if the display_name attribute on your LDAP is already set to first_name + last_name.
Example: If the attribute first_name is John and last_name is Doe but the display_name on LDAP is johnjohn, then the display_name attribute on the LDAP will be updated to John Doe.
Additional information:
If the account being used to perform the bind with the LDAP server doesn't have write permission, or if connected with the LDAP using Global Catalog port (only MSAD), the following error will be thrown:
Diagnosis:
The following query helps to identify users that can be potentially affected:
select concat(first_name, ' ', last_name) AS "First and Last Name", display_name from cwd_user where concat(first_name, ' ', last_name) != display_name;
Workaround:
- If the "Manage User Status Locally" option on your directory is enabled, and the operation that is being attempted is to disable the user, it can be done directly via database with the following SQL statement:
update cwd_user set active = 'F' where id = <user_id>;
Where <user_id> is the id of the user you're trying to disable.- If the "Manage User Status Locally" option on your directory is disabled, you can disable the user directly on the LDAP and sync Crowd with the LDAP again.
- Set the user's display_name to first_name + last_name on your LDAP.
Steps to reproduce
- Create a user with the details below:
Username: jdoe Email address: jdoe@example.com First name: John Last name: Doe Display name: johnjohn
- Set up a Crowd with LDAP
- Try to deactivate the user you've created
