Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: Low
Fix Version/s: None
Affects Version/s: 7.0.0
Component/s: User Management - LDAP Integration
Labels:
- affects-server

Introduced in Version:
7
Support reference count:
23
Symptom Severity:
Severity 3 - Minor
UIS:
2
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Summary

If JIRA is configured to synch with a LDAP engine that does not have a unique ID attribute, upon synchronisation it will clobber users, causing session hijacking.

Steps to Reproduce

Connect JIRA to an LDAP engine.
Ensure there are multiple users in the LDAP that have the same User Unique ID Attribute.
Synchronise the user directories.
Login as one user.

Expected Results

The synchronisation does not pass successfully and the admin is notified that there is a problem with the external user directory.

Actual Results

Users can become 'hijacked', as the app_user.user_key will change unexpectedly and different users will become other users that share the same unique ID. This can also cause some users to be orphaned and some sessions to log out.

Workaround

The LDAP engine should not be configured to have a 'user unique ID attribute' that is not unique. This is documented in RFC 2307.

Notes

This was reproduced with a Jumpcloud LDAP integration.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Unassigned

Reporter:: Dave C

Votes:: 2 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 01/Dec/2015 11:34 PM

Updated:: 05/Apr/2024 2:27 AM