Jira Data Center / JRASERVER-47583

Integrating with LDAP causes session hijacking when the user unique ID attribute is not unique



      If JIRA is configured to sync with an LDAP engine whose configured user unique ID attribute does not actually hold unique values, synchronisation will clobber users, causing session hijacking.

      Steps to Reproduce

      1. Connect JIRA to an LDAP engine.
      2. Ensure there are multiple users in the LDAP that have the same User Unique ID Attribute.
      3. Synchronise the user directories.
      4. Log in as one user.

      Expected Results

      The synchronisation does not pass successfully and the admin is notified that there is a problem with the external user directory.

      Actual Results

      Users can become 'hijacked', as the app_user.user_key will change unexpectedly and different users will become other users that share the same unique ID. This can also cause some users to be orphaned and some sessions to log out.


      The LDAP engine should not be configured to have a 'user unique ID attribute' that is not unique. This is documented in RFC 2307.
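A pre-synchronisation check that an administrator can run over an LDIF export of the directory, to find users who share a value of (or lack) the attribute configured as the User Unique ID Attribute before Jira ever syncs it. This is an added example, not code from the Jira issue or from Atlassian; the attribute name `uidNumber`, the usernames and the LDIF content are constructed sample data, and the LDIF parser is deliberately minimal (blank-line separated entries, repeated attributes, base64 `::` values).

```python
"""Detect non-unique 'user unique ID attribute' values in an LDIF export.

Added example (assumption: the directory was exported to LDIF, e.g. with
ldapsearch, and the attribute Jira is configured to use as the user
unique ID is known). Not part of the Jira issue or Atlassian's code.
"""
import base64
from collections import defaultdict

# Constructed sample export: alice and bob collide on uidNumber, dave lacks it.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
uidNumber: 5001
mail: alice@example.com

dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
uidNumber: 5001
mail: bob@example.com

dn: uid=carol,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
uidNumber: 5002
mail:: Y2Fyb2xAZXhhbXBsZS5jb20=

dn: uid=dave,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased (LDAP attribute names are
    case-insensitive); 'attr:: base64' values are decoded.
    """
    entries = []
    current = defaultdict(list)
    for line in text.splitlines() + [""]:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current[attr.strip().lower()].append(value)
    return entries


def find_duplicate_ids(entries, id_attr, username_attr="uid"):
    """Group entries by the unique-ID attribute.

    Returns (duplicates, missing): duplicates maps each ID value shared by
    more than one user to the list of usernames, missing lists users that
    have no value for the attribute at all. Either condition means the
    attribute is unsafe to use as Jira's user unique ID.
    """
    id_attr, username_attr = id_attr.lower(), username_attr.lower()
    by_id = defaultdict(list)
    missing = []
    for entry in entries:
        name = (entry.get(username_attr) or entry.get("dn") or ["<unknown>"])[0]
        values = entry.get(id_attr, [])
        if not values:
            missing.append(name)
            continue
        for value in values:
            by_id[value].append(name)
    duplicates = {v: names for v, names in by_id.items() if len(names) > 1}
    return duplicates, missing


def check_directory(ldif_text, id_attr):
    """Return True only if every user has exactly one, unique id_attr value."""
    duplicates, missing = find_duplicate_ids(parse_ldif(ldif_text), id_attr)
    for value, names in sorted(duplicates.items()):
        print(f"DUPLICATE {id_attr}={value}: {', '.join(names)}")
    for name in missing:
        print(f"MISSING {id_attr}: {name}")
    return not duplicates and not missing


if __name__ == "__main__":
    ok = check_directory(SAMPLE_LDIF, "uidNumber")
    print("safe to sync" if ok else "do NOT sync: fix the directory first")
```

Run it against a real export by replacing `SAMPLE_LDIF` with the file contents and `uidNumber` with whatever attribute the Jira directory configuration names; any DUPLICATE or MISSING line is the condition this issue describes, so the directory should be fixed before synchronising.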


      This was reproduced with a Jumpcloud LDAP integration.

            Assignee: Unassigned
            Reporter: Dave C (dcurrie@atlassian.com)