Details
-
Story
-
Status: Closed
-
Major
-
Resolution: Fixed
-
rel-4-1-2
-
Security Level: Users (General product issues)
-
21
-
UNDECIDED
-
Green Sprint 94, Green Sprint 95, Green Sprint 96
-
2016032110000264
Description
With the new Server configuration GUI, users cannot login with the LDAP credentials if there is not related clover account created in the Server. Therefore, a new Clover account has to be manually created before the user can login. Before that, users that had an account in LDAP were able to login to the Server (which created the Clover account for them).
We have turned this off in order to prevent logins of unauthorized LDAP users (if no group is defined - basically anyone who has an account in LDAP can login).
I believe we should handle this differently - we should enable users to login even if they have only LDAP account. There are basically two options we need to take into consideration:
- If there are LDAP groups defined, we can easily determine the permissions based on the groups the user is assigned to. Of course we assume the group permission are manually defined as this cannot be automated.
- If there are no LDAP groups defined, we might need something like defaultSecurityGroup property that would handle the initial login. In some companies, they might want to get all user (defined by security.ldap.user_search.base) have already some permissions - since they using proper configuration they can even target a specific node in the LDAP tree that contains only those users that should have access to CloverETL Server.
- For SAML login, use defaulSecurityGroup, mapping to SAML groups may be implemented later
Attachments
Issue Links
There are no Sub-Tasks for this issue.