  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-127940

Inactive LDAP user can log in following attribute mappings change


    • Bug
    • Status: Open
    • Resolution: Unresolved
    • Master
    • None
    • None


      Reproduction steps:

      1. Assert there is no configured mapping for "Status" on the LDAP Server connection
      2. Log in with an inactive LDAP user
      3. Configure an appropriate mapping for the Status attribute (LDAP does not have a standardized attribute to describe activation status, see tip below)
      4. Log in again

       Expected outcome: User is unable to log in because the LDAP user is deactivated
       Actual outcome: User is able to log in because the modifiedDate timestamps of the portal user & LDAP entry match, so the newly mapped LDAP "status" attribute is not imported

      Note: The effect only lasts for the login at step 4. Any subsequent login attempts will fail because the act of simply logging in will update the portal user's modifiedDate timestamp.

       Tip: To make it easier to create an "inactive" LDAP user, you can use an existing LDAP attribute such as roomNumber in the mapping. This attribute is available in the Person schema which all portal users have by default. You will need to use an LDAP client (try JXplorer) to update the attribute with the value 5 which portal interprets as "deactivated".





              support-lep@liferay.com SE Support
              stian.sigvartsen Stian Sigvartsen
              Kiyoshi Lee Kiyoshi Lee


                2 years, 16 weeks, 1 day ago
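A small model of the skip condition described under "Actual outcome", added here as an illustration and not Liferay's code: it replays the reproduction steps against a timestamp-only check and against a variant that also compares a fingerprint of the attribute mappings. `PortalUser`, `login`, `fingerprint`, `replay`, `ACTIVE = 0`, the timestamp values and the fingerprint check itself are assumptions of this example, not something the issue proposes.

```python
import hashlib
import json
from dataclasses import dataclass

DEACTIVATED = 5  # value the report says the portal interprets as "deactivated"
ACTIVE = 0       # assumption for this model

@dataclass
class PortalUser:
    modified: int = 0        # portal user's modifiedDate
    status: int = ACTIVE
    mapping_fp: str = ""     # hardened variant: mappings used by the last import

def fingerprint(mappings):
    """Stable digest of the attribute mappings configured on the connection."""
    return hashlib.sha256(json.dumps(mappings, sort_keys=True).encode()).hexdigest()

def login(user, entry, mappings, now, hardened=False):
    """Import-on-login; returns True when the login is allowed."""
    skip = user.modified == entry["modified"]
    if hardened:  # also re-import when the mappings changed since the last import
        skip = skip and user.mapping_fp == fingerprint(mappings)
    if skip:
        user.modified = now  # the login itself touches modifiedDate (see the Note)
    else:
        attr = mappings.get("status")
        if attr in entry["attrs"]:
            user.status = int(entry["attrs"][attr])
        # Model assumption: an import stamps the user with the LDAP timestamp.
        user.modified = entry["modified"]
        user.mapping_fp = fingerprint(mappings)
    return user.status != DEACTIVATED

def replay(hardened):
    """Steps 1-4 of the report plus one further login; constructed sample data."""
    entry = {"modified": 100, "attrs": {"roomNumber": "5"}}  # inactive LDAP user
    user, mappings = PortalUser(), {}             # step 1: no Status mapping
    results = [login(user, entry, mappings, 101, hardened)]        # step 2
    mappings = {"status": "roomNumber"}           # step 3: map Status
    results.append(login(user, entry, mappings, 102, hardened))    # step 4
    results.append(login(user, entry, mappings, 103, hardened))    # later login
    return results

if __name__ == "__main__":
    print("timestamp-only check:", replay(False))
    print("with mapping fingerprint:", replay(True))
```

In the timestamp-only run the second result is the login at step 4 that should have been refused; the third is the later login that fails as the Note describes.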

