[CAUSEWAY-2157] Secman: Non-existing User gets created in DB even though not authenticated via LDAP - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.0.0-M3
Component/s: None
Labels:
None

Description

When using Secman with delegated authentication to LDAP, any login attempt authenticated or not will create an (disabled) user-account in the DB.

While not a security risk, this allows attackers to 'fill' the database with arbitrary garbage.

Desired behavior for this scenario is to auto-create user accounts in the DB only if these do successfully authenticate with the delegated authentication mechanism.

Attachments

Activity

People

Assignee:: Andi Huber

Reporter:: Andi Huber

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 02/Aug/19 07:06

Updated:: 25/Jan/23 10:34

Resolved:: 02/Aug/19 08:48