Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
Description
While working on OAK-5210 I noticed the implementation of LdapIdentityProvider.isMyRef:
    private boolean isMyRef(@Nonnull ExternalIdentityRef ref) {
        final String refProviderName = ref.getProviderName();
        return refProviderName == null
                || refProviderName.isEmpty()
                || getName().equals(refProviderName);
    }
If I am not mistaken, this means that the LDAP IdentityProvider may consider users that don't have an IDP name contained in their ExternalIdentityRef, such as local users/groups, to be accounts that are managed by it. I didn't carefully verify where and how this private method is used today, but to me that looks like a bug that may potentially create bigger consistency issues.
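To make the effect of the quoted check concrete, here is an added, self-contained illustration (not Oak's code and not a proposed fix for the project): the same null/empty-tolerant logic next to a variant that requires an exact provider-name match, run over a few constructed refs. The `Ref` class and `IsMyRefDemo` are stand-ins for the real `ExternalIdentityRef` and `LdapIdentityProvider`.

```java
// Added illustration (not Oak code): the isMyRef check quoted above beside a
// stricter variant, applied to refs with and without a provider name.
import java.util.Arrays;
import java.util.List;

public class IsMyRefDemo {

    // Hypothetical stand-in for Oak's ExternalIdentityRef: only the fields needed here.
    static final class Ref {
        final String id;
        final String providerName; // null/empty for refs with no IDP name (e.g. local accounts)
        Ref(String id, String providerName) { this.id = id; this.providerName = providerName; }
    }

    private final String name;
    IsMyRefDemo(String name) { this.name = name; }
    String getName() { return name; }

    // Same logic as the quoted method: a missing or empty provider name counts as "mine".
    boolean isMyRefLenient(Ref ref) {
        String p = ref.providerName;
        return p == null || p.isEmpty() || getName().equals(p);
    }

    // Stricter variant for comparison: only an exact provider-name match is accepted.
    boolean isMyRefStrict(Ref ref) {
        return getName().equals(ref.providerName);
    }

    public static void main(String[] args) {
        IsMyRefDemo ldap = new IsMyRefDemo("ldap");
        // Constructed sample refs (not taken from a real repository).
        List<Ref> refs = Arrays.asList(
            new Ref("alice", "ldap"),   // managed by this IDP
            new Ref("admin", null),     // local account, no IDP name
            new Ref("bob", ""),         // empty provider name
            new Ref("carol", "saml"));  // managed by another IDP
        for (Ref r : refs) {
            System.out.printf("%-6s provider=%-6s lenient=%-5b strict=%b%n",
                r.id, r.providerName, ldap.isMyRefLenient(r), ldap.isMyRefStrict(r));
        }
    }
}
```

With these inputs the lenient check claims `admin` and `bob` as LDAP-managed in addition to `alice`, while the strict variant claims only `alice`; that difference is exactly the set of accounts the report is concerned about.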