Make email's uniqueness enforcement by oxTrust optional #1371

Closed
aliaksander-samuseu opened this Issue Nov 28, 2018 · 2 comments

Comments

3 participants
aliaksander-samuseu commented Nov 28, 2018

We have a [legacy] limitation enforced by oxTrust that does not allow the "mail" attribute to be duplicated. Afaicr, this was added to handle a similar limitation present in the OpenLDAP package (at least by default). This wasn't the case in the 2.x days, when "mail" was allowed to not be unique.

For the 3.1.4 package, uniqueness of this attribute is enforced on 2 levels, it seems: by oxTrust itself, and by the "Unique mail address" plugin of OpenDJ, which is enabled by default. The latter can be easily disabled, while the former cannot be circumvented at the moment.

This may not appeal to some users who may need some of their user entries to contain duplicate email addresses. Providing a setting controlling this behaviour, changeable through "JSON configuration", could be one quick solution.

aliaksander-samuseu commented Nov 28, 2018

@yurem @syntrydy

As I'm not sure why we keep enforcing this (as it seems the "Unique mail address" plugin wasn't there in 3.1.2 yet, I must conclude it was added later on purpose, even though we'd have gotten rid of OpenLDAP at that point already), I'm not proposing completely removing this limitation. But this may also be worth considering.

aliaksander-samuseu commented Nov 29, 2018

@yurem @syntrydy
From the recent discussion it's now clear we may need to maintain this uniqueness to prevent issues with the password reset feature (i.e. if several user entries with the same email exist, which one needs its password to be reset?). It still may create issues for users who don't rely on local user management, but need some user entries to have duplicate emails on them.

We could make it so that disabling the password reset feature also stops controlling email uniqueness, but this raises the question of how to handle the situation when it's enabled again later, and there are already existing duplicate emails in the LDAP DB. A few ideas:

  1. During password reset, if such a situation is encountered, the reset flow should fail, and the user is notified that they must resolve it manually by updating the email, or removing conflicting entries.
  2. We could maintain a separate control for the mail uniqueness feature, on which the password reset feature would be dependent. If uniqueness isn't enforced, you can't enable password reset. But if password reset isn't enabled, you can still keep email uniqueness enforced, to prevent users from creating entries which will create conflicts after it's enabled once more (this still won't prevent oxAuth's scripts from creating such entries; that's where OpenDJ's plugin comes into play).
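The two ideas above, worked through as an added example. This is not oxTrust or OpenDJ code: it is a small in-memory stand-in for the user directory with two hypothetical configuration switches (`enforce_mail_uniqueness`, `password_reset_enabled`; the names are assumptions, as is the DN layout in the sample entries). It shows the application-level uniqueness check, the dependency of password reset on that check (idea 2), the refusal to re-enable reset while duplicate mails already exist in the store, and a reset flow that fails loudly on an ambiguous email instead of guessing (idea 1).

```python
"""Added example: mail-uniqueness enforcement as a configurable policy,
plus a password-reset lookup that refuses ambiguous targets.
Not Gluu/oxTrust code; config names and DNs are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


class DuplicateMailError(ValueError):
    """A write (or a config change) would violate mail uniqueness."""


class AmbiguousResetTargetError(LookupError):
    """A reset request matches more than one entry (idea 1: fail, don't guess)."""


@dataclass
class Directory:
    # dn -> attribute dict; constructed stand-in for the LDAP backend
    entries: dict = field(default_factory=dict)
    # hypothetical "JSON configuration" switches (names are assumptions)
    enforce_mail_uniqueness: bool = True
    password_reset_enabled: bool = True

    def __post_init__(self):
        # idea 2: password reset depends on uniqueness being enforced
        if self.password_reset_enabled and not self.enforce_mail_uniqueness:
            raise ValueError("password reset requires mail uniqueness enforcement")

    def find_by_mail(self, mail):
        """All DNs whose mail matches; LDAP 'mail' is case-insensitive, so casefold."""
        wanted = mail.casefold()
        return [dn for dn, attrs in self.entries.items()
                if attrs.get("mail", "").casefold() == wanted]

    def duplicate_mails(self):
        """Map each mail value shared by more than one entry to the DNs using it."""
        by_mail = defaultdict(list)
        for dn, attrs in self.entries.items():
            if "mail" in attrs:
                by_mail[attrs["mail"].casefold()].append(dn)
        return {m: dns for m, dns in by_mail.items() if len(dns) > 1}

    def add_entry(self, dn, attrs):
        """Application-level check (the oxTrust side of the enforcement).

        It only guards writes that go through this object. Anything writing to
        the backend directly (the thread mentions oxAuth scripts) bypasses it,
        which is why a directory-side plugin is still wanted as a second layer.
        """
        mail = attrs.get("mail")
        if self.enforce_mail_uniqueness and mail:
            clash = self.find_by_mail(mail)
            if clash:
                raise DuplicateMailError(f"mail {mail!r} already used by {clash}")
        self.entries[dn] = dict(attrs)

    def enable_password_reset(self):
        """Turning reset back on after uniqueness was relaxed: refuse while
        duplicates exist, so the operator has to clean them up first."""
        dups = self.duplicate_mails()
        if dups:
            raise DuplicateMailError(f"resolve duplicate mails first: {dups}")
        self.enforce_mail_uniqueness = True
        self.password_reset_enabled = True

    def reset_password(self, mail):
        """Resolve a reset request to exactly one DN, or fail (idea 1).

        Returns the DN to reset, None if nothing matches, and raises if the
        email is ambiguous; the caller is expected to surface that as an
        error telling the user to fix the conflicting entries manually.
        """
        if not self.password_reset_enabled:
            raise RuntimeError("password reset is disabled")
        matches = self.find_by_mail(mail)
        if len(matches) > 1:
            raise AmbiguousResetTargetError(
                f"{mail!r} matches {len(matches)} entries: {matches}")
        return matches[0] if matches else None


if __name__ == "__main__":
    # Constructed sample data; DN shape is an assumption.
    d = Directory(enforce_mail_uniqueness=False, password_reset_enabled=False)
    d.add_entry("inum=1,ou=people,o=gluu", {"mail": "shared@example.com"})
    d.add_entry("inum=2,ou=people,o=gluu", {"mail": "Shared@Example.com"})
    print("duplicates:", d.duplicate_mails())
    try:
        d.enable_password_reset()
    except DuplicateMailError as e:
        print("cannot enable reset:", e)
```

The casefold on `mail` matters: the LDAP `mail` attribute uses a case-insensitive matching rule, so an exact-string comparison would let `Alice@Example.com` slip past a check that `alice@example.com` already exists, and the reset flow would then see two matches for what the directory treats as one value.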

syntrydy added a commit that referenced this issue Nov 30, 2018

Merge pull request #1375 from /issues/1371
Make email's uniqueness enforcement by oxTrust optional #1371

@syntrydy syntrydy closed this Nov 30, 2018
