When copying template user, ensure Template user is disabled and new user is enabled #1097
Comments
|
Yea, this is a good thing. We'll fix this in the 1.2 branch though. |
cigamit
added a commit
that referenced
this issue
Nov 23, 2017
Template user issues including: - All template users should be disabled by default - When a user is copied, enable that user by default
|
Resolved. Thanks. |
netniV
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
This is similar to issue #433 but slightly expanded.
If you create a user, set a password, login and make it work as you desire with permissions, graphs etc. You then set this user as a template, for example against an LDAP domain. Unless you leave the templated user able to login, the cloned user is unable to login as he gets accessed denied.
Standard security practice should be to set the template so it can't login once it is being used as a template. This should be done by either, checking if the user is a set as a template or setting it as disabled and automatically enabled a newly created user.
The pros for automatically enabling the user means anyone who is in a group with access via LDAP can creating their own account. However, on the flip side, it means exactly the same so if there is a user you may not have wanted to have instant access without knowing about it, they will unfortunately.
The pros for making any templated user disabled from logging in means that the enabled flag propagates to a newly created user. The cons are that it means you have to create a new test user or delete the existing one from the cacti list, every time you want to test template changes.
For example if I have a different group template named Template for each customer to specifically allow only access to that customers graph tree, then all those users have access via the Local domain.
The text was updated successfully, but these errors were encountered: