You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is similar to issue #433 but slightly expanded.
If you create a user, set a password, login and make it work as you desire with permissions, graphs etc. You then set this user as a template, for example against an LDAP domain. Unless you leave the templated user able to login, the cloned user is unable to login as he gets accessed denied.
Standard security practice should be to set the template so it can't login once it is being used as a template. This should be done by either, checking if the user is a set as a template or setting it as disabled and automatically enabled a newly created user.
The pros for automatically enabling the user means anyone who is in a group with access via LDAP can creating their own account. However, on the flip side, it means exactly the same so if there is a user you may not have wanted to have instant access without knowing about it, they will unfortunately.
The pros for making any templated user disabled from logging in means that the enabled flag propagates to a newly created user. The cons are that it means you have to create a new test user or delete the existing one from the cacti list, every time you want to test template changes.
For example if I have a different group template named Template for each customer to specifically allow only access to that customers graph tree, then all those users have access via the Local domain.
The text was updated successfully, but these errors were encountered: