This repository has been archived by the owner on Nov 25, 2020. It is now read-only.
When using a master/slave (ldap/serial) setup ajaxplorer allows users to login even after they have been deleted from LDAP.
The user gets a local (= serial) account when he logs in once.
checkPassword() in plugins/auth.multi/class.multiAuthDriver.php checks both drivers, so when logging in, even though the master authentication fails, he can still use the slave (= serial) authentication.
My suggestion would be to limit slave authentication in a master/slave setup to special accounts like the default "admin" user and users with the profile "shared" and "guest".
I have a patch for this if you think this is a sane solution.
I am using ajaxplorer 4.3.1.
I've created a pull request with a solution that tracks if the user has been created by authenticating to the master auth plugin.
This should be a cleaner solution, as it avoids hardcoding the profile or account names that are allowed.
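To illustrate the fail-open check described in the issue and the origin-tracking fix mentioned in the follow-up comment, here is an added example; it is not ajaxplorer's own code, and the AuthDriver interface, MultiAuth class and in-memory $origin map are hypothetical stand-ins for the real drivers and a persistent store:

```php
<?php
// Added example, not ajaxplorer's code. Shows the fail-open multi-auth check
// from the issue next to a variant that remembers which driver created a user.

interface AuthDriver {
    public function checkPassword(string $login, string $pass): bool;
}

final class MultiAuth {
    /** @var array<string,string> login => driver that first authenticated it (stand-in for a persistent store) */
    private array $origin = [];

    public function __construct(
        private AuthDriver $master, // e.g. LDAP
        private AuthDriver $slave   // e.g. serial (local file)
    ) {}

    // Behaviour reported in the issue: whichever driver accepts the password wins,
    // so a user already deleted from LDAP keeps logging in via the local copy.
    public function checkPasswordFailOpen(string $login, string $pass): bool {
        return $this->master->checkPassword($login, $pass)
            || $this->slave->checkPassword($login, $pass);
    }

    // Fix: a user that was provisioned through the master may only authenticate
    // through the master. The slave is consulted only for accounts the master
    // never created (local admin, "shared" or "guest" profile users), without
    // hardcoding any account or profile names.
    public function checkPassword(string $login, string $pass): bool {
        if ($this->master->checkPassword($login, $pass)) {
            $this->origin[$login] = 'master'; // record how the local account came to exist
            return true;
        }
        if (($this->origin[$login] ?? null) === 'master') {
            return false; // removed or rejected by LDAP: do not fall back to the local copy
        }
        return $this->slave->checkPassword($login, $pass);
    }
}
```

In a real deployment the $origin map must live alongside the local user record so the decision survives restarts; the in-memory array is only to keep the example self-contained.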