Hi,
On a same databse, we have 2 AD_Client_ID.
We authenticate ourselves using LDAP.
I've found that if 2 distinct users of 2 distinct AD_Client got the same LDAP user, it is always the same AD_User_ID which is put in the context.
Thus you can login into a society using a AD_User of another one !!!
It seems that Login set first the user and only after the society !
(tested in Swing and webUI, not in mobile, but i think it should apply also)
What would be the best to do ?
- Stop using LDAP for one of the two ?
- Modifying login in order to verify that the AD_User_ID you are using is related to the AD_Client_ID ?
- In that particular case, add a listBox to select the correct AD_User_ID on the Default tab ?
- ???
WDYT ?
Regards,
Yan
LDAP
Forum rules
This forum is personally pruned to avoid redundant posts. Related topics are grouped together. IF YOU HAVE REGISTERED, you need to send email to red1(a)red1.org with your username in the subject title to get me to activate you.
This forum is personally pruned to avoid redundant posts. Related topics are grouped together. IF YOU HAVE REGISTERED, you need to send email to red1(a)red1.org with your username in the subject title to get me to activate you.
15 posts
• Page 1 of 1
Re: LDAP
by yansolo » Mon Oct 10, 2011 11:05 pm
Yes, that would be efficient.
but doesn't it sound like a bug ?
If login find that 2 users of 2 AD_Client are compatible with a single LDAP authentication, it should ask for selecting the AD_Client before selecting the AD_User_ID.
WDYT ?
Thanks,
Yan
but doesn't it sound like a bug ?
If login find that 2 users of 2 AD_Client are compatible with a single LDAP authentication, it should ask for selecting the AD_Client before selecting the AD_User_ID.
WDYT ?
Thanks,
Yan
- yansolo
- Posts: 48
- Joined: Tue Mar 22, 2011 9:28 pm
Re: LDAP
by globalqss » Tue Oct 11, 2011 1:24 am
As the LDAP is configured per system (not per client) I think the original idea is that you must ensure that 2 users cannot have the same ID. So, I see what you're proposing as an enhancement.
I don't remember the exact location - but I remember I saw a proposal to move the LDAP server from system to client - that could be something interesting to make Adempiere more multi-tenant.
Regards,
Carlos Ruiz
I don't remember the exact location - but I remember I saw a proposal to move the LDAP server from system to client - that could be something interesting to make Adempiere more multi-tenant.
Regards,
Carlos Ruiz
- globalqss
- Senior
- Posts: 590
- Joined: Thu Dec 29, 2005 4:15 am
- Location: Bogotá, Colombia
Re: LDAP
by yansolo » Wed Oct 12, 2011 2:43 pm
ok, It's interesting, but i'm in the opposite case : a single LDAP for 2 tenants
Maybe i could had a new listbox in the login tab where the user could select the tenant he wants to log in when some ad_user_id share the same ldap name
Regards,
Yan
Maybe i could had a new listbox in the login tab where the user could select the tenant he wants to log in when some ad_user_id share the same ldap name
Regards,
Yan
- yansolo
- Posts: 48
- Joined: Tue Mar 22, 2011 9:28 pm
Re: LDAP
by globalqss » Wed Oct 12, 2011 8:55 pm
I see the benefit of your idea - although I think in a SaaS environment is not desirable to show a list of tenants on login window (you'll be disclosing all your customers).
A possible intermediate solution could be to ask for a "client key".
That could be done in a configurable way:
- show client list on login
- ask client key on login
- don't ask client (same as today)
Regards,
Carlos Ruiz
A possible intermediate solution could be to ask for a "client key".
That could be done in a configurable way:
- show client list on login
- ask client key on login
- don't ask client (same as today)
Regards,
Carlos Ruiz
- globalqss
- Senior
- Posts: 590
- Joined: Thu Dec 29, 2005 4:15 am
- Location: Bogotá, Colombia
Re: LDAP
by nmicoud » Wed Oct 26, 2011 10:18 pm
hi,
I've developped a fix to this issue.
I check if the AD_Client_ID of the user which has been set into the context is the same as the AD_Client_ID that is selected in the combobox.
If yes, nothing change.
Otherwise, i search for the correct AD_User_ID, according to some conditions (LDAP, Role_ID >0, ...) and then put this "new" user into the context.
Would you be interested in ?
Should i create a jira ticket ?
Regards,
Nicolas
I've developped a fix to this issue.
I check if the AD_Client_ID of the user which has been set into the context is the same as the AD_Client_ID that is selected in the combobox.
If yes, nothing change.
Otherwise, i search for the correct AD_User_ID, according to some conditions (LDAP, Role_ID >0, ...) and then put this "new" user into the context.
Would you be interested in ?
Should i create a jira ticket ?
Regards,
Nicolas
- nmicoud
- Regular
- Posts: 124
- Joined: Fri Oct 07, 2011 6:19 pm
Re: LDAP
by nmicoud » Fri Nov 11, 2011 5:39 am
I would like to know if the fix will be incorporated in the release ?
Just to know if i should wait for it (not hurry) or if i'd better use it as a customization of our version.
Thanks and regards,
Nicolas
Just to know if i should wait for it (not hurry) or if i'd better use it as a customization of our version.
Thanks and regards,
Nicolas
- nmicoud
- Regular
- Posts: 124
- Joined: Fri Oct 07, 2011 6:19 pm
15 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests