I may have found an error on LDAP implementation :
According to the tests I made :
When you log into MIQ for the first time :
It looks into the local database for a user/password
If not found, it looks into LDAP, and if found stores all information
(including encrypted password) in the local database.
Next time you log into MIQ :
It looks into the local database : login/password are found, so you can
But now, let’s imagine that you change your password
(yes, it sometimes happens…)
Look into the local database : login / password non existent
Look into the LDAP : user found with right password
[----] I, [2016-04-06T08:43:01.509959 #2962:fcb994] INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [ng38dcd] - User xx\xxxxxxx successfully validated by LDAP)
As no user was found in the local database, it considers that it is a
new user, so it tries to create a new user in the local database :
[----] I, [2016-04-06T08:43:01.533925 #2962:fcb994] INFO -- : MIQ(User#current_group=) User: [firstname.lastname@example.org] Assigning Role: [EvmRole-user] from Group: [EvmGroup-user]
But… there is already one with tis mail address, so => error !
[----] E, [2016-04-06T08:43:01.654937 #2962:fcb994] ERROR -- : [ActiveRecord::RecordInvalid]: Validation failed: Userid has already been taken Method:[rescue in authenticate]
So the user cannot log anymore after changing his password ?