Error on LDAP after password change

Hello all,

I may have found an error on LDAP implementation :

According to the tests I made :

When you log into MIQ for the first time :

  •   It looks into the local database for a user/password
  •   If not found, it looks into LDAP, and if found stores all information (including encrypted password) in the local database.

Next time you log into MIQ :

  •   It looks into the local database : login/password are found, so you can


But now, let’s imagine that you change your password
(yes, it sometimes happens…)

  •   Look into the local database : login / password non-existent
  •   Look into the LDAP : user found with right password

[----] I, [2016-04-06T08:43:01.509959 #2962:fcb994] INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [ng38dcd] - User xx\xxxxxxx successfully validated by LDAP)

  •   As no user was found in the local database, it considers that it is a new user, so it tries to create a new user in the local database :

[----] I, [2016-04-06T08:43:01.533925 #2962:fcb994] INFO -- : MIQ(User#current_group=) User: [xxxxxxx@xx.xxxxxx.corp] Assigning Role: [EvmRole-user] from Group: [EvmGroup-user]

  •   But… there is already one with this mail address, so => error!

[----] E, [2016-04-06T08:43:01.654937 #2962:fcb994] ERROR -- : [ActiveRecord::RecordInvalid]: Validation failed: Userid has already been taken Method:[rescue in authenticate]

So the user cannot log in anymore after changing his password?
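A constructed in-memory model of the two flows discussed in this thread, added here for illustration and not ManageIQ's own code: `authenticate_as_reported` decides "is this a new user?" on userid *and* password and so hits the uniqueness rule after a directory password change, while `authenticate_external` always binds to the directory, stores no password locally and keys the find-or-create on userid only (the behaviour a later reply describes). The `LocalUsers` class, the `directory` hash standing in for an LDAP bind and the userid `ng38dcd` from the log lines are all assumptions of this example.

```ruby
require "digest"

# Constructed stand-in for the local user table, with the uniqueness rule
# that produced "Userid has already been taken" in the report's log.
class LocalUsers
  UniqueViolation = Class.new(StandardError)

  def initialize
    @rows = {}
  end

  # Lookup keyed on userid, optionally also on the stored password digest.
  def find(userid, digest = nil)
    row = @rows[userid]
    row if row && (digest.nil? || row[:digest] == digest)
  end

  def create!(userid, digest)
    raise UniqueViolation, "Userid has already been taken" if @rows.key?(userid)
    @rows[userid] = { userid: userid, digest: digest }
  end
end

def pw_digest(password)
  Digest::SHA256.hexdigest(password) # stand-in only, not a real password hash
end

# Flow as the report describes it: local existence is tested on userid AND
# password, but the row is then created on userid alone.
def authenticate_as_reported(users, directory, userid, password)
  return :ok if users.find(userid, pw_digest(password))
  return :denied unless directory[userid] == password   # simulated LDAP bind
  users.create!(userid, pw_digest(password))            # raises after a password change
  :ok
rescue LocalUsers::UniqueViolation => e
  [:error, e.message]
end

# External-auth flow: always bind, never store the password, key on userid.
def authenticate_external(users, directory, userid, password)
  return :denied unless directory[userid] == password
  users.find(userid) || users.create!(userid, nil)
  :ok
end

# First login, repeat login, then a login after the directory password changed.
def scenario(auth)
  users, directory = LocalUsers.new, { "ng38dcd" => "old-secret" }
  results = [auth.call(users, directory, "ng38dcd", "old-secret"),
             auth.call(users, directory, "ng38dcd", "old-secret")]
  directory["ng38dcd"] = "new-secret"
  results << auth.call(users, directory, "ng38dcd", "new-secret")
end
```

Calling `scenario(method(:authenticate_as_reported))` reproduces the third-login failure from the report, while `scenario(method(:authenticate_external))` succeeds on all three logins.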

@dmetzger can you review this question by @Merrick28 and forward to a SME if necessary.

@abellotti is this something you can address?

For authentication type LDAP*, other than admin, user is bound to external directory (username/password check). i.e. we don’t bind locally then try again externally. When creating the user object for that user with authentication type LDAP (or External Auth), we don’t store the password internally (and shouldn’t).

What is your authentication mode, User Type and other LDAP Settings specified? Role Settings, i.e. Get User Groups from LDAP, etc., are also of interest.

This may be related to a different issue though. @Joe_Vlcek has been looking at this code lately and may have a fresher insight to this w.r.t. userid’s used for user objects.