[Bug][Cache Refresh] CR cannot remove both user entries mirrored from a backend and created at IdP itself (when "Keep external persons" feature is disabled) if they have been used to log in recently, because of them having subordinate entries. #158
This issue is supposed to be fixed by now. Adding this report just for history and for future reference.
Happens when you have local user accounts at the IdP and have logged in to them just before unsetting this checkbox. The subordinate entry is called "ou=clientAuthorizations". Please see the attached error trace. Otherwise (when this sub-entry is removed manually, or wasn't there at all) the feature works correctly. I didn't try to wait and observe for a longer time, so maybe this sub-entry is removed automatically after some time-out.
Added later:
It appears that CR has the same problem when trying to remove user entries which were mirrored from some user entry in a backend LDAP directory (after the latter was removed from the backend), if those entries have been used at least once to log in at the IdP before. So now it completely blocks CR's ability to remove stale user entries from internal storage, at least for some time. Check this log fragment for the full error message.
Added later:
I've just verified that although CR-mirrored internal user entries aren't removed due to this bug when their source entries are removed from a backend, their mapping data (both in the cache on disk and in the "site" context of the internal LDAP directory) is removed. There won't even be any warnings in the logs anymore, aside from the initial one which is provided in the attachments here. This can create an issue with conformance to different privacy standards if this initial error message goes unnoticed, as was mentioned by this user: https://support.gluu.org/view/identity-management/does-cache-refresh-delete-users-in-internal-opendj-when-deleted-on-external-ldap/2250
I think it raises an issue of its own - shouldn't removal of all this data (the actual user entry and the mapping data) be conducted as a single atomic transaction?
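The failure mode and the ordering question raised in this report, as an added example that is not part of the original issue and is not Gluu's code: a small in-memory model of a directory that refuses to delete a non-leaf entry, with a cleanup routine that deletes the subtree deepest-first and drops the mapping only after the user entry is gone. This is an ordering of operations, not a real transaction; the `Directory` class, the function names, the sample DNs and the mapping key are all assumptions made for the illustration.

```python
# Constructed in-memory stand-in for an LDAP directory. All DNs and the
# mapping key below are sample data, not values from a real deployment.
# DN handling is simplified: it assumes no escaped commas in RDN values.
class NotAllowedOnNonLeaf(Exception):
    """Models the LDAP 'not allowed on non-leaf' delete failure."""

class Directory:
    def __init__(self, dns):
        self.entries = set(dns)

    def descendants(self, dn):
        return [d for d in self.entries if d.endswith("," + dn)]

    def delete(self, dn):
        # A plain delete fails while subordinate entries still exist.
        if self.descendants(dn):
            raise NotAllowedOnNonLeaf(dn)
        self.entries.remove(dn)

def delete_subtree(directory, dn):
    """Delete dn and everything below it, deepest entries first."""
    subtree = directory.descendants(dn) + [dn]
    for entry in sorted(subtree, key=lambda d: d.count(","), reverse=True):
        directory.delete(entry)

def remove_stale_user(directory, mappings, source_key, recursive=True):
    """Remove a stale mirrored user; drop its mapping only on success.

    Returns True when the user entry is gone. On failure the mapping is
    kept, so the next run still sees the stale entry and retries it
    instead of silently losing track of it.
    """
    user_dn = mappings[source_key]
    try:
        if recursive:
            delete_subtree(directory, user_dn)
        else:
            directory.delete(user_dn)
    except NotAllowedOnNonLeaf:
        return False
    del mappings[source_key]
    return True

def sample():
    """Build the constructed scenario: a user who has logged in before."""
    user = "inum=1001,ou=people,o=gluu"
    directory = Directory(["o=gluu", "ou=people,o=gluu", user,
                           "ou=clientAuthorizations," + user])
    return directory, {"uid=jdoe,dc=backend": user}, user
```

With `recursive=False` the call returns `False` and both the user entry and its mapping survive, so the stale account stays visible to later runs; with the default it removes the sub-entry, the user entry, and then the mapping.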