Hello @mbatz,
I would like to point out that when the ldap module is enabled, a new user, logging in for the first time with his ldap account (according to the standard), creates an account.
Everything is great as long as I log in according to the login policy.
However, if the user makes a mistake (in the login) or does it on purpose and enters it incorrectly, such an account is also created when ldap is enabled.
Shouldn’t the module first check if such an account exists, and then decide whether to set up an account or not?
It seems to me that a properly functioning mechanism should verify whether the account in the ldap exists. If not, it should not allow for setting up a datagerry account for such a login.
Currently, when a person enters a login that has nothing to do with the ldap policy and enters a password for such login, an account is created and the person is admitted to the program:
Log from file webapp.log:
[2020-10-15 07:32:53][ERROR ] — [AUTH] jeden not in database: User not found (init.py)
[2020-10-15 07:32:53][INFO ] — [AUTH] Check for other providers - request_user: jeden (init.py)
[2020-10-15 07:32:53][INFO ] — [LocalAuthenticationProvider] Try login for user jeden (internal_providers.py)
[2020-10-15 07:32:53][ERROR ] — [AUTH] User jeden could not validate with provider <class ‘cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider’>: (‘LocalAuthenticationProvider’, ‘Error while GET operation - E: $User not found’) (init.py)
[2020-10-15 07:32:53][INFO ] — [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7fee8addb400> (init.py)
[2020-10-15 07:32:57][WARNING ] — [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)
[2020-10-15 07:32:57][INFO ] — [LdapAuthenticationProvider] Try creating user: jeden (external_providers.py)
and can log on to this data in the program all the time, and if the default permissions for this group are quite high, such a person can maliciously do damage or steal data.
Please check this and fix it.
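The check requested in the post above, sketched as an added example that is not part of the original post and is not DataGerry's code: a local account is created only after the directory returns exactly one entry for the login and a bind as that entry succeeds. `FakeDirectory`, `LoginService`, the `anna` entry and the `lowest-privilege` group are hypothetical, constructed stand-ins so the flow runs offline.

```python
# Added example, NOT DataGerry code. All class and entry names are hypothetical.
from dataclasses import dataclass, field

class AuthError(Exception):
    """Raised when a login must be rejected without side effects."""

@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server: uid -> (dn, password)."""
    entries: dict

    def search(self, uid):
        # Return every DN matching the uid, like a filtered subtree search.
        return [dn for u, (dn, _) in self.entries.items() if u == uid]

    def bind(self, dn, password):
        return any(d == dn and p == password for d, p in self.entries.values())

@dataclass
class LoginService:
    directory: FakeDirectory
    local_users: dict = field(default_factory=dict)

    def login(self, uid, password):
        # An empty password turns an LDAP simple bind into an "unauthenticated
        # bind" (RFC 4513), which some servers accept; never forward it.
        if not uid or not password:
            raise AuthError("empty credentials")
        matches = self.directory.search(uid)
        if len(matches) != 1:  # unknown or ambiguous login
            raise AuthError("no unique directory entry")
        dn = matches[0]
        if not self.directory.bind(dn, password):
            raise AuthError("bind rejected")
        # Only now, with the directory's confirmation, create the local account,
        # and place it in the least-privileged group (assumed group name).
        if uid not in self.local_users:
            self.local_users[uid] = {"dn": dn, "group": "lowest-privilege"}
        return self.local_users[uid]

def demo():
    svc = LoginService(FakeDirectory(
        {"anna": ("uid=anna,ou=people,dc=example,dc=org", "s3cret")}))
    results = {}
    for uid, pw in [("jeden", "whatever"), ("anna", "wrong"),
                    ("anna", ""), ("anna", "s3cret")]:
        try:
            results[(uid, pw)] = svc.login(uid, pw)["group"]
        except AuthError as exc:
            results[(uid, pw)] = str(exc)
    return results, sorted(svc.local_users)
```

Every rejected path raises before `local_users` is touched, so a mistyped or made-up login such as `jeden` leaves no account behind.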