Fix accidental overwriting of LDAP team memberships (#24050) #24065
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In the `for` loop, the value of `membershipsToAdd[org]` and
`membershipsToRemove[org]` is a slice that should be appended instead of
overwritten.
Due to the current overwrite, the LDAP group sync only matches the last
group at the moment.
## Example reproduction
- an LDAP user is both a member of
`cn=admin_staff,ou=people,dc=planetexpress,dc=com` and
`cn=ship_crew,ou=people,dc=planetexpress,dc=com`.
- configuration of `Map LDAP groups to Organization teams ` in
`Authentication Sources`:
```json
{
"cn=admin_staff,ou=people,dc=planetexpress,dc=com":{
"test_organization":[
"admin_staff",
"test_add"
]
},
"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{
"test_organization":[
"ship_crew"
]
}
```
- start `Synchronize external user data` task in the `Dashboard`.
- the user was only added for the team `test_organization.ship_crew`
delvh
approved these changes
Apr 11, 2023
GiteaBot
added
the
lgtm/need 1
lafriks
approved these changes
Apr 12, 2023
GiteaBot
added
lgtm/done
lunny
added
the
reviewed/wait-merge
GiteaBot
removed
the
reviewed/wait-merge
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport #24050 by @sillyguodong
In the
forloop, the value ofmembershipsToAdd[org]andmembershipsToRemove[org]is a slice that should be appended instead of overwritten.Due to the current overwrite, the LDAP group sync only matches the last group at the moment.
Example reproduction
cn=admin_staff,ou=people,dc=planetexpress,dc=comandcn=ship_crew,ou=people,dc=planetexpress,dc=com.Map LDAP groups to Organization teamsinAuthentication Sources:{ "cn=admin_staff,ou=people,dc=planetexpress,dc=com":{ "test_organization":[ "admin_staff", "test_add" ] }, "cn=ship_crew,ou=people,dc=planetexpress,dc=com":{ "test_organization":[ "ship_crew" ] }Synchronize external user datatask in theDashboard.test_organization.ship_crew