#35 Duplicate DNs can end up in the gpt_user table

Status: open
Owner: nobody
Labels: Security (2)
Priority: 5
Updated: 2012-12-31
Created: 2012-12-31
Creator: Rafael Bedia
Private: No

Sometimes, when logging in for the first time using LDAP, the following error occurs in the log:

SEVERE [com.esri.gpt.framework.util.LogUtil] (http--0.0.0.0-8080-6) An error occured while evaluating single sign-on credentials for: admin: com.esri.gpt.framework.security.identity.IdentityException: Integrity violation within local user table: multiple references to same DN

This prevents the user from using the system.

I think the problem is in LocalDao.ensureReferenceToRemoteUser(User user). It first checks the database to see if the DN already has a corresponding user. If the user does not exist then it is created. The problem is that in the time between seeing if the user exists and deciding to create the user another thread could have run the same check and already inserted the user. This leads to two users with the same DN.

I would suggest fixing this by adding a unique constraint to the gpt_user.dn field since having multiple users with the same DN is not allowed. I have provided a patch for doing this for PostgreSQL since that is what I am able to test with.

The other half of the fix is to catch the unique constraint violation during user insert and gracefully continue execution, since the user already exists and the desired behavior of LocalDao.ensureReferenceToRemoteUser(User user) is to have the user exist. I have patched LocalDao.java accordingly.
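
A self-contained model of the race and of the two-part fix, written for this page and not taken from Geoportal Server's LocalDao.java or from the attached patch. It uses Python and an in-memory SQLite table standing in for PostgreSQL; the only column name taken from the ticket is gpt_user.dn, the userid and username columns and the sample DN are assumed. The two callers are written as generators whose single yield marks the gap between "does the DN exist?" and "insert it", so the driver can force the worst-case interleaving deterministically instead of hoping two threads collide:

```python
import sqlite3

# Constructed sample DN; the ticket only mentions the "admin" login.
ADMIN_DN = "uid=admin,ou=people,dc=example,dc=org"


class IdentityError(Exception):
    """Stand-in for the IdentityException reported in the ticket's log line."""


def make_db(unique_dn):
    """Only gpt_user.dn comes from the ticket; userid and username are assumed."""
    conn = sqlite3.connect(":memory:")
    constraint = " UNIQUE" if unique_dn else ""
    conn.execute(
        "CREATE TABLE gpt_user ("
        "  userid INTEGER PRIMARY KEY AUTOINCREMENT,"
        f"  dn TEXT NOT NULL{constraint},"
        "  username TEXT NOT NULL)"
    )
    return conn


def find_user_by_dn(conn, dn):
    """Return the userid for dn, None if absent, or raise if the table already holds duplicates."""
    rows = conn.execute("SELECT userid FROM gpt_user WHERE dn = ?", (dn,)).fetchall()
    if len(rows) > 1:
        raise IdentityError(
            "Integrity violation within local user table: multiple references to same DN")
    return rows[0][0] if rows else None


def insert_user(conn, dn, username):
    """Insert a local row for a remote (LDAP) user and return its new userid."""
    cur = conn.execute("INSERT INTO gpt_user (dn, username) VALUES (?, ?)", (dn, username))
    conn.commit()
    return cur.lastrowid


def ensure_reference_naive(conn, dn, username):
    """Check-then-insert with no protection; the yield is the race window."""
    existing = find_user_by_dn(conn, dn)
    if existing is not None:
        return existing
    yield  # another thread may run its own check and insert here
    return insert_user(conn, dn, username)


def ensure_reference_fixed(conn, dn, username):
    """Same flow, but relies on UNIQUE(dn) and treats losing the race as success."""
    existing = find_user_by_dn(conn, dn)
    if existing is not None:
        return existing
    yield
    try:
        return insert_user(conn, dn, username)
    except sqlite3.IntegrityError:
        # Another caller inserted the row first; the row exists, which is all we wanted.
        return find_user_by_dn(conn, dn)


def run_interleaved(*callers):
    """Drive generator callers so every one passes its existence check before any inserts."""
    results = [None] * len(callers)
    paused = []
    for i, gen in enumerate(callers):
        try:
            next(gen)
            paused.append(i)
        except StopIteration as done:  # found an existing row, no insert needed
            results[i] = done.value
    for i in paused:
        try:
            next(callers[i])
        except StopIteration as done:
            results[i] = done.value
    return results


def first_login_race(unique_dn, ensure_fn):
    """Two simultaneous first logins for one DN; returns (rows for that DN, userid each caller got, conn)."""
    conn = make_db(unique_dn)
    ids = run_interleaved(ensure_fn(conn, ADMIN_DN, "admin"),
                          ensure_fn(conn, ADMIN_DN, "admin"))
    count = conn.execute("SELECT COUNT(*) FROM gpt_user WHERE dn = ?", (ADMIN_DN,)).fetchone()[0]
    return count, ids, conn


if __name__ == "__main__":
    count, ids, conn = first_login_race(False, ensure_reference_naive)
    print("without constraint:", count, "rows for the DN, callers got", ids)
    count, ids, conn = first_login_race(True, ensure_reference_fixed)
    print("constraint + catch:", count, "row for the DN, callers got", ids)
```

Running the naive version without the constraint leaves two rows for the DN, and every later lookup fails with the "multiple references to same DN" error from the ticket. Adding only the constraint turns the loser's insert into an uncaught unique-violation error, which still fails that login, so both halves of the fix are needed; the catch without the constraint changes nothing. When porting this to the JDBC code, check `SQLException.getSQLState()` against PostgreSQL's unique_violation code `23505` rather than swallowing every SQLException, so that unrelated database failures still surface. One further caveat a practitioner would want: LDAP DN matching is case-insensitive for attribute types and for most attribute values, so a plain UNIQUE index on the raw dn string only guarantees uniqueness for DNs stored in exactly one normalized spelling; make sure the code normalizes the DN before both the lookup and the insert.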

Discussion

  • Rafael Bedia
    2012-12-31

    Patch to fix the multiple DN violation bug

    Attachments