kiranchavala opened a new issue, #11472:
URL: https://github.com/apache/cloudstack/issues/11472

   ### problem
   
   CloudStack doesn't validate the account type and Role during ldapCreateAccount
   
   ### versions
   
   ACS 4.20.1
   
   
   ### The steps to reproduce the bug
   
   Steps to reproduce the issue 
   
   1. Add an LDAP configuration
   
   
   2. Create domain
   
   
   3. Link the domain to LDAP, set the account type to 2, which is domainAdmin
   
   
   or execute the API
   
   https://cloudstack.apache.org/api/apidocs-4.20/apis/linkDomainToLdap.html
   
   
   
   ```
   (localcloud) 🐱 > link domaintoldap domainid=394cbde8-efe2-4ef2-bac0-fa5958fa4134 type=GROUP accounttype=2 ldapdomain=cn=dev-team,ou=Telco-Bng,dc=example,dc=in  admin=admin
   {
     "LinkDomainToLdap": {
       "accounttype": 2,
       "domainid": "394cbde8-efe2-4ef2-bac0-fa5958fa4134",
       "ldapdomain": "cn=qa-team,dc=example,dc=in",
       "name": "cn=qa-team,dc=example,dc=in",
       "type": "GROUP"
     }
   }
   ```
   
   4. Check the database table 
   
   ```
   mysql> select * from ldap_trust_map;
   +----+-----------+-------+-------------------------------------------+--------------+------------+
   | id | domain_id | type  | name                                      | account_type | account_id |
   +----+-----------+-------+-------------------------------------------+--------------+------------+
   | 22 |        25 | GROUP | cn=dev-team,ou=Telco-Bng,dc=example,dc=in |            2 |          0 |
   ```
   
   5. Create LDAP account
   
   https://cloudstack.apache.org/api/apidocs-4.20/apis/ldapCreateAccount.html
   
   Select the roletype to user
   
   6. Account is created with user role type 
   
   
   
   ### What to do about it?
   
   CloudStack should validate the role and account type 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
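
An added example, not part of the original issue and not CloudStack's own code: one way to express the consistency check the report asks for, plus an audit of already-created accounts against each domain's LDAP link. The function names, the sample account rows, the mapping of account types to role type names (0 = User, 1 = Admin, 2 = DomainAdmin) and the rule that the requested role type must match the account type of the domain's LDAP link are all assumptions.

```python
# Added example, not CloudStack code; all names here are hypothetical.
# Assumed mapping of numeric account types to role type names.
ACCOUNT_TYPE_TO_ROLE_TYPE = {0: "User", 1: "Admin", 2: "DomainAdmin"}


def check_ldap_account_request(link_account_type, account_type=None, role_type=None):
    """Return reasons to reject the request; an empty list means consistent."""
    expected = ACCOUNT_TYPE_TO_ROLE_TYPE.get(link_account_type)
    if expected is None:
        return [f"linked domain has unmapped account type {link_account_type}"]
    errors = []
    if account_type is not None and account_type != link_account_type:
        errors.append(f"account type {account_type} != linked account type {link_account_type}")
    if role_type is not None and role_type.lower() != expected.lower():
        errors.append(f"role type {role_type} != expected role type {expected}")
    return errors


def audit(trust_map_rows, accounts):
    """Flag existing accounts whose role type differs from their domain's LDAP link."""
    link_by_domain = {row["domain_id"]: row["account_type"] for row in trust_map_rows}
    findings = []
    for acct in accounts:
        link_type = link_by_domain.get(acct["domain_id"])
        if link_type is None:
            continue  # domain is not linked to LDAP, nothing to compare against
        for reason in check_ldap_account_request(link_type, role_type=acct["role_type"]):
            findings.append((acct["name"], reason))
    return findings


# Constructed sample data mirroring the report: domain 25 is linked with account_type 2.
TRUST_MAP = [{"domain_id": 25, "type": "GROUP", "account_type": 2}]
ACCOUNTS = [
    {"name": "ldap-user-a", "domain_id": 25, "role_type": "User"},
    {"name": "ldap-user-b", "domain_id": 25, "role_type": "DomainAdmin"},
    {"name": "local-user", "domain_id": 1, "role_type": "User"},
]

if __name__ == "__main__":
    for name, reason in audit(TRUST_MAP, ACCOUNTS):
        print(f"{name}: {reason}")
```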
