09f9dc31a81e254d16f843b296b4a594158c8f61

17-Jun-2014
Jake Feasel <jake.feasel@forgerock.com>
OPENIDM-1953 -
Disabling MANAGED_USER auth module for several samples, in favor of PASSTHROUGH to system/ldap/account

Just toggled a boolean config value; no review necessary. Rationale for change:

Previously, we attempted to authenticate using MANAGED_USER first, followed by a few others and then finally PASSTHROUGH. The reason it was first created this way was so that if there was a fully-populated managed/user entry, it would not need to query the remote system. This works fine if you are syncing passwords between managed/user and the remote backend, but as mentioned in OPENIDM-1953, that isn't always the case. To compound this problem, there is also the new function around role calculation; this is per-auth module, and so if you want to calculate roles for a given user you would need to do it for both MANAGED_USER and PASSTHROUGH, if they were both enabled. This redundancy is annoying and a likely source of confusion. So, this change is to just disable the MANAGED_USER auth module, and always use the PASSTHROUGH config.