
LDAP username change does not update externalaccount table
Closed, Duplicate | Public

Description

My Active Directory registered users cannot log in to Phabricator after their usernames have been changed.

To reproduce:

  • Register user in Phabricator via LDAP import
  • User can log in to Phabricator successfully
  • Change user's username in Active Directory
  • Update user's username in Phabricator - People - Manage - Change Username
  • User cannot now log in to Phabricator with updated username
  • Manually change username in MySQL phabricator_user.user_externalaccount.username
  • User can now log in to Phabricator with the updated username

Version:
phabricator 2f93ce4c25be997ce862247a58038f9a196843f2 (Sun, Nov 6)
arcanist fad85844314b151994769a461825c90f7400c145 (Sat, Oct 22)
phutil e409df2720c262076da73e3d888094341d8ff431 (Fri, Nov 4)

Event Timeline

This isn't a bug. Here's an example of why the proposed behavior is dangerous:

  • Alice, a compromised administrator, wants to gain access to Bob's account.
  • Alice changes her Phabricator username to qwzyuxx.
  • Alice changes Bob's username to alice.
  • Alice logs out, then logs in using her LDAP credentials.
  • Alice now controls Bob's account.

I'm going to merge this into T4279.
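
A minimal model of the scenario in the comment above, as an added example that is not part of the original task and is not Phabricator's code. The `Directory` class, the `sync_link_on_rename` switch and the user ids are assumptions made for illustration; the point is that a login link which follows a rename lets whoever can rename accounts reassign who an LDAP identity logs in as.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Toy model: accounts keyed by an immutable id, each linked to an LDAP name."""
    sync_link_on_rename: bool                       # True = behaviour the report asks for
    usernames: dict = field(default_factory=dict)   # user_id -> Phabricator username
    links: dict = field(default_factory=dict)       # user_id -> linked LDAP username

    def register(self, user_id, ldap_username):
        # LDAP import: the account starts with the LDAP name and a link to it.
        self.usernames[user_id] = ldap_username
        self.links[user_id] = ldap_username

    def rename(self, user_id, new_username):
        # Administrator action: change the Phabricator username.
        if new_username in self.usernames.values():
            raise ValueError("username already taken")
        self.usernames[user_id] = new_username
        if self.sync_link_on_rename:
            # Proposed behaviour: the external-account link follows the rename.
            self.links[user_id] = new_username

    def login(self, ldap_username):
        # Called only after LDAP has verified the password for ldap_username.
        matches = [uid for uid, name in self.links.items() if name == ldap_username]
        return matches[0] if len(matches) == 1 else None


def replay(sync_link_on_rename):
    """Replay the steps from the comment; return the account Alice ends up in."""
    d = Directory(sync_link_on_rename)
    d.register("user-1", "alice")   # Alice's account (constructed ids)
    d.register("user-2", "bob")     # Bob's account
    d.rename("user-1", "qwzyuxx")   # Alice renames herself
    d.rename("user-2", "alice")     # Alice renames Bob to "alice"
    return d.login("alice")         # Alice presents her own LDAP credentials


if __name__ == "__main__":
    print("link follows rename ->", replay(True))    # user-2 (Bob's account)
    print("link is left alone  ->", replay(False))   # user-1 (Alice's own account)
```
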