Symptoms
In CQ 5.3, when LDAP authentication is enabled and an administrator removes a CQ5 user's group membership, the membership is re-added on the user's next login if it was originally acquired via the JAAS configuration's autocreate.user.membership setting. In 5.2.1, the group membership was not re-added on subsequent logins.
To explain this more clearly, here is a scenario to demonstrate:
Assume that autocreate.user.membership="site-users" is set in the JAAS configuration, and that the site-users group already exists in CQ5 and has ACLs set for editing all pages.
- LDAP User jdoe logs into CQ5.2.1 author for the first time
- Upon login, the system creates user jdoe in CQ5 and makes him a member of the site-users group
- User admin logs into CQ5 and removes jdoe's membership in the site-users group.
- Now jdoe is no longer a member of site-users.
- jdoe logs into CQ5 author again
- In CQ 5.3 - site-users membership is re-added to the user jdoe after he logs in again.
- In CQ 5.2.x - the user membership does not change (i.e. he is still not a member of site-users).
Resolution
This functionality was intentionally changed in CQ5.3. For further information, please see the documentation here.
Applies to
CQ 5.2.x to 5.3 Upgrade