Symptoms

In CQ 5.3 with LDAP authentication enabled, if an administrator removes a CQ5 user's group membership that was acquired through the JAAS configuration's autocreate.user.membership setting, the membership is re-added on the user's next login. In 5.2.1 the group membership was not re-added on subsequent logins.

To explain this more clearly, here is a scenario to demonstrate:
Assume that autocreate.user.membership="site-users" in the JAAS configuration, and that the site-users group already exists in CQ5 and has ACLs set for editing all pages.

  1. LDAP User jdoe logs into CQ5.2.1 author for the first time
    • Upon login, the system creates user jdoe in CQ5 and makes him a member of the site-users group
  2. User admin logs into CQ5 and removes jdoe's membership to the site-users group.
    • Now jdoe is no longer a member of site-users.
  3. jdoe logs into CQ5 author again
    • In CQ 5.3 - site-users membership is re-added to the user jdoe after he logs in again.
    • In CQ 5.2.x - the user membership does not change (i.e. he is still not a member of site-users).
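The scenario above means that on CQ 5.3 a manual removal from an auto-membership group is not a durable revocation. The following added example (not part of the original article or of CQ itself) reads the autocreate.user.membership value from a JAAS configuration and reports which manual removals the next login will undo. The sample configuration, the extra group names and the comma-separated list format are assumptions made for illustration.

```python
import re

# Constructed JAAS fragment; only the autocreate.user.membership key and the
# site-users group come from the article, the rest is illustrative.
SAMPLE_JAAS = '''
com.day.crx {
    com.day.crx.security.ldap.LDAPLoginModule sufficient
    // autocreate.user.membership="old-group"
    autocreate.user.membership="site-users, intranet-readers";
};
'''

def auto_membership_groups(jaas_text):
    """Return the set of groups named by autocreate.user.membership."""
    groups = set()
    for line in jaas_text.splitlines():
        line = line.split("//", 1)[0]  # ignore commented-out settings
        m = re.search(r'autocreate\.user\.membership\s*=\s*"([^"]*)"', line)
        if m:
            # Assumption: several groups are given as a comma-separated list.
            groups.update(g.strip() for g in m.group(1).split(",") if g.strip())
    return groups

def readded_on_next_login(jaas_text, removals, cq_version):
    """List the (user, group) removals that the next LDAP login will undo.

    removals: (user, group) pairs an administrator removed by hand.
    cq_version: tuple such as (5, 3) or (5, 2, 1).
    """
    major_minor = tuple(cq_version[:2])
    if major_minor == (5, 2):
        return []  # per the article, 5.2.x leaves manual removals in place
    if major_minor != (5, 3):
        raise ValueError("the article only describes CQ 5.2.x and 5.3")
    auto = auto_membership_groups(jaas_text)
    return sorted((u, g) for u, g in removals if g in auto)

if __name__ == "__main__":
    removed = [("jdoe", "site-users"), ("jdoe", "contributors")]
    for user, group in readded_on_next_login(SAMPLE_JAAS, removed, (5, 3)):
        print(f"{user}: removal from {group} will not survive the next login")
```
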

Resolution

This functionality was intentionally changed in CQ5.3. For further information, please see the documentation here.

Applies to

CQ 5.2.x to 5.3 Upgrade

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
