On Thu, Sep 26, 2013 at 4:44 AM, Ralf Haferkamp <rha...@suse.de> wrote:

>
> As Dolph already suggested we should not allow usernames that just differ
> in capitalization ("JDoe" vs. "jdoe") to co-exist. (Which could be an
> argument for handling users case-insensitive in general)
>

This enforcement should be handled by the LDAP server if the organization
thinks it's important to have users with names unique without respect for
capitalization. LDAP servers can also enforce normal security enhancers
like password strength, expiration, and locking out users after invalid
logins that the SQL backend doesn't support.

My recommendation is that Keystone should get away from dealing with
creating/updating users to avoid reinventing the wheel (and making a wheel
that's missing bells and whistles). If comparing user names is a problem,
let's limit it to our custom SQL backend and not let it spread to other
more featureful backends.

- Brant
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
