Hello,

RE: LDAP + Username

Currently it seems the only way to log in using an LDAP-connected server is to 
use the/an email address for a user. Whilst this works, it breaks the unified 
username/password combo that users in our organisation are used to using for 
multiple services.

Because of this, we find it stops SSO from working: even if we use the 
"strip domain" option, the user.name@ part does not always match the username 
of the user.


Looking at the source code, there is only one entry in the config 
(LDAP_MAIL_ATTR) for an LDAP field, for 'mail' in this instance, and there is 
nothing similar for a username field; from this I presume that the username 
is not used to check the user?


I think I could modify this code to split the user auth out so that the 
username and/or email address can be used for logon, which would fix both. But 
before I do that I wanted to check that I am not missing something, as I may 
have to backport these changes to newer versions (unless this is something of 
interest for the main branch).




RE: LDAP + Disabled accounts

Currently 1.1.1 allows an account that has been disabled to still log in; 
whether an account is disabled has to be checked manually. I've seen lots of 
projects miss this out. (Even ESXi didn't fix it until 5.5.)




Thanks,
ST
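Added example, not code from the project or from the mail's author: the two points raised above written out as a small Python module. It builds a search filter that matches either the mail attribute or a username attribute, with the typed login escaped per RFC 4515 so it cannot alter the filter, and it refuses disabled accounts explicitly before the password is tried. The attribute names (sAMAccountName for the username, userAccountControl bit 0x2 for AD, nsAccountLock for 389/Red Hat DS, pwdAccountLockedTime for OpenLDAP ppolicy) are assumptions about the target directory, and the in-memory directory and simulated bind are constructed so the example runs offline; against a real server, build_filter() is what would be passed to python-ldap or ldap3.

```python
"""Login by username or e-mail address, with a disabled-account check.

Added example, not code from the project discussed in the mail. Assumes an
AD-style schema (login name in sAMAccountName, address in mail, disabled
flag in bit 0x2 of userAccountControl) and also recognises nsAccountLock
(389/Red Hat DS) and pwdAccountLockedTime (OpenLDAP ppolicy). The directory
below is a constructed in-memory stand-in; the bind is simulated.
"""
import re

ACCOUNTDISABLE = 0x0002            # userAccountControl bit, Active Directory
LDAP_MAIL_ATTR = "mail"
LDAP_USER_ATTR = "sAMAccountName"  # assumption; 'uid' on most non-AD servers


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the typed login must not be able to change the
    filter's structure (e.g. '*' or 'x)(objectClass=*')."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_filter(login: str) -> str:
    """Match the e-mail OR the plain username, whichever the user typed."""
    v = escape_filter_value(login)
    return f"(|({LDAP_MAIL_ATTR}={v})({LDAP_USER_ATTR}={v}))"


def is_disabled(entry: dict) -> bool:
    """True if the directory marks the account as disabled or locked.
    Do not rely on the server rejecting the bind: AD does, but a plain
    OpenLDAP tree has no disabled state unless ppolicy is configured."""
    uac = entry.get("userAccountControl")
    if uac is not None and int(uac) & ACCOUNTDISABLE:
        return True
    if str(entry.get("nsAccountLock", "")).lower() == "true":
        return True
    # ppolicy: 000001010000Z = locked by an admin; any other value is a
    # lockout still in force while the attribute is present.
    return "pwdAccountLockedTime" in entry


def find_user(directory: list, login: str):
    """Stand-in for a search with build_filter(); caseIgnore match as LDAP
    does for these attributes. Returns the single matching entry, or None
    when zero or several entries match (ambiguity must not log anyone in)."""
    needle = login.lower()
    hits = [e for e in directory
            if str(e.get(LDAP_MAIL_ATTR, "")).lower() == needle
            or str(e.get(LDAP_USER_ATTR, "")).lower() == needle]
    return hits[0] if len(hits) == 1 else None


def authenticate(directory: list, login: str, password: str) -> str:
    """Resolve the login, reject disabled accounts, then try the bind."""
    entry = find_user(directory, login)
    if entry is None:
        return "no_such_user"
    if is_disabled(entry):
        return "disabled"
    if entry["_password"] != password:   # simulated bind
        return "bad_password"
    return "ok"


# Constructed sample directory (not real data).
DIRECTORY = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=org", LDAP_USER_ATTR: "alice",
     LDAP_MAIL_ATTR: "alice.smith@example.org",
     "userAccountControl": 512, "_password": "s3cret"},      # NORMAL_ACCOUNT
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=org", LDAP_USER_ATTR: "bob",
     LDAP_MAIL_ATTR: "bob.jones@example.org",
     "userAccountControl": 514, "_password": "hunter2"},     # 512 | 0x2
    {"dn": "uid=carol,ou=people,dc=example,dc=org", LDAP_USER_ATTR: "carol",
     LDAP_MAIL_ATTR: "carol@example.org", "nsAccountLock": "TRUE",
     "_password": "pw"},
]

if __name__ == "__main__":
    for login, pw in [("alice", "s3cret"), ("alice.smith@example.org", "s3cret"),
                      ("bob", "hunter2"), ("carol", "pw"), ("*", "x")]:
        print(f"{login:28} -> {authenticate(DIRECTORY, login, pw)}")
    print(build_filter("x)(objectClass=*"))
```

The OR filter is what lets a user type either form without a "strip domain" guess; requiring exactly one hit guards against a username that happens to equal another account's mail value, and the escaping matters because the same filter now carries free-form user input.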