Dear fellas,

I am working on a setup in which I am using a modified PASSSL and PloneLDAP to authenticate a user using a client certificate, extracting an LDAP username from the certificate and getting a User object from an LDAP server, searching by the mentioned username.

Here is the problem I stumbled upon: the certificates are used for Windows authentication (the LDAP server is an MS-AD), so the only previous use of that username was for Windows logon. Windows does not care about case in the user login (it does for the password). Several users had their certificates issued with case discrepancies between their certificates and their AD accounts (a user could have username FoO in the AD and fOo in the certificate).

That does not affect certificate authentication (which is done by Apache), nor user finding by LDAPMultiPlugins, but it is an issue when I give local roles to a user in a Plone item using the sharing display of the item. What I understand is happening is that the username that gets compared against the list of "local roled" users is the username from the certificate, and they don't match (because of case differences).

So, what I think should be the solution is to make the "username matching" case insensitive, when Plone tries to decide whether the username matches against the other. Hopefully, maybe it is just a matter of changing somewhere something like "if username = currentUsername" by "if upper_case(username) = upper_case(currentUsername)".

I know this will break Plone in terms of not allowing the occurrence of Plone users with the same characters but different cases, but that does not bother me for two reasons: first, we are only using LDAP users and second, I think it would be too messy anyway to allow logins JohnDoe and johndoe as different users.

Can anyone give me a hint on which .py to change, and where?

Regards,
Albie

--
View this message in context: http://n2.nabble.com/Too-much-case-sensitivity-%28LDAPMultiPlugins%2C-PASSSL%29-tp679232p679232.html
Product-Developers mailing list
http://lists.plone.org/mailman/listinfo/product-developers
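An added example, not part of the original post and not Plone, PASSSL or LDAPMultiPlugins code: one way to handle the mismatch described in the post is to map the certificate login to the directory's spelling once, at authentication time, so the local-role lookup stays an exact match and logins that differ only by case are rejected rather than merged. All function names and sample data are hypothetical, and no Plone API is used.

```python
# Constructed sample data: logins as spelled in the directory (AD), and
# local roles stored on a content item, keyed by that directory spelling.
DIRECTORY_LOGINS = ["FoO", "JohnDoe", "asmith"]
LOCAL_ROLES = {"FoO": ["Editor"], "JohnDoe": ["Reviewer"]}


class AmbiguousLogin(Exception):
    """Two directory logins differ only by case; refuse to guess."""


def build_index(logins):
    """Map case-folded login -> canonical directory spelling."""
    index = {}
    for login in logins:
        key = login.casefold()
        if key in index and index[key] != login:
            raise AmbiguousLogin(f"{index[key]!r} and {login!r} collide")
        index[key] = login
    return index


def canonical_login(cert_login, index):
    """Return the directory spelling for a certificate login, or None."""
    return index.get(cert_login.strip().casefold())


def local_roles_for(cert_login, index, local_roles):
    """Look up local roles with the canonical login, never the raw one."""
    login = canonical_login(cert_login, index)
    if login is None:
        return []  # unknown principal: no roles
    return list(local_roles.get(login, []))


if __name__ == "__main__":
    idx = build_index(DIRECTORY_LOGINS)
    # Certificate says "fOo", directory says "FoO".
    print("raw lookup:      ", LOCAL_ROLES.get("fOo", []))
    print("canonical login: ", canonical_login("fOo", idx))
    print("canonical lookup:", local_roles_for("fOo", idx, LOCAL_ROLES))
```

Normalizing once where the identity enters the system keeps a single spelling in every later comparison, instead of relying on each comparison site being made case-insensitive.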
