Labels: Type-Defect Priority-Medium
New issue 1881 by email.app: LDAP does not appear to support multiple login
names for the same account (common with Mac OS X Server)
*NOTE: Do not post confidential information in this bug report.*
What version are you running?
What's the URL of the page containing the problem?
What steps will reproduce the problem?
1. Set up a Mac OS X Server as an Open Directory Master (it uses OpenLDAP I
2. Set up Review Board on another server.
3. Configure Review Board to authenticate via LDAP with the following
LDAP Server: ldap://macosxserver.domain.com
LDAP Base DN: cn=users, dc=domain,dc=com
E-Mail LDAP Attribute: mail
Use TLS for authentication: unchecked
User Mask: (uid=%s)
Anonymous User Mask:
Anonymous User Password:
4. Log in using the "long name" of the user (i.e. "John Doe" instead
of "jdoe"). This is the cn LDAP attribute I believe, but Mac OS X maps
that to uid as well I think.
5. Log in using the "short name" (i.e. "jdoe"). This is the uid LDAP
attribute I believe.
What is the expected output? What do you see instead?
I expected both 4 and 5 to log me into the same user (because they are the
same user on Mac OS X Server). Instead, Review Board treats these as
separate users, and makes separate user entries etc. for them.
What operating system are you using? What browser?
Mac OS X 10.6.5 and Mac OS X Server 10.6.5. Safari 5.0.2.
Please provide any additional information below.
I tried changing the User Mask to "(|(uid=%s)(cn=%s))", but I was no longer
able to log in at all after that.
I tried editing reviewboard/accounts/backends.py like this.
1. Edit the LDAPBackend.get_or_create_user function (method? my Python
vernacular is poor...).
2. Change the line "user = User.objects.get(username=username)" to "user =
3. Delete reviewboard/accounts/backends.pyc.
4. Restart the web service (which is Apache 2 on Mac OS X Server I believe).
There was no change when I did these steps.
This is a follow-up to
http://code.google.com/p/reviewboard/issues/detail?id=1755; somehow I
missed the update to that bug.
I'm suggesting that after Review Board authenticates a user, it requests
the user's distinguished name back from the LDAP server because it may be
different from the user ID used to authenticate. While this might be
unusual in the Linux world, it's how Mac OS X has worked for quite a while,
and it's what my users expect. I don't think this is unusual in Active
Directory environments either for that matter. You would want to do
something like this basically.
$ ldapsearch -LLL -h macosxserver.domain.com -b "cn=users,dc=domain,dc=com" -x "(uid=John Doe)" dn
Thus you have translated the name the user authenticated with (uid=John
Doe) into their canonical username (dn: uid=jdoe…).
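
The lookup suggested above, as an added Python example that is not part of the original report and is not Review Board's code: the login name is escaped for the filter (RFC 4515), searched with the "(uid=%s)" mask, and the uid in the returned DN becomes the local account name. The directory entries, `fake_search` (a stand-in for a real LDAP search) and `canonical_username` are constructed or hypothetical names.

```python
import re

# Constructed sample entries (not from the report): Open Directory-style
# records whose uid attribute holds both the short and the long name.
SAMPLE_DIRECTORY = [
    ("uid=jdoe,cn=users,dc=domain,dc=com",
     {"uid": ["jdoe", "John Doe"], "mail": ["jdoe@domain.com"]}),
    ("uid=asmith,cn=users,dc=domain,dc=com",
     {"uid": ["asmith", "Alice Smith"], "mail": ["asmith@domain.com"]}),
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def fake_search(base_dn, ldap_filter):
    """Hypothetical stand-in for a directory search; understands only (uid=value)."""
    match = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if not match:
        return []
    raw = match.group(1)
    if raw == "*":  # an unescaped wildcard matches every entry
        return list(SAMPLE_DIRECTORY)
    # Decode \XX escapes, then compare case-insensitively, as uid matching is.
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [(dn, attrs) for dn, attrs in SAMPLE_DIRECTORY
            if wanted.lower() in (v.lower() for v in attrs["uid"])]


def canonical_username(login_name, search=fake_search,
                       base_dn="cn=users,dc=domain,dc=com", user_mask="(uid=%s)"):
    """Return the uid from the matching entry's DN, or None unless exactly one matches."""
    results = search(base_dn, user_mask % escape_filter_value(login_name))
    if len(results) != 1:  # no match, or an ambiguous one: do not pick an account
        return None
    first_rdn = re.match(r"uid=((?:\\.|[^,\\])+),", results[0][0], re.IGNORECASE)
    return first_rdn.group(1) if first_rdn else None


if __name__ == "__main__":
    for name in ("John Doe", "jdoe", "JDOE", "*"):
        print(repr(name), "->", canonical_username(name))
```

Keying the local account on the value returned here, rather than on the string typed at the login form, is what makes "John Doe" and "jdoe" resolve to one user.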