Re: [gitorious] LDAP authentication with short user names
Thomas Chemineau writes:

> I have the same problem as Peter, I currently have several LDAP uid with 2
> characters.
>
> So, I would like to know if there is still this three-character limit in
> Gitorious. If not, is there a config parameter somewhere to adjust this
> limit?

Yes, the limit is still there. If someone feels up to submitting a merge request for this, we'd be happy to merge that (set up custom validation for user accounts when LDAP is being used for authentication; plus a test case demonstrating this).

Cheers,
- Marius
Re: [gitorious] LDAP authentication with short user names
Hi,

I have the same problem as Peter, I currently have several LDAP uid with 2 characters.

So, I would like to know if there is still this three-character limit in Gitorious. If not, is there a config parameter somewhere to adjust this limit?

Cheers,
Thomas.

Thomas Chemineau

2012/9/25 Marius Mårnes Mathiesen

> On Mon, Sep 24, 2012 at 2:47 PM, Ken Dreyer wrote:
>
>> On Mon, Sep 24, 2012 at 3:37 AM, Marius Mårnes Mathiesen wrote:
>> > Although I wasn't around at the time, I would think it either had to do with
>> > a higher probability for uniqueness with a three char username or the risk of
>> > brute force attacks on shorter usernames?
>>
>> Thank you. Do you think this is still valid? In other words, would you
>> take a patch that drops the username limit from 3 to 2? To address any
>> brute-force concerns, maybe the password minimum character limit
>> should be increased.
>
> I agree, I'm quite sure such a patch would be accepted :-)
>
>> On Mon, Sep 24, 2012 at 5:30 AM, Peter Kjellerstedt wrote:
>> > You might want to consider making this configurable, given that you cannot
>> > influence what user names are already in use
>>
>> Gitorious has so many configuration options already, so perhaps we
>> should just change the limit from 3 to 2 and reduce the number of code
>> paths to test?
>
> Agreed.
>
>> On Mon, Sep 24, 2012 at 5:41 AM, Marius Mårnes Mathiesen wrote:
>> > Side note: we're going to have to make some changes to how usernames are
>> > validated when using an external authentication provider (like LDAP) anyway.
>> > We currently substitute any dots in usernames with a dash, but the problem
>> > here is that this is a lossy process. We have seen LDAP directories which
>> > use both dashes and dots. One thing to do could be to be more liberal when
>> > using external authentication systems; do any of you have any thoughts on
>> > this - eg. what kind of real-world use cases we will need in this regard?
>>
>> Good question. I support Gitorious for a multi-realm Active Directory
>> environment. Currently Gitorious' Kerberos+LDAP authentication is only
>> enabled for one of the domains, but down the road I want to open it up
>> to support users from multiple domains. This will entail supporting
>> Gitorious usernames with "@" signs. I've been meaning to look into
>> what exactly is blocking "@" signs in Gitorious - I wasn't sure if the
>> restriction is related to Rails or not.
>
> Thanks for the input. The only restriction I still remember the motivation
> for wrt usernames is the dot: Rails treats dots anywhere in a URL
> specially, I think because of the convention of using it to specify a
> format. If you'd care experimenting with allowing and using @'s in
> usernames I'd love to hear how this works for you.
>
> Cheers,
> - Marius
Re: [gitorious] LDAP authentication with short user names
On Mon, Sep 24, 2012 at 2:47 PM, Ken Dreyer wrote:

> On Mon, Sep 24, 2012 at 3:37 AM, Marius Mårnes Mathiesen wrote:
> > Although I wasn't around at the time, I would think it either had to do with
> > a higher probability for uniqueness with a three char username or the risk of
> > brute force attacks on shorter usernames?
>
> Thank you. Do you think this is still valid? In other words, would you
> take a patch that drops the username limit from 3 to 2? To address any
> brute-force concerns, maybe the password minimum character limit
> should be increased.

I agree, I'm quite sure such a patch would be accepted :-)

> On Mon, Sep 24, 2012 at 5:30 AM, Peter Kjellerstedt wrote:
> > You might want to consider making this configurable, given that you cannot
> > influence what user names are already in use
>
> Gitorious has so many configuration options already, so perhaps we
> should just change the limit from 3 to 2 and reduce the number of code
> paths to test?

Agreed.

> On Mon, Sep 24, 2012 at 5:41 AM, Marius Mårnes Mathiesen wrote:
> > Side note: we're going to have to make some changes to how usernames are
> > validated when using an external authentication provider (like LDAP) anyway.
> > We currently substitute any dots in usernames with a dash, but the problem
> > here is that this is a lossy process. We have seen LDAP directories which
> > use both dashes and dots. One thing to do could be to be more liberal when
> > using external authentication systems; do any of you have any thoughts on
> > this - eg. what kind of real-world use cases we will need in this regard?
>
> Good question. I support Gitorious for a multi-realm Active Directory
> environment. Currently Gitorious' Kerberos+LDAP authentication is only
> enabled for one of the domains, but down the road I want to open it up
> to support users from multiple domains. This will entail supporting
> Gitorious usernames with "@" signs. I've been meaning to look into
> what exactly is blocking "@" signs in Gitorious - I wasn't sure if the
> restriction is related to Rails or not.

Thanks for the input. The only restriction I still remember the motivation for wrt usernames is the dot: Rails treats dots anywhere in a URL specially, I think because of the convention of using it to specify a format. If you'd care experimenting with allowing and using @'s in usernames I'd love to hear how this works for you.

Cheers,
- Marius
Re: [gitorious] LDAP authentication with short user names
On Mon, Sep 24, 2012 at 3:37 AM, Marius Mårnes Mathiesen wrote:
> Although I wasn't around at the time, I would think it either had to do with
> a higher probability for uniqueness with a three char username or the risk of
> brute force attacks on shorter usernames?

Thank you. Do you think this is still valid? In other words, would you take a patch that drops the username limit from 3 to 2? To address any brute-force concerns, maybe the password minimum character limit should be increased.

On Mon, Sep 24, 2012 at 5:30 AM, Peter Kjellerstedt wrote:
> You might want to consider making this configurable, given that you cannot
> influence what user names are already in use

Gitorious has so many configuration options already, so perhaps we should just change the limit from 3 to 2 and reduce the number of code paths to test?

On Mon, Sep 24, 2012 at 5:41 AM, Marius Mårnes Mathiesen wrote:
> Side note: we're going to have to make some changes to how usernames are
> validated when using an external authentication provider (like LDAP) anyway.
> We currently substitute any dots in usernames with a dash, but the problem
> here is that this is a lossy process. We have seen LDAP directories which
> use both dashes and dots. One thing to do could be to be more liberal when
> using external authentication systems; do any of you have any thoughts on
> this - eg. what kind of real-world use cases we will need in this regard?

Good question. I support Gitorious for a multi-realm Active Directory environment. Currently Gitorious' Kerberos+LDAP authentication is only enabled for one of the domains, but down the road I want to open it up to support users from multiple domains. This will entail supporting Gitorious usernames with "@" signs. I've been meaning to look into what exactly is blocking "@" signs in Gitorious - I wasn't sure if the restriction is related to Rails or not.

- Ken
Re: [gitorious] LDAP authentication with short user names
On Mon, Sep 24, 2012 at 1:30 PM, Peter Kjellerstedt <peter.kjellerst...@axis.com> wrote:

> You might want to consider making this configurable, given that you cannot
> influence what user names are already in use in, e.g., an existing LDAP
> directory. E.g., I seriously doubt that our user who has a two letter user
> name would consider changing it because of Gitorious given that he has had
> it for almost 30 years… Changing Gitorious was a lot easier. ;)

:-)

Side note: we're going to have to make some changes to how usernames are validated when using an external authentication provider (like LDAP) anyway. We currently substitute any dots in usernames with a dash, but the problem here is that this is a lossy process. We have seen LDAP directories which use both dashes and dots. One thing to do could be to be more liberal when using external authentication systems; do any of you have any thoughts on this - eg. what kind of real-world use cases we will need in this regard?

Cheers,
- Marius
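
The lossy dot-to-dash substitution described in the message above, shown as an added example that is not part of the original thread and is not Gitorious code: it finds directory uids that would share one local login, and contrasts that with a reversible encoding. The method names, the sample uids and the escape scheme are assumptions made for illustration.

```ruby
# Added illustration, not Gitorious code. All method names are hypothetical.

# Constructed sample of directory uids (not taken from any real directory).
SAMPLE_UIDS = %w[jane.doe jane-doe af j.smith].freeze

# The mapping the thread describes: every dot in the uid becomes a dash.
def lossy_login(uid)
  uid.tr(".", "-")
end

# Distinct uids that end up sharing one login under the lossy mapping.
# Each entry is a local account that two directory identities would claim.
def login_collisions(uids)
  uids.uniq.group_by { |uid| lossy_login(uid) }
      .select { |_login, sources| sources.size > 1 }
end

# Assumed alternative: treat "-" as an escape character, so the login still
# contains no dots (the URL constraint mentioned in the thread) but the
# original uid can be recovered.
#   "-" => "--"    "." => "-d"
def reversible_login(uid)
  uid.gsub(/[-.]/) { |ch| ch == "-" ? "--" : "-d" }
end

# Inverse of reversible_login.
def restore_uid(login)
  login.gsub(/-([-d])/) { Regexp.last_match(1) == "-" ? "-" : "." }
end

if __FILE__ == $PROGRAM_NAME
  login_collisions(SAMPLE_UIDS).each do |login, sources|
    puts "collision: #{sources.join(', ')} -> #{login}"
  end
  SAMPLE_UIDS.each { |uid| puts "#{uid} -> #{reversible_login(uid)}" }
end
```

Running the collision check over an export of the directory's uid attribute before enabling external authentication shows which identities would be merged into one account.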
RE: [gitorious] LDAP authentication with short user names
You might want to consider making this configurable, given that you cannot influence what user names are already in use in, e.g., an existing LDAP directory. E.g., I seriously doubt that our user who has a two letter user name would consider changing it because of Gitorious given that he has had it for almost 30 years... Changing Gitorious was a lot easier. ;)

//Peter

From: gitorious@googlegroups.com [mailto:gitorious@googlegroups.com] On Behalf Of Marius Mårnes Mathiesen
Sent: den 24 september 2012 11:38
To: gitorious@googlegroups.com
Subject: Re: [gitorious] LDAP authentication with short user names

On Fri, Sep 21, 2012 at 6:42 PM, Ken Dreyer <ktdre...@ktdreyer.com> wrote:

On Fri, Sep 21, 2012 at 6:52 AM, Peter Kjellerstedt <peter.kjellerst...@axis.com> wrote:
> Couldn't you just change the validation in app/models/user.rb that validates
> the length of the login to be between 3 and 40 characters to allow 2 to 40
> instead? That is what we have done here...

My concern with this approach is that it will be overwritten in future Gitorious version upgrades.

That said, usernames of two characters do not seem unreasonable in general. Gitorious devs, any reason for choosing a three-character limit instead of two?

Although I wasn't around at the time, I would think it either had to do with a higher probability for uniqueness with a three char username or the risk of brute force attacks on shorter usernames?

- Marius
Re: [gitorious] LDAP authentication with short user names
On Fri, Sep 21, 2012 at 6:42 PM, Ken Dreyer wrote:

> On Fri, Sep 21, 2012 at 6:52 AM, Peter Kjellerstedt wrote:
> > Couldn’t you just change the validation in app/models/user.rb that validates
> > the length of the login to be between 3 and 40 characters to allow 2 to 40
> > instead? That is what we have done here…
>
> My concern with this approach is that it will be overwritten in future
> Gitorious version upgrades.
>
> That said, usernames of two characters do not seem unreasonable in
> general. Gitorious devs, any reason for choosing a three-character
> limit instead of two?

Although I wasn't around at the time, I would think it either had to do with a higher probability for uniqueness with a three char username or the risk of brute force attacks on shorter usernames?

- Marius
Re: [gitorious] LDAP authentication with short user names
On Fri, Sep 21, 2012 at 6:52 AM, Peter Kjellerstedt wrote:
> Couldn’t you just change the validation in app/models/user.rb that validates
> the length of the login to be between 3 and 40 characters to allow 2 to 40
> instead? That is what we have done here…

My concern with this approach is that it will be overwritten in future Gitorious version upgrades.

That said, usernames of two characters do not seem unreasonable in general. Gitorious devs, any reason for choosing a three-character limit instead of two?

- Ken
RE: [gitorious] LDAP authentication with short user names
Couldn't you just change the validation in app/models/user.rb that validates the length of the login to be between 3 and 40 characters to allow 2 to 40 instead? That is what we have done here...

//Peter

From: gitorious@googlegroups.com [mailto:gitorious@googlegroups.com] On Behalf Of Marius Mårnes Mathiesen
Sent: den 19 september 2012 10:31
To: gitorious@googlegroups.com
Subject: Re: [gitorious] LDAP authentication with short user names

On Mon, Sep 17, 2012 at 9:16 AM, Andreas Fischer <make.fisc...@googlemail.com> wrote:

Hi all,

we finally have successfully set up a gitorious server with LDAP integration. It all works well if the user name is longer than 2 characters.

Unfortunately most of our LDAP login names are the initials of the users with only 2 characters (like 'af').
Is there a way to enable short user names in gitorious?

Andreas,

Would it be possible to use another LDAP attribute which resolves to the username? If not, the best thing to do would be to have conditional validation rules for the username and allow the configuration of this requirement in a configuration file, or to add a custom initializer which overrides the validations for the username.

Cheers,
- Marius
Re: [gitorious] LDAP authentication with short user names
On Mon, Sep 17, 2012 at 9:16 AM, Andreas Fischer <make.fisc...@googlemail.com> wrote:

> Hi all,
>
> we finally have successfully set up a gitorious server with LDAP
> integration. It all works well if the user name is longer than 2 characters.
>
> Unfortunately most of our LDAP login names are the initials of the users
> with only 2 characters (like 'af').
> Is there a way to enable short user names in gitorious?

Andreas,

Would it be possible to use another LDAP attribute which resolves to the username? If not, the best thing to do would be to have conditional validation rules for the username and allow the configuration of this requirement in a configuration file, or to add a custom initializer which overrides the validations for the username.

Cheers,
- Marius
[gitorious] LDAP authentication with short user names
Hi all,

we finally have successfully set up a gitorious server with LDAP integration. It all works well if the user name is longer than 2 characters.

Unfortunately most of our LDAP login names are the initials of the users with only 2 characters (like 'af').
Is there a way to enable short user names in gitorious?

Thanks in advance
Andi