Re: [xwiki-users] LDAP auth and username case

2016-08-11 Thread Stéphane Laurière

Hi Thomas, hi all,

Thomas Mortagne:

> On Thu, Aug 11, 2016 at 9:42 AM, Stéphane Laurière wrote:
>> Hi all,
>>
>> I have a question about case sensitivity of usernames in the context of an
>> LDAP authentication. As far as I understand, LDAP directories are mostly
>> case insensitive (reference: 'A note about case sensitivity in LDAP' [1]).
>> XWiki usernames, however, are case sensitive. In order to avoid any
>> ambiguity with usernames, we are considering using only lowercase
>> usernames. Is there a way to force XWiki to use the username as it is stored
>> in the LDAP directory, case-wise?
>>
>> The need seems to be marked as fixed at [2]. However, when doing tests with
>> OpenLDAP, I notice the following (with XWiki 6.4.2):
>>
>>   - Context: a user with uid 'aliddell' is present in the LDAP directory.
>>   - Logging in with username 'ALIDDELL' succeeds and a user 'XWiki.ALIDDELL'
>> gets created (while we'd like to get 'XWiki.aliddell').
>>   - Subsequent logins with other cases get bound to the existing login
>> 'XWiki.ALIDDELL'.
>
> This is what http://jira.xwiki.org/browse/XWIKI-238 is about: knowing
> that ALIDDELL and aliddell are the same thing so don't create a new
> user. This is done using an LDAP related object which contains the
> reference lower case LDAP uid. But the XWiki user is created based on
> the first login (assuming that's what the user is mostly going to use).

I see, thank you for the explanation.

>> I understand that we may rewrite the username in JavaScript but that would
>> work only with form-based auth. Should we write our own LDAPAuthService to
>> meet the need? Or would you have other suggestions?
>
> The easiest in 6.4.2 would be to write your own authenticator class
> which extends XWikiLDAPAuthServiceImpl and just overwrite
> XWikiLDAPAuthServiceImpl#getValidXWikiUserName with something like
> super.getValidXWikiUserName(name).toLowerCase().

OK

> For 7.4+ versions don't hesitate to add a new improvement issue in
> http://jira.xwiki.org/browse/LDAP. I guess we could create the XWiki
> user name based on the actual uid found in the LDAP server, would
> require a bit of refactoring but it should be doable.

OK great. I have added an improvement issue along this line indeed:

  http://jira.xwiki.org/browse/LDAP-21

Cheers

Stéphane

>>   [1] http://www.zytrax.com/books/ldap/ch2/
>>   [2] http://jira.xwiki.org/browse/XWIKI-238
>>
>> Thanks a lot,
>>
>> Kind regards,
>>
>> Stéphane
>>
>> --
>> Stéphane Laurière
>> CTO OW2 www.ow2.org
>> +33 645 816 202 @slauriere

___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users

--
Stéphane Laurière
CTO OW2 www.ow2.org
+33 645 816 202 @slauriere


Re: [xwiki-users] LDAP auth and username case

2016-08-11 Thread Thomas Mortagne
On Thu, Aug 11, 2016 at 9:42 AM, Stéphane Laurière wrote:
> Hi all,
>
> I have a question about case sensitivity of usernames in the context of an
> LDAP authentication. As far as I understand, LDAP directories are mostly
> case insensitive (reference: 'A note about case sensitivity in LDAP' [1]).
> XWiki usernames, however, are case sensitive. In order to avoid any
> ambiguity with usernames, we are considering using only lowercase
> usernames. Is there a way to force XWiki to use the username as it is stored
> in the LDAP directory, case-wise?
>
> The need seems to be marked as fixed at [2]. However, when doing tests with
> OpenLDAP, I notice the following (with XWiki 6.4.2):
>
>   - Context: a user with uid 'aliddell' is present in the LDAP directory.
>   - Logging in with username 'ALIDDELL' succeeds and a user 'XWiki.ALIDDELL'
> gets created (while we'd like to get 'XWiki.aliddell').

>   - Subsequent logins with other cases get bound to the existing login
> 'XWiki.ALIDDELL'.

This is what http://jira.xwiki.org/browse/XWIKI-238 is about: knowing
that ALIDDELL and aliddell are the same thing so don't create a new
user. This is done using an LDAP related object which contains the
reference lower case LDAP uid. But the XWiki user is created based on
the first login (assuming that's what the user is mostly going to use).

>
> I understand that we may rewrite the username in JavaScript but that would
> work only with form-based auth. Should we write our own LDAPAuthService to
> meet the need? Or would you have other suggestions?

The easiest in 6.4.2 would be to write your own authenticator class
which extends XWikiLDAPAuthServiceImpl and just overwrite
XWikiLDAPAuthServiceImpl#getValidXWikiUserName with something like
super.getValidXWikiUserName(name).toLowerCase().

For 7.4+ versions don't hesitate to add a new improvement issue in
http://jira.xwiki.org/browse/LDAP. I guess we could create the XWiki
user name based on the actual uid found in the LDAP server, would
require a bit of refactoring but it should be doable.

>
>   [1] http://www.zytrax.com/books/ldap/ch2/
>   [2] http://jira.xwiki.org/browse/XWIKI-238
>
> Thanks a lot,
>
> Kind regards,
>
> Stéphane
>
> --
> Stéphane Laurière
> CTO OW2 www.ow2.org
> +33 645 816 202 @slauriere
>



-- 
Thomas Mortagne
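
The override suggested in the message above, written out as an added example (not code from the thread or from the XWiki project); the package `org.example.xwiki` and the class name are hypothetical, and the import path and the method's visibility are assumptions to check against the 6.4.2 jars. It lowercases with `Locale.ROOT` because plain `toLowerCase()` follows the JVM default locale, and under a Turkish locale 'ALIDDELL' lowercases to 'alıddell', which no longer equals the LDAP uid 'aliddell'.

```java
package org.example.xwiki; // hypothetical package name

import java.util.Locale;

// Assumed location of the class in XWiki 6.4.x; check it against your platform jars.
import com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl;

/**
 * Added example: LDAP authenticator that always derives a lowercase XWiki user name,
 * so that a first login as 'ALIDDELL' is intended to create XWiki.aliddell.
 *
 * Enable it in xwiki.cfg:
 *   xwiki.authentication.authclass=org.example.xwiki.LowercaseLDAPAuthServiceImpl
 */
public class LowercaseLDAPAuthServiceImpl extends XWikiLDAPAuthServiceImpl
{
    /** Locale-independent lowercasing; null is passed through unchanged. */
    static String normalize(String name)
    {
        return name == null ? null : name.toLowerCase(Locale.ROOT);
    }

    // Signature and visibility assumed from the call quoted in the thread.
    @Override
    protected String getValidXWikiUserName(String name)
    {
        return normalize(super.getValidXWikiUserName(name));
    }

    /** Shows why Locale.ROOT matters; run with the XWiki jars on the classpath. */
    public static void main(String[] args)
    {
        String typed = "ALIDDELL"; // login name from the thread's test case
        Locale saved = Locale.getDefault();
        try {
            // Simulate a JVM whose default locale is Turkish.
            Locale.setDefault(new Locale("tr", "TR"));
            // Default-locale lowercasing maps 'I' to dotless 'ı' (U+0131).
            System.out.println("toLowerCase():    " + typed.toLowerCase());
            System.out.println("equals LDAP uid:  " + "aliddell".equals(typed.toLowerCase()));
            System.out.println("normalize():      " + normalize(typed));
            System.out.println("equals LDAP uid:  " + "aliddell".equals(normalize(typed)));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```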