Hi Manu

Yes, I did see that, though I suppose you could argue that there would only really be a problem if, for example, there were 2 John Smiths in 2 different Trac permission groups, or one in a group and one not in a group ... they would also both have to be in the RDNs specified in user_rdn. It would certainly be easy to demonstrate the problem, but how often in reality you would have it I don't know.

My guess is that it would be hard to get around this, since once John Smith is logged in (via LDAP/authz) the information as to which of the John Smiths is logged in, i.e. the rest of the DN after the username, is lost. Without having that information I don't see how this can ever be 'properly' fixed, unfortunately. I think it's a call individual sysadmins need to make; for me the advantages of supporting users in multiple containers outweigh the security implication because I'm pretty certain it's never going to be a problem in our case.

By the way - the LdapPlugin is an absolutely excellent tool and makes a huge difference to me in managing Trac. I congratulate you! My intention is not to complain, but to help make an already great tool work better for me. I have just posted a patch to the forum - by all means take some or all of it, if you like it, for the benefit of mankind, or feel free to throw it away.

All the best
Jim

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Emmanuel Blot
Sent: 07 June 2007 02:04
To: [email protected]
Subject: [Trac] Re: LdapPlugin: user_rdn support for users in several OUs?

Hi Jim,

There is an issue here: how to ensure that entries are unique?

The problem is that to build a distinguished name (DN), you need the username, plus a RDN. As long as there is a single RDN defined in the plugin configuration that is used to build the DN, we can guarantee that a single username always maps to one unique DN in the LDAP directory (and vice-versa from the LdapPlugin perspective).

If you start adding several RDNs to build a DN (whatever the way it is implemented), this condition cannot be guaranteed anymore. In other words, if there is one "joe.user" in OU=Technical and another "joe.user" in OU=Management, there is no way to distinguish one from the other, and the permission system would be compromised, one group being picked at random by the system.

In order to make it work, you'll have to be sure that there are no two "joe.user" users registered in your enterprise directory, or at least in the common subtree of all RDNs. This kind of bypasses the role of the DN in an LDAP directory.

You could nevertheless implement such a hack where the plugin would use a list of RDNs instead of a single one, and build several DNs with each RDN, and stop on the first match. Keep in mind that this may represent a security issue.

HTH,
Cheers,
Manu (main author of the LdapPlugin)
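The uniqueness problem Manu describes, as an added example that is not part of this thread or of the LdapPlugin's own code: it builds DNs from "uid=<username>" plus each configured RDN against a constructed in-memory stand-in for the directory, shows that the "stop on the first match" approach silently depends on RDN order, and contrasts it with a resolver that refuses ambiguous usernames instead of picking one.

```python
# Added example, not LdapPlugin code. DIRECTORY is a constructed, in-memory
# stand-in for an LDAP server: it maps full DNs to the entry's group list.
# All names, OUs and groups below are made up for the demonstration.
DIRECTORY = {
    "uid=jim,ou=Technical,dc=example,dc=com":       {"groups": ["trac-dev"]},
    "uid=joe.user,ou=Technical,dc=example,dc=com":  {"groups": ["trac-dev"]},
    "uid=joe.user,ou=Management,dc=example,dc=com": {"groups": ["trac-admin"]},
}

# Hypothetical multi-valued user_rdn setting: one RDN per container searched.
USER_RDNS = [
    "ou=Technical,dc=example,dc=com",
    "ou=Management,dc=example,dc=com",
]


def build_dn(username, rdn):
    """A DN is the username RDN prepended to the configured container RDN."""
    return f"uid={username},{rdn}"


def first_match(username, rdns=USER_RDNS):
    """The 'stop on the first match' hack: which DN wins depends only on
    the order of the RDN list, not on which joe.user actually logged in."""
    for rdn in rdns:
        dn = build_dn(username, rdn)
        if dn in DIRECTORY:
            return dn
    return None


def resolve_unique(username, rdns=USER_RDNS):
    """Safer variant: look in every container and refuse to map a username
    that exists more than once, rather than guessing a DN (and its groups)."""
    found = [build_dn(username, r) for r in rdns if build_dn(username, r) in DIRECTORY]
    if len(found) > 1:
        raise LookupError(f"ambiguous username {username!r}: {found}")
    return found[0] if found else None


def groups_for(dn):
    """Permission groups of a resolved DN (empty if the DN is unknown)."""
    return DIRECTORY.get(dn, {}).get("groups", [])
```

With the RDN list reversed, first_match("joe.user") returns the Management entry and therefore different groups, which is the "picked at random" effect from the message; resolve_unique raises instead.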
