[ome-users] LDAP plugin: case sensitivity

MEYENHOFER Felix felix.meyenhofer at unifr.ch
Thu Jun 19 11:07:13 BST 2014


Hi Paul

thanks for letting me discover more information about the topic that I hadn’t discovered yet.


On 18 Jun 2014, at 20:44, Paul van Schayck <paul at vanschayck.nl> wrote:
> Dear Felix,
> 
> By chance I was also looking into this issue for our setup today. As
> we also have mixed case DN's while the users are unaware of this, and
> normally login with whatever suits them. What I figured out that this
> issue has been reported before [1].
> 
> The workaround posted there involves setting the password provider to
> chainedPasswordProvider431 [2]. This allows you to manually (or
> scripted, how?) set the omero loginname to for example all lowercase.

I would like to avoid this kind of administrative work.

> I've however also been looking if changing mapUserName() in LdapImpl
> might be enough to workaround the problem [3]. Would changing
> .equals() to .equalsIgnoreCase() be enough? If we guarantee that
> within ldap never two users will exist with the same username but
> different case.

Actually I was hoping there is a way without digging into the source code, but after reading through your references, my impression that the API as it is now might not be generic enough got stronger still.

Ignoring the cases might be one solution. I checked our AD logins for ambiguities when ignoring the cases and there was none in over 17’000 entries. So our system admins are very careful to give each user a distinct login independent of upper and lower cases. My guess would be that it might even be considered best practice not to rely on cases for AD logins.

But we have another issue:
Throughout our University one can use the short name (i.e. login) or the e-mail address to authenticate.

So my suggestion would be to extend the mapping configuration a bit:
1) It should allow multiple attributes to look for the login
2) The mapping of omeName should be separate from the definition of the attributes that are used to identify a user
3) There should be a flag to ignore cases

The following two parameters would be nice to have:
omero.ldap.user_lookup_attributes=cn,displayName
omero.ldap.ignore_case=true

To ensure compatibility: omero.ldap.user_lookup_attributes, if not specified, would be equal to omeName. And ignore_case would be false by default.

> [1] https://trac.openmicroscopy.org.uk/ome/ticket/4821
> [2] http://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html
> [3] https://github.com/openmicroscopy/openmicroscopy/blob/develop/components/server/src/ome/logic/LdapImpl.java#L180
> 
> Kind regards,
> 
> Paul

Regards, 

Felix
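The lookup logic proposed in this message (several lookup attributes plus an ignore-case flag, with the default falling back to an exact match on a single attribute), as an added illustration that is not part of the thread and not OMERO's LdapImpl code. It is written in Python rather than Java purely for brevity; the function names, the LdapEntry class and the directory entries are constructed for the example, while the parameter names user_lookup_attributes and ignore_case are taken from the proposal above. The resolver refuses to pick one of several matching entries, and the audit function performs the kind of case-collision check described in the message, since enabling case-insensitive matching without that check could map one person's login onto another person's account.

```python
"""Constructed resolver for the multi-attribute, case-insensitive LDAP login
mapping proposed in the thread (example code, not OMERO's own LdapImpl)."""
from dataclasses import dataclass


class AmbiguousLoginError(Exception):
    """Raised when a login matches more than one directory entry."""


@dataclass
class LdapEntry:
    dn: str
    attributes: dict  # attribute name -> list of string values


def _norm(value: str, ignore_case: bool) -> str:
    return value.lower() if ignore_case else value


def resolve_login(entries, login, lookup_attributes=("omeName",), ignore_case=False):
    """Return the single entry whose lookup attribute equals `login`, or None.

    With the defaults this reproduces the current behaviour (exact match on one
    attribute); with several attributes and/or ignore_case=True it shows the
    proposed behaviour. More than one match is rejected instead of silently
    choosing the first entry, so a case or attribute collision cannot log a
    user into somebody else's account.
    """
    wanted = _norm(login, ignore_case)
    matches = []
    for entry in entries:
        for attr in lookup_attributes:
            values = entry.attributes.get(attr, [])
            if any(_norm(v, ignore_case) == wanted for v in values):
                matches.append(entry)
                break  # one hit per entry is enough
    if len(matches) > 1:
        raise AmbiguousLoginError(f"{login!r} matches {[e.dn for e in matches]}")
    return matches[0] if matches else None


def is_ambiguous(entries, login, lookup_attributes, ignore_case):
    """Convenience wrapper: True when the login would be refused as ambiguous."""
    try:
        resolve_login(entries, login, lookup_attributes, ignore_case)
    except AmbiguousLoginError:
        return True
    return False


def find_case_collisions(entries, attributes):
    """Audit step to run before switching ignore_case on: group values of
    `attributes` that differ only in case. Returns {lower-cased value: [DNs]}
    containing only the values held by more than one distinct entry."""
    seen = {}
    for entry in entries:
        for attr in attributes:
            for v in entry.attributes.get(attr, []):
                seen.setdefault(v.lower(), set()).add(entry.dn)
    return {k: sorted(dns) for k, dns in seen.items() if len(dns) > 1}


# Constructed sample directory: one clean account and two accounts whose cn
# differs only in case (the situation the audit is meant to catch).
SAMPLE_DIRECTORY = [
    LdapEntry("CN=JSmith,OU=Staff,DC=example,DC=org",
              {"cn": ["JSmith"], "mail": ["john.smith@example.org"]}),
    LdapEntry("CN=mmueller,OU=Staff,DC=example,DC=org",
              {"cn": ["mmueller"], "mail": ["maria.mueller@example.org"]}),
    LdapEntry("CN=MMueller,OU=Students,DC=example,DC=org",
              {"cn": ["MMueller"], "mail": ["max.mueller@example.org"]}),
]


if __name__ == "__main__":
    print(resolve_login(SAMPLE_DIRECTORY, "jsmith", ("cn",)))                     # None: exact match only
    print(resolve_login(SAMPLE_DIRECTORY, "jsmith", ("cn",), ignore_case=True).dn)
    print(resolve_login(SAMPLE_DIRECTORY, "john.smith@example.org", ("cn", "mail")).dn)
    print(find_case_collisions(SAMPLE_DIRECTORY, ("cn",)))
    print(is_ambiguous(SAMPLE_DIRECTORY, "mmueller", ("cn",), True))
```

Running find_case_collisions over a directory export with the attributes you intend to list in user_lookup_attributes (here cn and mail) reports exactly the entries that would collide once ignore_case is switched on; an empty result is the precondition under which equalsIgnoreCase-style matching is safe.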

