[ome-users] LDAP plugin: case sensitivity

Aleksandra Tarkowska A.Tarkowska at dundee.ac.uk
Fri Jun 20 09:38:29 BST 2014


Dear Felix

Thank you for your feedback. I will add them to the ticket as valuable
suggestions:

In addition to the parameters we have mapping already in place, see the
doc
http://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html#user-lookup


omero.ldap.user_mapping=omeName=cn,firstName=givenName,lastName=sn,email=mail



Kind regards
Ola





On 19/06/2014 11:07, "MEYENHOFER Felix" <felix.meyenhofer at unifr.ch> wrote:

>Hi Paul
>
>thanks for letting me discover more information about the topic that I
>hadn't discovered yet.
>
>
>On 18 Jun 2014, at 20:44 , Paul van Schayck <paul at vanschayck.nl> wrote:
>> Dear Felix,
>>
>> By chance I was also looking into this issue for our setup today. As
>> we also have mixed case DN's while the users are unaware of this, and
>> normally login with whatever suits them. What I figured out is that this
>> issue has been reported before [1].
>>
>> The workaround posted there involves setting the password provider to
>> chainedPasswordProvider431 [2]. This allows you to manually (or
>> scripted, how?) set the omero loginname to for example all lowercase.
>
>I would like to avoid this kind of administrative work.
>
>> I've however also been looking if changing mapUserName() in LdapImpl
>> might be enough to workaround the problem [3]. Would changing
>> .equals() to .equalsIgnoreCase() be enough? If we guarantee that
>> within ldap never two users will exist with the same username but
>> different case.
>
>Actually I was hoping there is a way without digging into the source
>code, but after reading through your references, my impression that the
>API as it is now might not be generic enough got stronger still.
>
>Ignoring the cases might be one solution. I checked our AD logins for
>ambiguities when ignoring the cases and there was none in over 17'000
>entries. So our system admins are very careful to give each user a
>distinct login independent of upper and lower cases. My guess would be
>that it might even be considered best practice not to rely on cases for
>AD logins.
>
>But we have another issue:
>Throughout our University one can use the short name (i.e. login) or the
>e-mail address to authenticate.
>
>So my suggestion would be to extend the mapping configuration a bit:
>1) It should allow multiple attributes to look for the login
>2) The mapping of omeName should be separate from the definition of the
>attributes that are used to identify a user
>3) There should be a flag to ignore cases
>
>The following two parameters would be nice to have:
>omero.ldap.user_lookup_attributes=cn,displayName
>omero.ldap.ignore_case=true
>
>To ensure compatibility: omero.ldap.user_lookup_attributes, if not
>specified, would be equal to omeName. And ignore_case would be false per
>default.
>
>> [1] https://trac.openmicroscopy.org.uk/ome/ticket/4821
>> [2] http://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html
>> [3] https://github.com/openmicroscopy/openmicroscopy/blob/develop/components/server/src/ome/logic/LdapImpl.java#L180
>>
>> Kind regards,
>>
>> Paul
>
>Regards,
>
>Felix


The University of Dundee is a registered Scottish Charity, No: SC015096
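
Added example, not part of the thread and not OMERO code: a Python model of the lookup Felix proposes (several lookup attributes, optional case-insensitive matching, omeName mapped separately), together with the collision audit he describes running against AD. The directory entries, the function names and the choice to reject ambiguous matches are assumptions of this example; `user_lookup_attributes` and `ignore_case` are the proposed settings from the thread, not existing OMERO options.

```python
from collections import defaultdict

# Constructed directory entries for illustration (not real accounts).
ENTRIES = [
    {"dn": "cn=JDoe,ou=people,dc=example,dc=org",
     "cn": "JDoe", "mail": "John.Doe@example.org"},
    {"dn": "cn=asmith,ou=people,dc=example,dc=org",
     "cn": "asmith", "mail": "a.smith@example.org"},
    {"dn": "cn=ASmith,ou=people,dc=example,dc=org",
     "cn": "ASmith", "mail": "alice.smith@example.org"},
]


class AmbiguousLogin(Exception):
    """More than one directory entry matches the supplied login."""


def _norm(value, ignore_case):
    # casefold() is Unicode-aware lowercasing, safer than lower() for names.
    return value.casefold() if ignore_case else value


def find_collisions(entries, lookup_attrs, ignore_case=True):
    """Audit: return {normalized login: sorted DNs} claimed by more than one entry."""
    owners = defaultdict(set)
    for entry in entries:
        for attr in lookup_attrs:
            if entry.get(attr):
                owners[_norm(entry[attr], ignore_case)].add(entry["dn"])
    return {login: sorted(dns) for login, dns in owners.items() if len(dns) > 1}


def resolve_login(entries, login, lookup_attrs, ome_name_attr="cn",
                  ignore_case=False):
    """Map a typed login to the stored omeName, or None if nothing matches."""
    if not login:
        return None  # never let an empty login match a missing attribute
    wanted = _norm(login, ignore_case)
    hits = [e for e in entries
            if any(e.get(a) and _norm(e[a], ignore_case) == wanted
                   for a in lookup_attrs)]
    if len(hits) > 1:
        # Fail closed: do not guess which account the credentials belong to.
        raise AmbiguousLogin(login)
    # Return the directory's own spelling so one person maps to one account.
    return hits[0][ome_name_attr] if hits else None
```

Running `find_collisions` over the real directory before enabling case-insensitive matching is the same check Felix reports doing by hand; an empty result means no two entries would become indistinguishable.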


