Task #4821 (closed)
Opened 13 years ago
Closed 10 years ago
LDAP: Improve username case sensitivity support
| Reported by: | jamoore | Owned by: | bpindelski |
|---|---|---|---|
| Priority: | critical | Milestone: | 5.1.0-m2 |
| Component: | Security | Version: | 5.0.2 |
| Keywords: | n.a. | Cc: | jburel, jamoore, CJW@…, cblackburn, bpindelski, mtbcarroll, pwalczysko |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | n.a. |
| Sprint: | n.a. | | |
Description (last modified by atarkowska)
OMERO is currently quite strict with regard to LDAP username enforcement:
```java
/**
 * Mapping a username to an {@link Experimenter}. This handles checking the
 * username for case exactness. This should be done at the LDAP level, but
 * Apache DS (the testing framework used) does not yet support :caseExactMatch:.
 *
 * When it does, the check here can be removed.
 *
 * @param username
 * @param mapper
 * @return a non null Experimenter.
 * @see ticket:2557
 */
private Experimenter mapUserName(String username, PersonContextMapper mapper) {
    Filter filter = config.usernameFilter(username);
    List<Experimenter> p = ldap.search("", filter.encode(), mapper);
    if (p.size() == 1 && p.get(0) != null) {
        Experimenter e = p.get(0);
        if (e.getOmeName().equals(username)) {
            return p.get(0);
        }
    }
    throw new ApiUsageException(
            "Cannot find unique DistinguishedName: found=" + p.size());
}
```
There should perhaps be a flag to optionally allow users to "mis-capitalize" their names. However, then there will need to be a case-insensitive UNIQUE constraint on the experimenter.omeName table.
See: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-March/002587.html
So my suggestion would be to extend the mapping configuration a bit:
- It should allow multiple attributes to look for the login
- The mapping of omeName should be separate from the definition of the attributes that are used to identify a user
- There should be a flag to ignore cases
The following two parameters would be nice to have:
```
omero.ldap.user_lookup_attributes=cn,displayName
omero.ldap.ignore_case=true
```
To ensure compatibility, omero.ldap.user_lookup_attributes, if not specified, would be equal to omeName, and ignore_case would be false by default.
See: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2014-June/004517.html
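The lookup the description proposes, as an added example that is not OMERO's own code: a stand-alone Java sketch that reads the two proposed parameters, matches the login against several attributes, and refuses any login that resolves to more than one entry, which is the ambiguity behind the description's remark about a case-insensitive UNIQUE constraint. The class name, the map-based directory stand-in and the sample accounts are constructed for illustration; OMERO's real PasswordProvider, Spring LDAP search and Experimenter mapping are not used.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

/** Added example, not OMERO code: models the two parameters proposed in the ticket. */
public class LdapLoginMapper {
    private final List<String> lookupAttributes; // omero.ldap.user_lookup_attributes
    private final boolean ignoreCase;            // omero.ldap.ignore_case

    /** The ticket's proposed defaults are ("omeName", false), i.e. today's exact check. */
    LdapLoginMapper(String lookupAttributes, boolean ignoreCase) {
        this.lookupAttributes = Arrays.asList(lookupAttributes.split("\\s*,\\s*"));
        this.ignoreCase = ignoreCase;
    }

    private boolean same(String stored, String login) {
        return stored != null && (ignoreCase ? stored.equalsIgnoreCase(login) : stored.equals(login));
    }

    /** Entries are attribute -> value maps (stand-ins for LDAP hits). Returns the omeName of the
     *  single entry a lookup attribute identifies, else throws: entries differing only by case, or
     *  reached via different attributes, are ambiguous until omeName is unique case-insensitively. */
    String mapUserName(List<Map<String, String>> directory, String login) {
        List<Map<String, String>> hits = new ArrayList<>();
        for (Map<String, String> entry : directory) {
            for (String attr : lookupAttributes) {
                if (same(entry.get(attr), login)) { hits.add(entry); break; }
            }
        }
        if (hits.size() == 1) return hits.get(0).get("omeName");
        throw new IllegalArgumentException("Cannot find unique DistinguishedName: found=" + hits.size());
    }

    public static void main(String[] args) {
        // Constructed sample directory, not real accounts; the last two entries differ only by case.
        List<Map<String, String>> dir = Arrays.asList(
            Map.of("cn", "JSmith", "displayName", "John Smith", "omeName", "JSmith"),
            Map.of("cn", "aperez", "omeName", "aperez"),
            Map.of("cn", "APerez", "omeName", "APerez"));
        LdapLoginMapper strict = new LdapLoginMapper("omeName", false);
        LdapLoginMapper lax = new LdapLoginMapper("cn,displayName", true);
        System.out.println(lax.mapUserName(dir, "jsmith"));     // resolved via cn, any capitalisation
        System.out.println(lax.mapUserName(dir, "John Smith")); // resolved via displayName
        try { strict.mapUserName(dir, "jsmith"); }              // strict rejects a mis-capitalised login
        catch (IllegalArgumentException ex) { System.out.println(ex.getMessage()); }
        try { lax.mapUserName(dir, "aperez"); }                 // lax cannot choose between the case-variant pair
        catch (IllegalArgumentException ex) { System.out.println(ex.getMessage()); }
    }
}
```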
Change History (17)
comment:1 Changed 13 years ago by jmoore
- Cc CJW@… sylittlewood added
- Milestone changed from Unscheduled to OME-5.0
- Priority changed from minor to major
comment:2 Changed 12 years ago by jmoore
comment:3 Changed 12 years ago by jmoore
- Milestone changed from OMERO-Beta4.4 to OMERO-Beta4.4.1
Won't be changed for 4.4.0
comment:4 Changed 12 years ago by jmoore
Referencing ticket #8344 has changed sprint.
comment:5 Changed 10 years ago by atarkowska
- Description modified (diff)
- Version set to 5.0.2
comment:6 Changed 10 years ago by atarkowska
- Description modified (diff)
comment:7 Changed 10 years ago by atarkowska
- Cc jburel jamoore added; saloynton sylittlewood removed
- Milestone changed from 5.x to 5.1.0-m1
- Owner set to bpindelski
- Priority changed from major to critical
comment:8 Changed 10 years ago by atarkowska
This issue became critical for Virtual Microscope. People just do not remember about capital initials.
LDAP/AD offer case insensitivity as an option. In UoD all LDAP and AD systems are case insensitive, where only one entry is allowed for a username with a mix of upper and lower case (example: CN=JSmith, ou=...). Unfortunately the current PasswordProvider and OMERO username mapping are not designed to deal with insensitivity.
Initially discussed with @bpindelski
comment:9 Changed 10 years ago by atarkowska
LDAP usecase:
- CN=JSmith, user should be able to log in as jsmith, JSMITH, etc.
OMERO user usecase:
- if omero.case.insensitive = true, the usernames jsmith, JSMITH, etc. should be only one user in the DB.
comment:10 Changed 10 years ago by jamoore
- Cc cblackburn bpindelski mtbcarroll pwalczysko added; cxallan removed
- Milestone changed from 5.1.0-m1 to 5.1.0-m2
Chatted to Blazej briefly. +1 for making an initial configuration option which will simply disable the hard-coded case check in OMERO, leaving it enabled by default. That should hopefully get Ola what she needs for testing on the virtual microscope system. After that, we'll likely need to come back to the testing issue for LDAP knowing that any change to the default configuration tends to have a huge impact.
Moving to m2 since m1 is likely to happen very, very soon.
comment:11 Changed 10 years ago by bpindelski
Initial work started on https://github.com/bpindelski/openmicroscopy/tree/4821_ldap_case.
comment:12 Changed 10 years ago by bpindelski
comment:13 Changed 10 years ago by bpindelski
- Summary changed from LDAP: Improve username case senitivity support to LDAP: Improve username case sensitivity support
comment:14 Changed 10 years ago by bpindelski
Initial PR now open https://github.com/openmicroscopy/openmicroscopy/pull/3078.
comment:15 Changed 10 years ago by bpindelski
Second part (user_lookup_attributes) of this ticket is being developed on https://github.com/bpindelski/openmicroscopy/commits/4821_lookup_attrs. One blocker present, which has been described in the commit message.
comment:16 Changed 10 years ago by bpindelski
This ticket could be closed as it stands. The major part mentioned in the title (case sensitivity) is now an experimental feature in the mainline. The configurable lookup attributes might not be possible until a bigger review of the password provider API happens (and reliance on "omeName" is reduced).
comment:17 Changed 10 years ago by bpindelski
- Resolution set to fixed
- Status changed from new to closed
Closing. Remaining task moved to https://trac.openmicroscopy.org.uk/ome/ticket/12604.
Work on #6248 broke the workaround which Chris Wood had put into place for this issue. (See http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-September/002808.html) I'm moving this to "OME-5.0" i.e. the next version, so that we can add a backwards compatible ldapPasswordProvider as we should have done when fixing #6248. E.g:
I've pushed a workaround to my "ldap-4821" branch: https://github.com/joshmoore/openmicroscopy/tree/ldap-4821