Task #4821 (new)
Opened 13 years ago
Last modified 10 years ago
LDAP: Improve username case sensitivity support — at Version 5
| Reported by: | jamoore | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | OMERO-Beta4.4.1 |
| Component: | Security | Version: | 5.0.2 |
| Keywords: | n.a. | Cc: | jburel, jamoore, CJW@…, cblackburn, bpindelski, mtbcarroll, pwalczysko |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | n.a. |
| Sprint: | n.a. | | |
Description (last modified by atarkowska)
OMERO is currently quite strict with regard to LDAP username enforcement:
```java
/**
 * Mapping a username to an {@link Experimenter}. This handles checking the
 * username for case exactness. This should be done at the LDAP level, but
 * Apache DS (the testing framework used) does not yet support :caseExactMatch:.
 *
 * When it does, the check here can be removed.
 *
 * @param username
 * @param mapper
 * @return a non null Experimenter.
 * @see ticket:2557
 */
private Experimenter mapUserName(String username, PersonContextMapper mapper) {
    Filter filter = config.usernameFilter(username);
    List<Experimenter> p = ldap.search("", filter.encode(), mapper);
    if (p.size() == 1 && p.get(0) != null) {
        Experimenter e = p.get(0);
        if (e.getOmeName().equals(username)) {
            return p.get(0);
        }
    }
    throw new ApiUsageException(
            "Cannot find unique DistinguishedName: found=" + p.size());
}
```
There should perhaps be a flag to optionally allow users to "mis-capitalize" their names. However, there would then need to be a case-insensitive UNIQUE constraint on the experimenter.omeName table.
See: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-March/002587.html
So my suggestion would be to extend the mapping configuration a bit:
1) I should allow multiple attributes to look for the login
2) The mapping of omeName should be separate from the definition of the attributes that are used to identify a user
3) There should be a flag to ignore cases
The following two parameters would be nice to have:

```properties
omero.ldap.user_lookup_attributes=cn,displayName
omero.ldap.ignore_case=true
```

To ensure compatibility, omero.ldap.user_lookup_attributes, if not specified, would default to omeName, and ignore_case would be false by default.
See: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2014-June/004517.html
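An added example, not OMERO's own code, of the lookup above with the proposed ignore_case flag together with the uniqueness check that the description says a case-insensitive UNIQUE constraint on omeName would otherwise have to enforce. The LDAP search is replaced by a constructed in-memory list of omeName values, and the class and method names are assumed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example, not OMERO code: models the lookup in this ticket with the
// proposed omero.ldap.ignore_case flag, plus the check that a case-insensitive
// UNIQUE constraint on experimenter.omeName would otherwise enforce.
public class CaseInsensitiveLogin {

    // Stand-in for ldap.search(): cn-style attributes normally use
    // caseIgnoreMatch, so the directory returns entries regardless of case.
    static List<String> search(List<String> directory, String username) {
        List<String> hits = new ArrayList<>();
        for (String omeName : directory) {
            if (omeName.equalsIgnoreCase(username)) hits.add(omeName);
        }
        return hits;
    }

    // ignoreCase=false keeps the ticket's exact check; ignoreCase=true accepts
    // a mis-capitalised login but still demands exactly one candidate, so two
    // accounts differing only by case are rejected rather than confused.
    static String mapUserName(List<String> directory, String username, boolean ignoreCase) {
        List<String> p = search(directory, username);
        if (p.size() != 1) {
            throw new IllegalStateException("Cannot find unique DistinguishedName: found=" + p.size());
        }
        if (ignoreCase || p.get(0).equals(username)) return p.get(0);
        throw new IllegalStateException("Username case mismatch: " + username);
    }

    // Lists omeNames that collide once case is ignored; run this against the
    // existing experimenter table before enabling ignore_case.
    static List<String> caseCollisions(List<String> directory) {
        List<String> seenLower = new ArrayList<>();
        List<String> collisions = new ArrayList<>();
        for (String omeName : directory) {
            String lower = omeName.toLowerCase(Locale.ROOT);
            if (seenLower.contains(lower)) collisions.add(omeName); else seenLower.add(lower);
        }
        return collisions;
    }

    public static void main(String[] args) {
        List<String> dir = List.of("jsmith", "JSmith", "cwood"); // constructed sample
        System.out.println("collisions: " + caseCollisions(dir));
        System.out.println("CWood -> " + mapUserName(dir, "CWood", true));
        try { mapUserName(dir, "JSmith", true); }
        catch (IllegalStateException ex) { System.out.println("JSmith: " + ex.getMessage()); }
    }
}
```

With the flag on, "CWood" resolves to the single account "cwood", while "JSmith" is refused because two stored names differ only by case; caseCollisions() finds exactly those pairs ahead of time.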
Change History (5)
comment:1 Changed 13 years ago by jmoore
- Cc CJW@… sylittlewood added
- Milestone changed from Unscheduled to OME-5.0
- Priority changed from minor to major

Work on #6248 broke the workaround which Chris Wood had put into place for this issue. (See http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-September/002808.html) I'm moving this to "OME-5.0" i.e. the next version, so that we can add a backwards compatible ldapPasswordProvider as we should have done when fixing #6248. E.g:

comment:2 Changed 12 years ago by jmoore

I've pushed a workaround to my "ldap-4821" branch: https://github.com/joshmoore/openmicroscopy/tree/ldap-4821

comment:3 Changed 12 years ago by jmoore
- Milestone changed from OMERO-Beta4.4 to OMERO-Beta4.4.1

Won't be changed for 4.4.0

comment:4 Changed 12 years ago by jmoore

Referencing ticket #8344 has changed sprint.

comment:5 Changed 10 years ago by atarkowska
- Description modified (diff)
- Version set to 5.0.2