Task #4821 (new)

Opened 13 years ago

Last modified 10 years ago

LDAP: Improve username case sensitivity support — at Version 5

Reported by: jamoore Owned by:
Priority: major Milestone: OMERO-Beta4.4.1
Component: Security Version: 5.0.2
Keywords: n.a. Cc: jburel, jamoore, CJW@…, cblackburn, bpindelski, mtbcarroll, pwalczysko
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: n.a.
Sprint: n.a.

Description (last modified by atarkowska)

OMERO is currently quite strict with regard to LDAP username enforcement:

    /**
     * Mapping a username to an {@link Experimenter}. This handles checking the
     * username for case exactness. This should be done at the LDAP level, but
     * Apache DS (the testing framework used) does not yet support :caseExactMatch:.
     *
     * When it does, the check here can be removed.
     *
     * @param username
     * @param mapper
     * @return a non null Experimenter.
     * @see ticket:2557
     */
    private Experimenter mapUserName(String username, PersonContextMapper mapper) {
        Filter filter = config.usernameFilter(username);
        List<Experimenter> p = ldap.search("", filter.encode(), mapper);

        if (p.size() == 1 && p.get(0) != null) {
            Experimenter e = p.get(0);
            if (e.getOmeName().equals(username)) {
                return p.get(0);
            }
        }
        throw new ApiUsageException(
                    "Cannot find unique DistinguishedName: found=" + p.size());

    }

There should perhaps be a flag to optionally allow users to "mis-capitalize" their names. However, there will then need to be a case-insensitive UNIQUE constraint on the experimenter.omeName column.

See: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-March/002587.html


So my suggestion would be to extend the mapping configuration a bit:
1) It should allow multiple attributes to look for the login
2) The mapping of omeName should be separate from the definition of the attributes that are used to identify a user
3) There should be a flag to ignore cases

The following two parameters would be nice to have:
omero.ldap.user_lookup_attributes=cn,displayName
omero.ldap.ignore_case=true

To ensure compatibility: omero.ldap.user_lookup_attributes, if not specified, would be equal to omeName, and ignore_case would be false by default.

See: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2014-June/004517.html
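As an added illustration (not OMERO code), the following Python model reproduces the exact-case check in mapUserName() above and the ignore_case / user_lookup_attributes behaviour proposed in the quoted mail; the directory entries and the function names are constructed, and it also includes the pre-flight check for existing omeNames that differ only by case, which would collide under the case-insensitive UNIQUE constraint the ticket calls for.

```python
from collections import defaultdict

# Constructed directory: dn -> attributes. Each entry carries the attribute that
# OMERO maps to omeName plus a displayName. LDAP equality on these attributes
# is normally case-insensitive, so the server returns hits whatever the case.
DIRECTORY = {
    "cn=jdoe,ou=people,dc=example,dc=org":   {"omeName": "jdoe",   "displayName": "John Doe"},
    "cn=JDoe,ou=people,dc=example,dc=org":   {"omeName": "JDoe",   "displayName": "J. Doe"},
    "cn=asmith,ou=people,dc=example,dc=org": {"omeName": "asmith", "displayName": "Ann Smith"},
}

def ldap_search(username, lookup_attributes=("omeName",)):
    """Simulate the filter (|(attr1=login)(attr2=login)...) with the
    case-insensitive equality most directories use (no caseExactMatch)."""
    login = username.casefold()
    return [dn for dn, attrs in DIRECTORY.items()
            if any(attrs.get(a, "").casefold() == login for a in lookup_attributes)]

def map_user_name(username, ignore_case=False, lookup_attributes=("omeName",)):
    """Return the single DN for `username` or raise ValueError, mirroring the
    ticket's mapUserName(). ignore_case=False is today's rule: exactly one
    hit AND its omeName equals the login character for character. With
    ignore_case=True a differently capitalised login is accepted, but more
    than one hit is still refused: the login would be ambiguous, which is
    why a case-insensitive UNIQUE constraint on experimenter.omeName is
    needed before the flag can be turned on."""
    hits = ldap_search(username, lookup_attributes)
    if len(hits) == 1:
        if ignore_case or DIRECTORY[hits[0]]["omeName"] == username:
            return hits[0]
    raise ValueError(f"Cannot find unique DistinguishedName: found={len(hits)}")

def case_collisions(ome_names):
    """Groups of existing omeNames that differ only by case. Run this over the
    experimenter table before enabling ignore_case: each group is a set of
    accounts that would become indistinguishable at login."""
    groups = defaultdict(list)
    for name in ome_names:
        groups[name.casefold()].append(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    print(map_user_name("asmith"))                    # exact match: accepted
    print(map_user_name("ASMITH", ignore_case=True))  # accepted only with the flag
    print(case_collisions(a["omeName"] for a in DIRECTORY.values()))  # [['JDoe', 'jdoe']]
```

Note that with both "jdoe" and "JDoe" in the directory, even the correctly capitalised login "jdoe" fails in strict mode, because the case-insensitive server-side search already returns two hits; that is the situation the Java comment about caseExactMatch refers to.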

Change History (5)

comment:1 Changed 13 years ago by jmoore

  • Cc CJW@… sylittlewood added
  • Milestone changed from Unscheduled to OME-5.0
  • Priority changed from minor to major

Work on #6248 broke the workaround which Chris Wood had put into place for this issue. (See http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-September/002808.html) I'm moving this to "OME-5.0", i.e. the next version, so that we can add a backwards compatible ldapPasswordProvider as we should have done when fixing #6248. e.g.:

  <bean id="431chainedPasswordProvider" ... > <!-- previous logic -->

  <bean id="chainedPasswordProvider" ...> <!-- 4.3.2 logic -->

I've pushed a workaround to my "ldap-4821" branch: https://github.com/joshmoore/openmicroscopy/tree/ldap-4821

comment:3 Changed 12 years ago by jmoore

  • Milestone changed from OMERO-Beta4.4 to OMERO-Beta4.4.1

Won't be changed for 4.4.0

comment:4 Changed 12 years ago by jmoore

Referencing ticket #8344 has changed sprint.

comment:5 Changed 10 years ago by atarkowska

  • Description modified (diff)
  • Version set to 5.0.2