Bug 1271482 - openshift-master: user names may not contain "/"
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.0.0
Severity: low
Assigned To: Jordan Liggitt
Chuan Yu
https://github.com/openshift/origin/b...
Reported: 2015-10-14 02:58 EDT by Evgheni Dereveanchin
Modified: 2016-10-31 00:51 EDT (History)
Doc Type: Bug Fix
Type: Bug

Description Evgheni Dereveanchin 2015-10-14 02:58:04 EDT
Description of problem:
Currently, OpenShift Enterprise will not authenticate users that have a "/" in the username.

Version-Release number of selected component (if applicable):
3.0.2.0

How reproducible:
Always

Steps to Reproduce:
1. configure LDAP authentication
2. create a LDAP user with a forward slash in the name (CN="test/user")
3. try to authenticate

Actual results:
Authentication fails with error: name may not contain "/"

Expected results:
Authentication successful

Additional info:
It is possible to define such Common Names in Windows Active Directory 2000+ and there are existing deployments with users already in this format.
Comment 1 David Eads 2015-10-14 11:11:33 EDT
This is a limitation of our backing storage that does not allow slashes in names.  That means that the `attributes.preferredUsername` cannot currently be pointed at an attribute that contains slashes or you will get that error.

@liggitt do you want to provide a user defined mapping like we've described for the ldap group sync?  Support a golang template for deconflicting?  Something else more clever?
Comment 2 David Eads 2015-10-14 11:42:10 EDT
Assigning to jliggitt while he considers it.
Comment 3 Jordan Liggitt 2015-10-29 10:03:23 EDT
The only usage of / in Active Directory I've seen is a non-normalized form of DOMAIN\username

With your setup, are you able to log in both as test\user and test/user?
Comment 4 Evgheni Dereveanchin 2015-10-30 07:47:36 EDT
Hello,

I just created a test setup with username testuserwith/slashes.

I'm able to log in as testuserwith/slashes@demo.lan or DEMO\testuserwith_slashes, which is set as the pre-Windows 2000 login name.

The variant testuserwith\slashes will not work as this treats the first word as domain name.
Comment 6 Jordan Liggitt 2015-11-27 15:36:46 EST
Yes, it is simple to reproduce (log in with username "foo/bar" with the AllowAnyPassword identity provider).

The question is whether we will allow usernames with forward slashes (unlikely), or map identities with forward-slashes in their preferred usernames to a different character.
Comment 7 David Eads 2015-11-30 08:21:29 EST
> The question is whether we will allow usernames with forward slashes (unlikely), or map identities with forward-slashes in their preferred usernames to a different character.
I'm against value-space compression unless we make it configurable in some way.  golang templates can do it.
Comment 9 Jordan Liggitt 2016-01-04 21:11:54 EST
Usernames containing '/' will not be supported. We may support automatically mapping the '/' character to a different character in the future. The workaround would be to specify a different LDAP attribute as the preferred username, whose values do not contain a '/' character (for example, "sAMAccountName", which would populate OpenShift with the "DEMO\testuserwith_slashes" form).
Comment 10 Jordan Liggitt 2016-01-04 21:13:03 EST
To clarify, OpenShift usernames containing '/' would not be supported. Identity provider usernames containing '/' may be supported in the future by automatically mapping the '/' character to a different character when determining the OpenShift username.
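The two options laid out in comments 9 and 10, as an added example (not code from OpenShift Origin): the "/" check the backing store enforces, choosing a different LDAP attribute as the preferred username, and the hypothetical "/"-to-other-character mapping. Function names, the assumption that attributes.preferredUsername is a list of attributes tried in order, and the LDAP entry are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrSlashInName mirrors the error from the bug report: the backing store rejects names containing "/".
var ErrSlashInName = errors.New(`name may not contain "/"`)

// ValidateOpenShiftUsername models only the "/" rule discussed in this bug.
func ValidateOpenShiftUsername(name string) error {
	if strings.Contains(name, "/") {
		return ErrSlashInName
	}
	return nil
}

// PreferredUsername returns the first configured LDAP attribute present on
// the entry (assumption: attributes.preferredUsername is a list tried in order).
func PreferredUsername(entry map[string]string, attrs []string) (string, error) {
	for _, a := range attrs {
		if v := entry[a]; v != "" {
			return v, nil
		}
	}
	return "", fmt.Errorf("no preferred-username attribute in %v", attrs)
}

// MapToOpenShiftUsername is the hypothetical mapping from comments 9 and 10: "/" in the
// identity-provider user name is rewritten to replacement, and the result must still validate.
func MapToOpenShiftUsername(idpUsername, replacement string) (string, error) {
	mapped := strings.ReplaceAll(idpUsername, "/", replacement)
	if err := ValidateOpenShiftUsername(mapped); err != nil {
		return "", err
	}
	return mapped, nil
}

func main() {
	// Constructed LDAP entry modelled on the reporter's test user.
	entry := map[string]string{"cn": "testuserwith/slashes", "sAMAccountName": "testuserwith_slashes"}
	for _, attrs := range [][]string{{"cn"}, {"sAMAccountName"}} {
		name, _ := PreferredUsername(entry, attrs)
		fmt.Printf("preferredUsername=%v -> %q: %v\n", attrs, name, ValidateOpenShiftUsername(name))
	}
	mapped, err := MapToOpenShiftUsername(entry["cn"], "_")
	fmt.Println("mapped:", mapped, err)
}
```

With cn as the preferred username the login fails with the bug's error; with sAMAccountName it passes, and the mapping turns testuserwith/slashes into testuserwith_slashes.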
Comment 11 Evgheni Dereveanchin 2016-01-21 05:54:18 EST
Jordan, thanks for the info.
Does this mean users would be able to at least log in using a username containing a "/"? Or no forward slashes at all within OpenShift?
Comment 12 Jordan Liggitt 2016-01-22 16:08:54 EST
If a mapping was added, users could log in with a username containing "/", but their OpenShift username would not contain a "/".