Red Hat Bugzilla – Bug 1271482
openshift-master: user names may not contain "/"
Last modified: 2018-01-08 16:43:14 EST
Description of problem:
Currently, OpenShift Enterprise will not authenticate users that have a "/" in the username.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. configure LDAP authentication
2. create a LDAP user with a forward slash in the name (CN="test/user")
3. try to authenticate
Authentication fails with error: name may not contain "/"
It is possible to define such Common Names in Windows Active Directory 2000+ and there are existing deployments with users already in this format.
This is a limitation of our backing storage that does not allow slashes in names. That means that the `attributes.preferredUsername` cannot currently be pointed at an attribute that contains slashes or you will get that error.
@liggitt do you want to provide a user defined mapping like we've described for the ldap group sync? Support a golang template for deconflicting? Something else more clever?
Assigning to jliggitt while he considers it.
The only usage of / in Active Directory I've seen is a non-normalized form of DOMAIN\username
With your setup, are you able to log in both as test\user and test/user?
I just created a test setup with username testuserwith/slashes.
I'm able to log in as email@example.com or DEMO\testuserwith_slashes which is set as the pre-windows 2000 login name.
The variant testuserwith\slashes will not work as this treats the first word as domain name.
Yes, it is simple to reproduce (log in with username "foo/bar" with the AllowAnyPassword identity provider).
The question is whether we will allow usernames with forward slashes (unlikely), or map identities with forward-slashes in their preferred usernames to a different character.
> The question is whether we will allow usernames with forward slashes (unlikely), or map identities with forward-slashes in their preferred usernames to a different character.
I'm against value-space compression unless we make it configurable in some way. golang templates can do it.
Usernames containing '/' will not be supported. We may support automatically mapping the '/' character to a different character in the future. The workaround would be to specify a different LDAP attribute as the preferred username, whose values do not contain a '/' character (for example, "sAMAccountName", which would populate OpenShift with the "DEMO\testuserwith_slashes" form).
To clarify, OpenShift usernames containing '/' would not be supported. Identity provider usernames containing '/' may be supported in the future by automatically mapping the '/' character to a different character when determining the OpenShift username.
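The workaround described in the comments above, shown as an added configuration example (not part of the original bug thread and not taken from OpenShift's own documentation): an OpenShift 3.x `master-config.yaml` `LDAPPasswordIdentityProvider` whose `attributes.preferredUsername` is first pointed at `cn` (the setting that triggers the `name may not contain "/"` error when CNs like `test/user` exist) and then at `sAMAccountName` as the thread suggests. The provider name, bind DN, CA file, LDAP URL and search base are assumed placeholder values.

```yaml
oauthConfig:
  identityProviders:
  # Problematic setting: preferredUsername taken from "cn".
  # Any directory entry with a CN such as "test/user" fails login with
  #   name may not contain "/"
  # because the OpenShift user object cannot be stored under that name.
  - name: ldap_cn_username            # assumed provider name
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - cn                          # <- source of the "/" problem
      bindDN: "cn=svc-openshift,ou=service,dc=example,dc=com"   # assumed
      bindPassword: "REPLACE_ME"                                   # placeholder
      ca: ldap-ca-bundle.crt                                       # assumed CA file
      insecure: false
      url: "ldaps://ad.example.com:636/ou=users,dc=example,dc=com?cn"   # assumed

  # Workaround from the thread: derive the OpenShift username from an
  # attribute whose values never contain "/". The identity is still keyed
  # on the DN, so the same directory account maps to the same identity.
  - name: ldap_samaccountname          # assumed provider name
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - sAMAccountName              # <- no "/" in these values
      bindDN: "cn=svc-openshift,ou=service,dc=example,dc=com"   # assumed
      bindPassword: "REPLACE_ME"                                   # placeholder
      ca: ldap-ca-bundle.crt                                       # assumed CA file
      insecure: false
      url: "ldaps://ad.example.com:636/ou=users,dc=example,dc=com?sAMAccountName"   # assumed
```

Only one of the two providers would normally be present in a real master configuration; both are listed here so the weak and the corrected setting can be compared side by side. Before switching the attribute on an existing cluster, check that `sAMAccountName` is populated for every account that needs to log in and that `mappingMethod: claim` does not collide with users already created under the old username form, since with `claim` a second identity cannot claim a username that is already taken.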
Jordan, thanks for the info.
Does this mean users would be able to at least log in using a username containing a "/"? Or no forward slashes at all within OpenShift?
If a mapping was added, users could log in with a username containing "/", but their openshift username would not contain a "/"