Bug 586435 - Request case sensitive/insensitive option for LDAP Configuration
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Configuration
Version: 1.3.1
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Simeon Pinder
QA Contact: Satish Mohan
URL:
Whiteboard:
Depends On:
Blocks: jon24-ldap 578348
Reported: 2010-04-27 15:00 UTC by dsteigne
Modified: 2018-10-27 16:11 UTC (History)

Fixed In Version: 2.4
Clone Of:
Environment:
Last Closed: 2010-08-12 16:46:04 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 535603 0 medium CLOSED LDAP case insensitive authentication may lead to unwanted users 2021-02-22 00:41:40 UTC

Internal Links: 535603

Description dsteigne 2010-04-27 15:00:59 UTC
Description of problem:
 
My client has their JON setup to authenticate against an MS Active Directory.  Their AD server is configured for case insensitive user accounts (u123 & U123 are the same).  When a user attempts to login with the alternate capitalization, then they are prompted to register another JON account.

There should be an option for JON accounts to be case insensitive to match the LDAP server's configuration.


Comment 1 Simeon Pinder 2010-04-30 13:23:57 UTC
I have reproduced this and found that this has been a reported problem for a while.  See http://jira.rhq-project.org/browse/RHQ-2281 for earlier reported bug on this.

The problem can be summarized as follows:
In RHQ both 'username' and 'password' fields are case sensitive. For ldap the 'userid' field which maps to RHQ 'username' is case insensitive by default and has been that way for LDAP for a while. See excerpt below:  

------------ LDAP SCHEMA EXCERPT------------------------------------
#
# Derived from RFC1274, but with new "short names"
#
attributetype ( 0.9.2342.19200300.100.1.1
   NAME ( 'uid' 'userid' )
   DESC 'RFC1274: user identifier'
   EQUALITY caseIgnoreMatch
   SUBSTR caseIgnoreSubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
------------ LDAP SCHEMA EXCERPT------------------------------------

Solution: The solution is not to make usernames case insensitive throughout RHQ, but to modify the LDAP RHQ integration code to ignore case when LDAP logins are occurring.  This means that when an ldap user logs in now with "Test.User" but they have already logged in as "test.user" before, the code will locate the previous RHQ account, log the occurrence and attempt to login again with those same credentials.

This has been fixed in master builds >= 272, with 

git commit hash: 14371b8ab9271598d798b32f236a4fed586ff491

To test:
Login with ldap username "test.user" and register.
Login again with ldap username "TEST.user". Your login name should be test.user and not require you to login as a new RHQ user.
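
The account lookup described in Comment 1, sketched as an added example: this is not RHQ's code and not the change in the commit referenced above. All function names and the account list are hypothetical, and `casefold()` only approximates the directory's `caseIgnoreMatch` rule. It ignores case only for LDAP-authenticated logins and refuses to guess when two existing accounts differ only by case.

```python
import logging
from typing import Iterable, Optional

log = logging.getLogger("ldap_login_example")


class AmbiguousAccountError(Exception):
    """More than one local account differs from the login only by case."""


def normalize_uid(value: str) -> str:
    # Approximation of LDAP caseIgnoreMatch for 'uid': fold case and collapse
    # whitespace. A directory server applies the full RFC 4518 string
    # preparation, which this sketch does not implement.
    return " ".join(value.split()).casefold()


def resolve_local_username(login: str, local_usernames: Iterable[str],
                           ldap_authenticated: bool) -> Optional[str]:
    """Return the existing local account to use for this login, or None when
    no account exists yet and registration is needed."""
    names = list(local_usernames)
    if login in names:              # an exact match always wins
        return login
    if not ldap_authenticated:      # non-LDAP usernames stay case sensitive
        return None
    wanted = normalize_uid(login)
    matches = [n for n in names if normalize_uid(n) == wanted]
    if not matches:
        return None
    if len(matches) > 1:
        # Duplicates registered before the fix: do not pick one silently,
        # the accounts may carry different roles.
        raise AmbiguousAccountError(f"{login!r} matches {sorted(matches)}")
    log.info("LDAP login %r mapped to existing account %r", login, matches[0])
    return matches[0]


# Constructed sample data, not taken from a real system.
ACCOUNTS = ["test.user", "rhqadmin", "jdoe", "JDoe"]
```
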

Comment 2 gneelaka@redhat.com 2010-05-03 14:16:42 UTC
verified #123 Revision 10615

1) Login to rhq as LDAP user test.
2) Register the user in RHQ.
3) Logout and login LDAP user with below combinations

a)Test
b)TEST
c)tesT


observation: Login is successful without being asked for another registration for all the combinations.

Comment 4 Corey Welton 2010-08-12 16:46:04 UTC
Mass-closure of verified bugs against JON.

