[Product-Developers] Too much case sensitivity (LDAPMultiPlugins, PASSSL)

Alberto Lopes alberto at alopes.com
Thu Aug 7 18:08:22 UTC 2008


Dear fellas,

I am working on a setup in which I am using a modified PASSSL and PloneLDAP
to authenticate a user using a client certificate, extracting an LDAP username
from the certificate and getting a User object from an LDAP server, searching
by the mentioned username.

Here is the problem I stumbled upon: the certificates are used for Windows
authentication (the LDAP server is an MS-AD), so the only previous use of
that username was for Windows logon. Windows does not care about case in the
user login (it does for the password).

Several users had their certificates issued with case discrepancies between
their certificates and their AD accounts (a user could have username FoO in
the AD and fOo in the certificate). 

That does not affect certificate authentication (which is done by Apache),
nor user finding by LDAPMultiPlugins, but it is an issue when I give local
roles to a user in a Plone item using the sharing display of the item.

What I understand is happening is that the username that gets compared
against the list of "local roled" users is the username from the
certificate, and they don't match (because of case differences).

So, what I think should be the solution is to make the "username
matching" case insensitive, when Plone tries to decide whether the username
matches against the other. Hopefully, maybe it is just a matter of changing
somewhere something like "if username = currentUsername" to "if
upper_case(username) = upper_case(currentUsername)".

I know this will break Plone in terms of not allowing the occurrence of
Plone users with the same characters but different cases, but that does not
bother me for two reasons: first, we are only using LDAP users and second,
I think it would be too messy anyway to allow logins JohnDoe and johndoe as
different users.

Can anyone give me a hint on which .py to change, and where?

Regards, 

Albie
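
An added example, not part of the original message and not Plone, PASSSL or LDAPMultiPlugins code: one way to handle the mismatch described above is to resolve the certificate's login to the directory's stored spelling once, before any local-role lookup, and to refuse to build the index when two accounts differ only by case. All function names and the sample data are hypothetical.

```python
class AmbiguousLogin(Exception):
    """Two directory accounts differ only by case; refuse to guess."""


def build_index(directory_logins):
    """Map casefolded login -> stored spelling, rejecting case-only collisions."""
    index = {}
    for login in directory_logins:
        key = login.casefold()
        if key in index and index[key] != login:
            raise AmbiguousLogin(f"{index[key]!r} and {login!r} collide")
        index[key] = login
    return index


def canonical_login(cert_login, index):
    """Return the directory's spelling for cert_login, or None if unknown."""
    return index.get(cert_login.casefold())


def local_roles_for(cert_login, index, local_roles):
    """Look up roles by the canonical id; unknown users get no roles."""
    user_id = canonical_login(cert_login, index)
    if user_id is None:
        return ()
    return tuple(local_roles.get(user_id, ()))


# Constructed sample data: the directory stores "FoO", the certificate says "fOo".
DIRECTORY = ["FoO", "JohnDoe"]
LOCAL_ROLES = {"FoO": ["Editor", "Reviewer"]}  # keyed by the directory spelling

if __name__ == "__main__":
    idx = build_index(DIRECTORY)
    # An exact-match lookup on the certificate spelling finds nothing.
    print(LOCAL_ROLES.get("fOo"))
    # Resolving to the directory spelling first finds the assigned roles.
    print(local_roles_for("fOo", idx, LOCAL_ROLES))
    print(local_roles_for("nobody", idx, LOCAL_ROLES))
```

Normalising at the point where the identity enters the system keeps every later comparison exact, and the collision check fails closed if the directory ever holds logins such as JohnDoe and johndoe side by side.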