Task #4821 (closed)

Opened 13 years ago

Closed 9 years ago

LDAP: Improve username case sensitivity support

Reported by: jamoore Owned by: bpindelski
Priority: critical Milestone: 5.1.0-m2
Component: Security Version: 5.0.2
Keywords: n.a. Cc: jburel, jamoore, CJW@…, cblackburn, bpindelski, mtbcarroll, pwalczysko
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: n.a.
Sprint: n.a.

Description (last modified by atarkowska)

OMERO is currently quite strict with regard to LDAP username enforcement:

    /**
     * Mapping a username to an {@link Experimenter}. This handles checking the
     * username for case exactness. This should be done at the LDAP level, but
     * Apache DS (the testing framework used) does not yet support :caseExactMatch:.
     *
     * When it does, the check here can be removed.
     *
     * @param username
     * @param mapper
     * @return a non null Experimenter.
     * @see ticket:2557
     */
    private Experimenter mapUserName(String username, PersonContextMapper mapper) {
        Filter filter = config.usernameFilter(username);
        List<Experimenter> p = ldap.search("", filter.encode(), mapper);

        if (p.size() == 1 && p.get(0) != null) {
            Experimenter e = p.get(0);
            if (e.getOmeName().equals(username)) {
                return p.get(0);
            }
        }
        throw new ApiUsageException(
                    "Cannot find unique DistinguishedName: found=" + p.size());

    }

There should perhaps be a flag to optionally allow users to "mis-capitalize" their names. However, there will then need to be a case-insensitive UNIQUE constraint on the experimenter.omeName table.

See: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-March/002587.html


So my suggestion would be to extend the mapping configuration a bit:

  • I should allow multiple attributes to look for the login
  • The mapping of omeName should be separate from the definition of the attributes that are used to identify a user
  • There should be a flag to ignore cases

The following two parameters would be nice to have:
omero.ldap.user_lookup_attributes=cn,displayName
omero.ldap.ignore_case=true

To ensure compatibility, omero.ldap.user_lookup_attributes, if not specified, would be equal to omeName, and ignore_case would be false by default.

See: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2014-June/004517.html

Change History (17)

comment:1 Changed 13 years ago by jmoore

  • Cc CJW@… sylittlewood added
  • Milestone changed from Unscheduled to OME-5.0
  • Priority changed from minor to major

Work on #6248 broke the workaround which Chris Wood had put into place for this issue. (See http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-September/002808.html) I'm moving this to "OME-5.0" i.e. the next version, so that we can add a backwards compatible ldapPasswordProvider as we should have done when fixing #6248. E.g:

  <bean id="431chainedPasswordProvider" ... > <!-- previous logic -->

  <bean id="chainedPasswordProvider" ...> <!-- 4.3.2 logic -->

I've pushed a workaround to my "ldap-4821" branch: https://github.com/joshmoore/openmicroscopy/tree/ldap-4821

comment:3 Changed 12 years ago by jmoore

  • Milestone changed from OMERO-Beta4.4 to OMERO-Beta4.4.1

Won't be changed for 4.4.0

comment:4 Changed 12 years ago by jmoore

Referencing ticket #8344 has changed sprint.

comment:5 Changed 10 years ago by atarkowska

  • Description modified (diff)
  • Version set to 5.0.2

comment:6 Changed 10 years ago by atarkowska

  • Description modified (diff)

comment:7 Changed 10 years ago by atarkowska

  • Cc jburel jamoore added; saloynton sylittlewood removed
  • Milestone changed from 5.x to 5.1.0-m1
  • Owner set to bpindelski
  • Priority changed from major to critical

comment:8 Changed 10 years ago by atarkowska

This issue became critical for Virtual Microscope. People just do not remember capital initials.

LDAP/AD offer case insensitivity as an option. In UoD all LDAP and AD systems are case insensitive, and only one entry per username, with a mix of upper and lower case, is allowed (example: CN=JSmith, ou=...). Unfortunately the current PasswordProvider and OMERO username mapping are not designed to deal with insensitivity.

Initially discussed with @bpindelski

comment:9 Changed 10 years ago by atarkowska

LDAP usecase:

  • CN=JSmith, user should be able to log in as jsmith, JSMITH, etc.

OMERO user usecase:

  • if omero.case.insensitive = true, the usernames jsmith, JSMITH, etc. should be only one user in the DB.
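As an added example, not code from OMERO or from anyone on this ticket, the following Java sketch covers both the description above and the use cases in comment:9: the description's mapUserName with the hard-coded case check made optional, and the case-insensitive uniqueness rule on omeName that such a flag requires. The ignoreCase parameter stands for the proposed omero.ldap.ignore_case option (a name taken from the description, not a shipped configuration key); Experimenter, the directory search, the experimenter table and the CN=JSmith sample entry are constructed stand-ins.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added example, not OMERO code: mapUserName from the ticket with the hard-coded
// case check made optional, plus the case-insensitive uniqueness rule on omeName
// that the option requires. Experimenter, the directory and the table are stand-ins.
public class CaseMappingExample {

    // Stand-in for ome.model.meta.Experimenter; only omeName is needed here.
    static final class Experimenter {
        private final String omeName;
        Experimenter(String omeName) { this.omeName = omeName; }
        String getOmeName() { return omeName; }
    }

    // Constructed directory search. Like AD and most LDAP servers (caseIgnoreMatch
    // on cn) it ignores case; OMERO's exactness check in mapUserName sits on top.
    static List<Experimenter> ldapSearch(List<Experimenter> directory, String username) {
        List<Experimenter> hits = new ArrayList<>();
        for (Experimenter e : directory) {
            if (e.getOmeName().equalsIgnoreCase(username)) {
                hits.add(e);
            }
        }
        return hits;
    }

    // mapUserName from the description; ignoreCase stands for the proposed
    // omero.ldap.ignore_case flag (a name from the ticket, not a shipped property).
    static Experimenter mapUserName(List<Experimenter> directory, String username, boolean ignoreCase) {
        List<Experimenter> p = ldapSearch(directory, username);
        if (p.size() == 1 && p.get(0) != null) {
            Experimenter e = p.get(0);
            boolean nameOk = ignoreCase
                    ? e.getOmeName().equalsIgnoreCase(username)
                    : e.getOmeName().equals(username);
            if (nameOk) {
                return e;
            }
        }
        // Same message as the real code; a single case-mismatched hit reads "found=1".
        throw new IllegalArgumentException("Cannot find unique DistinguishedName: found=" + p.size());
    }

    // In-memory stand-in for the experimenter table. With ignoreCase the key is
    // lower-cased, the equivalent of a unique index on lower(omename).
    static final class ExperimenterTable {
        private final boolean ignoreCase;
        private final Map<String, Experimenter> rows = new HashMap<>();
        ExperimenterTable(boolean ignoreCase) { this.ignoreCase = ignoreCase; }
        private String key(String omeName) {
            return ignoreCase ? omeName.toLowerCase(Locale.ROOT) : omeName;
        }
        // Returns false when the uniqueness rule rejects the insert.
        boolean insert(Experimenter e) {
            return rows.putIfAbsent(key(e.getOmeName()), e) == null;
        }
        Experimenter lookup(String omeName) { return rows.get(key(omeName)); }
        int size() { return rows.size(); }
    }

    public static void main(String[] args) {
        // Constructed directory holding the single entry CN=JSmith from comment:9.
        List<Experimenter> directory = List.of(new Experimenter("JSmith"));

        // Default (strict): LDAP finds "jsmith" but the exact-case check rejects it.
        try {
            mapUserName(directory, "jsmith", false);
        } catch (IllegalArgumentException ex) {
            System.out.println("strict: " + ex.getMessage());
        }

        // Flag on: jsmith, JSMITH and JSmith all resolve to the one stored row.
        ExperimenterTable table = new ExperimenterTable(true);
        table.insert(new Experimenter("JSmith"));
        for (String login : new String[] {"jsmith", "JSMITH", "JSmith"}) {
            Experimenter row = table.lookup(mapUserName(directory, login, true).getOmeName());
            System.out.println(login + " -> " + row.getOmeName());
        }

        // The constraint the flag depends on: a case-variant duplicate row is refused.
        System.out.println("insert JSMITH accepted: " + table.insert(new Experimenter("JSMITH")));
        System.out.println("rows: " + table.size());

        // Two directory entries differing only in case stay ambiguous (found=2), flag or not.
        List<Experimenter> two = List.of(new Experimenter("JSmith"), new Experimenter("jsmith"));
        try {
            mapUserName(two, "jsmith", true);
        } catch (IllegalArgumentException ex) {
            System.out.println("ambiguous: " + ex.getMessage());
        }
    }
}
```

Compile and run with javac/java (Java 9 or later for List.of). Two behaviours are worth checking before enabling such a flag on a real deployment: the local table must refuse a second omeName that differs only in case, otherwise two accounts become one login, and a directory that itself holds two entries differing only in case must still be reported as ambiguous rather than silently resolved to either of them.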

comment:10 Changed 10 years ago by jamoore

  • Cc cblackburn bpindelski mtbcarroll pwalczysko added; cxallan removed
  • Milestone changed from 5.1.0-m1 to 5.1.0-m2

Chatted to Blazej briefly. +1 for making an initial configuration option which will simply disable the hard-coded case check in OMERO, leaving it enabled by default. That should hopefully get Ola what she needs for testing on the virtual microscope system. After that, we'll likely need to come back to the testing issue for LDAP knowing that any change to the default configuration tends to have a huge impact.

Moving to m2 since m1 is likely to happen very, very soon.

comment:13 Changed 10 years ago by bpindelski

  • Summary changed from LDAP: Improve username case senitivity support to LDAP: Improve username case sensitivity support

comment:15 Changed 9 years ago by bpindelski

Second part (user_lookup_attributes) of this ticket is being developed on https://github.com/bpindelski/openmicroscopy/commits/4821_lookup_attrs. One blocker present, which has been described in the commit message.

Last edited 9 years ago by bpindelski

comment:16 Changed 9 years ago by bpindelski

This ticket could be closed as it stands. The major part mentioned in the title (case sensitivity) is now an experimental feature in the mainline. The configurable lookup attributes might not be possible until a bigger review of the password provider API happens (and reliance on "omeName" is reduced).

comment:17 Changed 9 years ago by bpindelski

  • Resolution set to fixed
  • Status changed from new to closed

Closing. Remaining task moved to https://trac.openmicroscopy.org.uk/ome/ticket/12604.
