Closed ale-rt closed 4 years ago
NicolasGoeddel
commented
4 years ago The issue is that you can login as john.doe although the correct user name in the active directory is John.Doe. pas.plugins.ldap should reject logins using the wrong case or correct the supplied username according to the username stored in the AD before giving it to Plone.
Plone's username are case sensitive.
ale-rt
commented
4 years ago I made progress on this.
There is a method called id_for_login in node.ext.ldap that should convert the login string to the user id.
It depends on the attribute _login_attr to be set:
ipdb> users.__class__
<class 'node.ext.ldap.ugm._api.Users'>
ipdb> users.authenticate(login, pw)
u'ADMIN'
ipdb> users._login_attr = "sAMAccountName"
ipdb> users.authenticate(login, pw)
u'admin'The _login_attr attribute is not set if the id and login attributes are mapped to the same ldap attribute (in my case sAMAccountName).
https://github.com/bluedynamics/node.ext.ldap/blob/ccf746d613811f7f7f9db17d589b1b5007f85ad5/src/node/ext/ldap/ugm/_api.py#L472-L474
NicolasGoeddel
commented
4 years ago Interesting find. Indeed login and id are mapped to the same LDAP attribute. In our case the reserved keys rdn, id and login are all mapped to cn.
So do you think I simply can change the code from
if cfg.attrmap.get('login') \
and cfg.attrmap['login'] != cfg.attrmap['id']:
self._login_attr = cfg.attrmap['login']to this
if cfg.attrmap.get('login'):
self._login_attr = cfg.attrmap['login']Also does that mean this is a bug in node.ext.ldap?
Edit: I just saw you already filed an issue. I link it here for the record: https://github.com/bluedynamics/node.ext.ldap/issues/55
ale-rt
commented
4 years ago Yeah, sorry... I forgot to add the link :)
rnixx
commented
4 years ago
This is a problem because:
See also https://community.plone.org/t/pas-plugin-ldap-is-case-insensitive-but-plone-is-not/12286