Closed ale-rt closed 4 years ago
The issue is that you can log in as john.doe although the correct user name in the active directory is John.Doe. pas.plugins.ldap should reject logins using the wrong case or correct the supplied username according to the username stored in the AD before giving it to Plone.
Plone's usernames are case sensitive.
I made progress on this.
There is a method called id_for_login in node.ext.ldap that should convert the login string to the user id.
It depends on the attribute _login_attr to be set:

    ipdb> users.__class__
    <class 'node.ext.ldap.ugm._api.Users'>
    ipdb> users.authenticate(login, pw)
    u'ADMIN'
    ipdb> users._login_attr = "sAMAccountName"
    ipdb> users.authenticate(login, pw)
    u'admin'

The _login_attr attribute is not set if the id and login attributes are mapped to the same ldap attribute (in my case sAMAccountName).
https://github.com/bluedynamics/node.ext.ldap/blob/ccf746d613811f7f7f9db17d589b1b5007f85ad5/src/node/ext/ldap/ugm/_api.py#L472-L474
Interesting find. Indeed login and id are mapped to the same LDAP attribute. In our case the reserved keys rdn, id and login are all mapped to cn.
So do you think I simply can change the code from

    if cfg.attrmap.get('login') \
            and cfg.attrmap['login'] != cfg.attrmap['id']:
        self._login_attr = cfg.attrmap['login']

to this

    if cfg.attrmap.get('login'):
        self._login_attr = cfg.attrmap['login']

Also does that mean this is a bug in node.ext.ldap?
Edit: I just saw you already filed an issue. I link it here for the record: https://github.com/bluedynamics/node.ext.ldap/issues/55
Yeah, sorry... I forgot to add the link :)
This is a problem because:
See also https://community.plone.org/t/pas-plugin-ldap-is-case-insensitive-but-plone-is-not/12286
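
A simplified model of the behaviour discussed in this thread, added here as an illustration and not code from node.ext.ldap or pas.plugins.ldap: ToyDirectory, ToyUsers, the require_distinct_attrs switch and the sample entry are constructed, and the directory is assumed to match the login attribute case-insensitively. It shows the typed login coming back as the user id under the quoted condition, and the stored value coming back when the login attribute is always resolved.

```python
# Toy model only. ToyDirectory, ToyUsers and the sample data are constructed
# for illustration and are not part of node.ext.ldap.
class ToyDirectory:
    """Stands in for AD: matching ignores case, stored values keep their case."""
    def __init__(self, entries):
        self.entries = entries  # list of dicts: attribute name -> stored value

    def find(self, attr, value):
        for entry in self.entries:
            if entry.get(attr, "").lower() == value.lower():
                return entry
        return None


class ToyUsers:
    def __init__(self, directory, attrmap, passwords, require_distinct_attrs):
        self.directory, self.attrmap, self.passwords = directory, attrmap, passwords
        self._login_attr = None
        login_attr = attrmap.get("login")
        if require_distinct_attrs:
            # Condition quoted in the thread: skipped when login and id share an attribute.
            if login_attr and login_attr != attrmap["id"]:
                self._login_attr = login_attr
        elif login_attr:
            # Variant proposed in the thread: always resolve through the login attribute.
            self._login_attr = login_attr

    def id_for_login(self, login):
        if self._login_attr is None:
            return login  # passed through with the caller's casing
        entry = self.directory.find(self._login_attr, login)
        return entry[self.attrmap["id"]] if entry else login

    def authenticate(self, login, password):
        entry = self.directory.find(self.attrmap["login"], login)
        if entry is None or self.passwords.get(entry[self.attrmap["id"]]) != password:
            return False
        return self.id_for_login(login)


def demo():
    directory = ToyDirectory([{"sAMAccountName": "John.Doe"}])  # constructed entry
    attrmap = {"id": "sAMAccountName", "login": "sAMAccountName"}
    passwords = {"John.Doe": "constructed-password"}
    before = ToyUsers(directory, attrmap, passwords, require_distinct_attrs=True)
    after = ToyUsers(directory, attrmap, passwords, require_distinct_attrs=False)
    return (before.authenticate("john.doe", "constructed-password"),
            after.authenticate("john.doe", "constructed-password"))
```

With a case-sensitive consumer such as Plone, the first value would be treated as a different user id than the one stored in the directory; the second matches it.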