When using an LDAP server as the authentication provider, duplicate user accounts can be created inside Warp.
By default, the user's DN is case-insensitive (this can be defined in the LDAP schema). Thus, the user can sign in successfully with any combination of capital and lowercase letters matching his username. For example, Username, userName, and username are all valid and accepted. However, as Warp stores the username in a case-sensitive manner, this allows the creation of multiple accounts within Warp for the same LDAP user.
Treating the username as lowercase by default (i.e., by calling .lower() on the login argument) solves the issue. Nevertheless, I don't know if that is the best solution. For the case where the LDAP DN is case-sensitive, this solution will result in different usernames stored with Postgres. If .lower() is executed before calling the LDAP server, as shown below, this will result in an authentication error if the DN includes any capital letter.
Possible Solution
--- a/warp/auth_ldap.py
+++ b/warp/auth_ldap.py
@@ -207,7 +207,7 @@ def login():
if flask.request.method == 'POST':
- u = flask.request.form.get('login')
+ u = flask.request.form.get('login').lower()
p = flask.request.form.get('password')
LDAP_EXCLUDED_USERS = flask.current_app.config.get('LDAP_EXCLUDED_USERS', [])
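Review bot: the `+ u = flask.request.form.get('login').lower()` line normalizes the value before it reaches the LDAP bind, which is exactly the case-sensitive-DN problem the issue text describes; lowercasing should be applied only to the identifier Warp stores and looks up locally, after the bind has succeeded with the login as typed. Separately, `flask.request.form.get('login')` returns `None` when the field is missing, so calling `.lower()` on it raises `AttributeError`; use `flask.request.form.get('login', '')` or check for `None` first.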
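One way to keep a single Warp account per LDAP user without changing what is sent to the directory, as an added example that is not Warp's own code: bind with the login exactly as the user typed it, and case-fold only the key used for the local account lookup. The `ldap_bind`, `UserStore`, `canonical_key` and `login` names, the `FAKE_DIRECTORY` entry and the `case_insensitive` switch are all constructed for this example; a fake in-memory directory stands in for the LDAP server so the block runs offline.

```python
"""Added example (not from Warp): case-fold the local account key, not the LDAP bind."""
import unicodedata

# Constructed stand-in for an LDAP directory: DN -> password.
FAKE_DIRECTORY = {"uid=Jane.Doe,ou=people,dc=example,dc=org": "s3cret"}


def ldap_bind(login, password,
              dn_template="uid={login},ou=people,dc=example,dc=org",
              case_insensitive=True):
    """Hypothetical simple bind. `case_insensitive` mimics the schema's matching
    rule for the DN: True matches any capitalization, False requires an exact DN."""
    dn = dn_template.format(login=login)
    for stored_dn, stored_pw in FAKE_DIRECTORY.items():
        if case_insensitive:
            same_dn = stored_dn.casefold() == dn.casefold()
        else:
            same_dn = stored_dn == dn
        if same_dn and stored_pw == password:
            return True
    return False


def canonical_key(login):
    """Key under which the local account is stored: Unicode-normalized,
    whitespace-trimmed and case-folded, so Username/userName/username collide."""
    return unicodedata.normalize("NFKC", login).strip().casefold()


class UserStore:
    """Minimal in-memory stand-in for Warp's Postgres user table."""

    def __init__(self):
        self._by_key = {}  # canonical key -> account record

    def get_or_create(self, login):
        key = canonical_key(login)
        record = self._by_key.get(key)
        if record is None:
            # Keep the login as first typed for display; identity is the key.
            record = {"key": key, "display_login": login}
            self._by_key[key] = record
        return record

    def count(self):
        return len(self._by_key)


def login(store, login_form, password, **bind_opts):
    """Authenticate against LDAP with the login as typed, then resolve the local
    account by its case-folded key. Returns the account record or None."""
    if login_form is None:
        # form.get() returned None; never call .lower()/.casefold() on it
        return None
    if not ldap_bind(login_form, password, **bind_opts):
        return None
    return store.get_or_create(login_form)


if __name__ == "__main__":
    store = UserStore()
    for variant in ("Jane.Doe", "jane.doe", "JANE.DOE"):
        print(variant, "->", login(store, variant, "s3cret"))
    print("accounts created:", store.count())  # one account, not three
```

Because the bind receives the untouched string, a directory whose DN matching is case-sensitive still accepts `Jane.Doe` and still rejects `jane.doe`, while a case-insensitive directory no longer yields three Warp accounts for one person.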