tchapi
commented
2 months ago Hi @shizmob and thanks for the report
Very interesting that LDAP has this specific behavior, didn't know it.
Although 3. seems interesting, casefolding to make this possible would require quite a bit of though, and, as you say, would not be backward-compatible.
I'd be in favour of 2., ie getting the actual answer of the LDAP server and use that as the database username. This abstracts the actual case change to the LDAP server itself, not to Davis, while making it mostly transparent for the end user.
First of all, thanks a lot for your work on Davis, it's been very useful so far.
As per X.520, which describes some common attributes as used in LDAP, sometimes attributes used to construct an LDAP DN, like
uid(§6.17.1), are case-insensitive.In my setup,
uidis the primary way users are addressed in a DN:As the username on Davis's side is case-sensitive, this leads to a nasty side-effect: the casing used by the user matters when logging in!
When logging in with the username
shiz, the system will not find a user with that name in the database, branch out to LDAP to retrieve the user, and succesfully auto-create the user. So far so good. However, if the user later attempts to log in with the usernameShiz, this process will repeat and a duplicate userShizwill be created, as the LDAP backend matches case-insensitively. This is very confusing for the user as everything appears to be going well, but suddenly their calendars are gone.I've made an issue instead of directly submitting a pull request, as I can imagine a few different ways forward:
LDAPAuth;Does any of these options make sense to you, or do you have a better way in mind this problem could be resolved?