Description

When using Moin with LDAP authentication, you are faced with the following problem:

LDAP authentication is case-insensitive, you can have sAMAccountName (if it's the parameter you check for login) have FirstName.LastName and you can log in with firstname.lastname or FIRSTNAME.LASTNAME: that's ok for me, i found it logical (or at least practical)
Moin account creation is case-sensitive, if you log in (independently of the way it works) with LoginName and loginname you get two accounts created.

Case-sensitiveness is not the problem here, but the fact that if you log against LDAP with firstname.lastname or FirstName.LastName, you are logged with the same account (you're the same person!) but Moin creates two internal accounts, that's disturbing and complicates management (example ACL management).

Steps to reproduce

configure moin to use LDAP authentication
choose a LDAP account and log into Moin with its login name in upper case (like this LOGINNAME)
creates a page, for example your homepage by clicking on your LOGINNAME in the upper left
log out
log in with the same account and password but this time with the login name in lower case (like this loginname)
see that your homepage isn't created

Example

Component selection

general

Details

Workaround

For the moment i don't see any workaround except explain to every LDAP user to always spell their login name the same way.

Discussion

I'm not sure this bug is really a bug, because account case-sensitiviness is a feature¹. But it could be interesting to:

if LDAP auth is used, account creation become case-insensitive or
Moin offers a way to disable case-sensitiviness in account creation, for example via a directive in the config file.

We won't make moin case-insensitive. That is just bad style, slower and only makes trouble all over the place (as you see with ldap, windows, ...).

I'm ok with this as I said before.

What maybe could be done is reading back the username from ldap to see how it really is. Patches are welcome.

You mean, when using ldap auth, connect whatever is the login name used, if it's ok, retrieve a ldap attribute (configurable?) and use it for account creation? I'll try to look if i find where it can be done.

Plan

Priority:
Assigned to:
Status:

CategoryMoinMoinNoBug

isn't it? (1)

MoinMoin: MoinMoinBugs/LdapAuthenticationIsCaseInsensitiveButMoinAccountsAreNot (last edited 2009-04-15 07:07:14 by EricVeirasGalisson)