Bug #11407

Uppercase logins coming from LDAP break external user groups sync

Added by Daniel Lobato Garcia almost 4 years ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Category: Authentication

Description

When a user, say "DanielLobato" in LDAP, gets an account in Foreman, the login is automatically downcased to "daniellobato". This causes issues when external user groups refresh, as we perform a 'where' query on User, using the logins from LDAP to check what users belong in an external user group. So by calling User.where(:name => ['DanielLobato']) on usergroup.rb, we will get no results and the user 'daniellobato' will be left unsynced.

Associated revisions

Revision 2ef6f4da (diff)
Added by Daniel Lobato Garcia over 3 years ago

Fixes #11407 - Uppercase logins from LDAP break external user group sync

On LDAP the login can contain uppercase chars, for instance, "FOO". However,
when we log in to Foreman for the first time and have that account auto-created,
we can log in using "foo". After that, our login will be saved as "foo" on
Foreman.

When a user group that contains said group is refreshed, we pull the names
from LDAP, auth_source.users_in_group(name). This will return an array
containing "FOO". After that, we will call usergroup.add_users(["FOO"])
which in turn calls User.where(:login => ["FOO"]). This will be empty since
our login in the database is "foo".

This commit fixes this issue in two places:
One, by saving the login as it comes from LDAP (case aware), so that
in the previous example 'FOO' would've been saved even if the user had
tried to log in as 'foo'.

Two, by making add_users and remove_users case insensitive.

Revision 05b5cf34 (diff)
Added by Daniel Lobato Garcia over 3 years ago

Fixes #11407 - Uppercase logins from LDAP break external user group sync

(cherry picked from commit 2ef6f4da99a4375e7d4600da62d6ba011e7467d4)
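
The lookup mismatch described in the commit message, as an added example that is not Foreman's code: a constructed in-memory model contrasting the exact-match lookup with a case-insensitive one. It goes one step beyond the fix by also reporting LDAP names that match no local account or more than one; all function names, the report keys and the sample logins are assumptions made for illustration.

```ruby
# Added example: constructed in-memory model, not Foreman's code.
# LOCAL_LOGINS stands in for the users table; every name here is hypothetical.
LOCAL_LOGINS = %w[foo bar old].freeze # accounts saved with downcased logins

# Stand-in for User.where(:login => logins): exact, case-sensitive match.
def find_strict(ldap_logins, local = LOCAL_LOGINS)
  local.select { |login| ldap_logins.include?(login) }
end

# Case-insensitive lookup. Besides the matches it returns the LDAP names that
# matched nothing or matched several local accounts, so a refresh cannot
# silently skip a user.
def find_case_insensitive(ldap_logins, local = LOCAL_LOGINS)
  by_key = local.group_by(&:downcase)
  result = { matched: [], unmatched: [], ambiguous: [] }
  ldap_logins.each do |name|
    hits = by_key.fetch(name.downcase, [])
    case hits.size
    when 0 then result[:unmatched] << name
    when 1 then result[:matched] << hits.first
    else        result[:ambiguous] << name
    end
  end
  result
end

# Refresh a group's membership from the LDAP member list: members no longer
# present in LDAP are dropped, uniquely matched LDAP members are added.
def refresh_group(members, ldap_logins, local = LOCAL_LOGINS)
  report = find_case_insensitive(ldap_logins, local)
  keep = ldap_logins.map(&:downcase)
  still_in_ldap = members.select { |m| keep.include?(m.downcase) }
  report.merge(members: (still_in_ldap | report[:matched]).sort)
end

if __FILE__ == $PROGRAM_NAME
  ldap_group = %w[FOO Bar ghost]                # constructed users_in_group result
  p find_strict(ldap_group)                     # the bug: no local user is found
  p refresh_group(%w[old bar], ldap_group)      # foo and bar synced, ghost reported
  p find_case_insensitive(%w[Foo], %w[foo FOO]) # logins differing only by case
end
```

A non-empty `unmatched` or `ambiguous` list is worth logging during a refresh, since either one means group membership in the application no longer mirrors the directory.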

History

#1 Updated by Daniel Lobato Garcia almost 4 years ago

  • Bugzilla link set to 1238442

#2 Updated by The Foreman Bot almost 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2616 added
  • Pull request deleted ()

#3 Updated by Dominic Cleal over 3 years ago

  • Category changed from Authorization to Authentication
  • Assignee set to Daniel Lobato Garcia
  • Legacy Backlogs Release (now unused) set to 72

#4 Updated by Daniel Lobato Garcia over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Dominic Cleal over 3 years ago

  • Legacy Backlogs Release (now unused) changed from 72 to 88
