LDAP based user authentication

Hello folks,

I am using a Enterprise version 1.19.5. I see the LDAP auth in ROR misses out if usernames doesn’t match case.
Can we make users match without case (make it case insensitive) ?

for ex.

  • username: John123
    groups: [ “admins” ]
    ldap_authentication:
    name: ldap1
    cache_ttl_in_sec: 600

And if user logs in as “john123” ROR fails.

1 Like

Sounds like a Windows vs Unix philosophical issue :slight_smile:
We could create a flag in the configuration about this. But because the majority of the LDAP servers are actually Active Directory servers, it would make sense to make case insensitive the default?

WDYT @coutoPL

We could create a flag, but this is not a good idea to make it case insensitive by default.

It breaks the current contract and we could potentially change behaviour of existing configurations after upgrade - for me it could be a potential security hole.

1 Like

Elastic engineers have a good point about this, they were basically willing to introduce string transformations for usernames BEFORE they’re sent to LDAP authentication. I.e. toUppercase/toLowercase/capitalized.

Which makes sense, because the case sensitivity in authentication phase is a trait of the LDAP server, rather than our connector. So the best we can do is normalize the casing of the username before serving to the server.

@praveenmak On the other hand, how about configuring the LDAP server to accept case insensitive user names? Should be possible.