Description
When using Moin with LDAP authentication, you are faced with the following problem:
- LDAP authentication is case-insensitive: sAMAccountName (if that's the parameter you check for login) can be FirstName.LastName and you can log in with firstname.lastname or FIRSTNAME.LASTNAME. That's OK for me, I found it logical (or at least practical).
- Moin account creation is case-sensitive: if you log in (independently of the way it works) with LoginName and loginname, you get two accounts created.
Case sensitivity is not the problem here; the problem is that if you log in against LDAP with firstname.lastname or FirstName.LastName, you are logged in with the same account (you're the same person!) but Moin creates two internal accounts. That's disturbing and complicates management (for example, ACL management).
Steps to reproduce
- configure Moin to use LDAP authentication
- choose an LDAP account and log into Moin with its login name in upper case (like this: LOGINNAME)
- create a page, for example your homepage, by clicking on your LOGINNAME in the upper left
- log out
- log in with the same account and password, but this time with the login name in lower case (like this: loginname)
- see that your homepage isn't created
Example
Component selection
- general
Details
Workaround
One workaround is to explain to every LDAP user to always spell their login name the same way. Murphy disagrees with this. -k-method
Another solution is to patch the login.py userform such that the user is forced to enter a lowercase username. This workaround is only suitable for new installations or installations where all existing usernames are lowercase (or have been converted to lowercase in advance). If there are already accounts which contain usernames with uppercase chars, then it will not be possible to log in to those accounts. -k-method
Here is the patch:
1 --- a/moin-1.9.8/MoinMoin/userform/login.py Fri Oct 17 20:45:32 2014
2 +++ b/moin-1.9.8/MoinMoin/userform/login.py Fri May 22 12:38:38 2015
3 @@ -39,7 +39,7 @@
4 hint = authm.login_hint(request)
5 if hint:
6 hints.append(hint)
7 - self._form = html.FORM(action=action, name="loginform", id="loginform")
8 + self._form = html.FORM(action=action, name="loginform", id="loginform", onsubmit="return checkForm(this);")
9 self._table = html.TABLE(border="0")
10
11 # Use the user interface language and direction
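Review bot: The onsubmit="return checkForm(this);" attribute on the FORM is the only enforcement this patch adds, so the lower-case rule holds only in browsers that run the script. A login request submitted without JavaScript still reaches the server with a mixed-case name. Rejecting or lower-casing the name where the submitted form is processed on the server would make the rule apply to every client; the script can stay as a usability hint.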
12 @@ -54,7 +54,7 @@
13
14 cfg = request.cfg
15 if 'username' in cfg.auth_login_inputs:
16 - self.make_row(_('Name'), [
17 + self.make_row(_('Windows Username'), [
18 html.INPUT(
19 type="text", size="32", name="name",
20 ),
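Review bot: The label change to _('Windows Username') sits directly under "if 'username' in cfg.auth_login_inputs:", so it is shown for every authentication method that asks for a username, not only for LDAP. Keep _('Name') here, or make the alternative label depend on the LDAP authenticator being the one in use.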
21 @@ -66,6 +66,18 @@
22 type="password", size="32", name="password",
23 ),
24 ])
25 +
26 + self._form.append("""<script type="text/javascript">
27 + function checkForm(form) {
28 + if(form.name.value.match(/[A-Z]/)) {
29 + alert("Your username must not contain upper case characters.");
30 + form.name.focus();
31 + return false;
32 + }
33 + return true;
34 + }
35 + </script>
36 + """)
37
38 # Restrict type of input available for OpenID input
39 # based on wiki configuration.
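Review bot: The test form.name.value.match(/[A-Z]/) in checkForm only catches the ASCII letters A to Z, so a username containing a non-ASCII upper-case letter passes unchanged. Comparing the value with its own toLowerCase() result would cover those as well. The lookup form.name also relies on the input named "name" taking precedence over the form's own name="loginform" attribute; form.elements["name"] states the intent explicitly.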
Please note: this patch changes the prompt from "Name" to "Windows Username" on the login form. I assume that it's only Windows installations where this is a problem. I'm not aware of any other popular operating systems that have case-insensitive usernames. -k-method
Please also note: this is clearly not a permanent solution to this very real problem. It's a temporary work-around that works very well for the MoinMoin installation at the company I work for. -k-method
Discussion
I'm not sure this bug is really a bug, because account case sensitivity is a feature (1). But it could be interesting to:
- if LDAP auth is used, account creation becomes case-insensitive or
- Moin offers a way to disable case sensitivity in account creation, for example via a directive in the config file.
We won't make moin case-insensitive. That is just bad style, slower and only makes trouble all over the place (as you see with ldap, windows, ...).
- I'm ok with this as I said before.
What maybe could be done is reading back the username from ldap to see how it really is. Patches are welcome.
- You mean, when using ldap auth, connect whatever is the login name used, if it's ok, retrieve a ldap attribute (configurable?) and use it for account creation? I'll try to look if I find where it can be done.
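The read-back idea from the discussion, as an added example (not MoinMoin code and not written by the participants above). The directory is a constructed in-memory stand-in for LDAP, and `WikiAccounts`, `ldap_lookup`, `login_typed`, `login_readback` and `case_collisions` are hypothetical names. It contrasts keying the wiki account on the typed name with keying it on the attribute read back from the directory, and includes an audit helper for existing account names that differ only by case.

```python
# Constructed stand-in for an LDAP directory; a real server performs the bind itself.
DIRECTORY = [
    {"sAMAccountName": "FirstName.LastName", "bind_secret": "s3cret"},
    {"sAMAccountName": "jdoe", "bind_secret": "hunter2"},
]

def ldap_lookup(typed_name, secret):
    """Match the login name case-insensitively, as the report describes for LDAP."""
    for entry in DIRECTORY:
        same_name = entry["sAMAccountName"].lower() == typed_name.lower()
        if same_name and entry["bind_secret"] == secret:
            return entry
    return None

class WikiAccounts:
    """Case-sensitive account store, modelling the behaviour described for Moin."""
    def __init__(self):
        self.names = set()

    def get_or_create(self, name):
        self.names.add(name)  # "Name" and "name" are distinct accounts
        return name

def login_typed(accounts, typed, secret):
    """Reported behaviour: the wiki account is keyed on what the user typed."""
    if ldap_lookup(typed, secret) is None:
        return None
    return accounts.get_or_create(typed)

def login_readback(accounts, typed, secret, attr="sAMAccountName"):
    """Proposed behaviour: key the account on the attribute stored in the directory."""
    entry = ldap_lookup(typed, secret)
    if entry is None:
        return None
    return accounts.get_or_create(entry[attr])

def case_collisions(names):
    """Return groups of existing account names that differ only by case."""
    groups = {}
    for name in names:
        groups.setdefault(name.casefold(), []).append(name)
    return sorted(sorted(group) for group in groups.values() if len(group) > 1)

if __name__ == "__main__":
    typed_store, readback_store = WikiAccounts(), WikiAccounts()
    for spelling in ("FIRSTNAME.LASTNAME", "firstname.lastname"):
        login_typed(typed_store, spelling, "s3cret")
        login_readback(readback_store, spelling, "s3cret")
    print("typed-name accounts:", sorted(typed_store.names))
    print("read-back accounts: ", sorted(readback_store.names))
    print("collisions to merge:", case_collisions(typed_store.names))
```

Running `case_collisions` over the existing account names before switching to read-back shows which accounts, and the ACL entries that name them, would need merging.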
Plan
- Priority:
- Assigned to:
- Status:
isn't it? (1)