Camelcased username is returned lowercased


Hello, FIRST, thank you for your wonderful extension.

We are using Mediawiki 0.18.0, LDAPAUTHVERSION=1.2e.

As for Clausekwis, we need $wgLDAPUseLocal because we want to grant certain rights to both specific internal (LDAP) and external (local) users.

There seems to be a problem with local accounts having capital characters in the middle of their username (like 'FirstMiddleLast'): such created users are "not registered" (when editing User:FirstMiddleLast), and we can't grant them any rights (Special:Permissions -> contributor not found).

Steps to reproduce:

  1. setup mediawiki + LDAP instance
    1. with $wgLDAPUseLocal=true
    2. with local 'Admin' user
  2. login as 'Admin/LdapDomain' (yes, /LdapDomain !)
  3. create local 'FirstMiddleLast' user
  4. list users (Special:UserList)
  5. click 'FirstMiddleLast'
  6. see 'User account "FirstMiddleLast" is not registered' warning

After some digging, I found that it only works when I am logged in with the 'local' domain ($wsDomain="local"). My question is: why, when looking for a given user, check for the domain of the currently logged-in user? And why not store the domain (user-specific) into the database?

Here's a kind of stack trace to explain how I came to this conclusion:

includes/Article.php:function showMissingArticle():
    $user = User::newFromName( $rootPart, false /* allow IP users*/ );

includes/User.php:function newFromName( $name, $validate = 'valid' ):
    $name = self::getCanonicalName( $name, $validate );

includes/User.php:function getCanonicalName( $name, $validate = 'valid' ):
    global $wgAuth;
    $name = $wgAuth->getCanonicalName( $t->getText() );

extensions/LdapAuthentication/LdapAuthentication.php:
    function getCanonicalName( $username ) {
        // ...
        if ( isset( $_SESSION['wsDomain'] ) && 'local' != $_SESSION['wsDomain'] ) {
            $username = strtolower( $username );
        }

The problem is that the username is returned lowercased (with the first character upcased) which should not happen for local accounts.

I believe there are no plans to support $wgLDAPUseLocal further, but I'll be glad to know a better way to have both LDAP and external (local) accounts.

As a workaround, we ended up imposing lowercased usernames (like 'first.middle.last').

Foudfou, 20:18, 6 December 2011
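An added illustration of the lookup mismatch described in the post above (this is not the LdapAuthentication extension's code): the session-keyed canonicalization is modelled on the quoted getCanonicalName(), while the per-user domain variant is a hypothetical sketch of the poster's "store the domain per user" suggestion, with a constructed user table standing in for the database.

```php
<?php
// Added example, not the extension's own code. Models why a mixed-case
// local user is "not registered" when the admin is logged in via LDAP.

// Stands in for MediaWiki's own title normalization (first letter upper-cased).
function mwFirstUpper(string $name): string {
    return ucfirst($name);
}

// Behaviour quoted above: lower-case whenever the *current session* domain
// is not 'local', regardless of which user is being looked up.
function canonicalBySession(string $username, ?string $sessionDomain): string {
    if ($sessionDomain !== null && $sessionDomain !== 'local') {
        $username = strtolower($username);
    }
    return mwFirstUpper($username);
}

// Hypothetical alternative: decide by the domain recorded for the *target*
// user. $userDomains is a constructed map username => domain that the wiki
// would persist when the account is created.
function canonicalByUserDomain(string $username, array $userDomains): string {
    $domain = $userDomains[$username] ?? 'local';   // unknown names: treat as local
    if ($domain !== 'local') {
        $username = strtolower($username);
    }
    return mwFirstUpper($username);
}

// Constructed user table: one mixed-case local account, one LDAP account.
$userDomains = [
    'FirstMiddleLast' => 'local',
    'jdoe'            => 'LdapDomain',
];
$stored = 'FirstMiddleLast';   // name exactly as created in the local database

// Admin logged in as 'Admin/LdapDomain' looks up the local user.
foreach (['LdapDomain', 'local'] as $session) {
    $canon = canonicalBySession('FirstMiddleLast', $session);
    printf("session=%-10s -> %s (%s)\n", $session, $canon,
        $canon === $stored ? 'found' : 'not registered');
}

// Keying on the looked-up user's own domain gives the same answer in both sessions.
$canon = canonicalByUserDomain('FirstMiddleLast', $userDomains);
printf("per-user domain    -> %s (%s)\n", $canon,
    $canon === $stored ? 'found' : 'not registered');
```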

You can add the users to another OU, then have LDAP use that OU as another domain. It's a *way* better solution than using the local database as a fallback, which is really meant as a temporary solution for migrating all users to LDAP.

Another alternative is to have some form of web sso, like SAML, where you can do federation. Many of these systems support OpenID, which means you could use the OpenID extension, and then limit access to people by taking rights away from the user group and adding them to a group you manage.

There's a ton of ways to handle this, which is why I don't support using $wgLDAPUseLocal as a long term measure.

Ryan lane, 04:57, 27 December 2011