I am having a problem with the LDAP user sync and the accounts being duplicated on the OpenNebula side.
I have specific groups set for login to OpenNebula. For my explanation I will use the name John Smith.
Our convention is first initial last name, so everyone's AD users look like this:
jsmith
If John logs into OpenNebula with jsmith, it creates his account and follows the predefined quota defaults as desired. This is great!
If John logs in with Jsmith, it then gives him a new account with its own quota.
Same with JSMITH, JSmith, JsmiTH, JsmiTh, and so on.
This is a massive problem, as many users have begun to create more than one account after discovering this problem.
Can anyone offer assistance in confirming only the lowercase user can be used, or some limitation?
It seems that Active Directory is not case sensitive when searching for users. Can you change the file /var/lib/one/remotes/auth/ldap/authenticate around line 98? Change this:
escaped_user=URI_PARSER.escape(user)
into:
escaped_user=URI_PARSER.escape(user).downcase
You don’t need to restart OpenNebula. It should always log into a lower case version of the user name. Does it work?
This fixed my problem. I still had to manually go in and clean out the other case usernames, but they can no longer be created if they did not already exist.
On a funny side note, one of our departments figured this out without notifying IT and had been using it to manipulate their quota for some time (they had at least 8 extra accounts on their group).
Thank you for the prompt and accurate response. Is this going to be fixed in the next release of OpenNebula?
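For the manual cleanup mentioned above, an added example (not code from this thread or from OpenNebula) that groups existing account names by a canonical form to find the duplicates created through case variants. It goes slightly beyond the case fix by also trimming surrounding whitespace, which the thread raises further down; the function names and the sample user list are assumptions constructed for illustration.

```ruby
# Added example: find accounts that differ only by letter case or by
# leading/trailing whitespace, so they can be reviewed and cleaned up.

# Canonical form assumed here: surrounding whitespace removed, lower-cased.
def canonical_username(name)
  name.to_s.strip.downcase
end

# Returns { canonical_name => [variants...] } for every canonical name
# that is held by more than one distinct account name.
def duplicate_accounts(usernames)
  usernames
    .group_by { |n| canonical_username(n) }
    .select { |_canon, variants| variants.uniq.size > 1 }
end

# For each duplicate group, keep the account whose name already equals the
# canonical form (if one exists) and list the others for manual review.
def cleanup_plan(usernames)
  duplicate_accounts(usernames).map do |canon, variants|
    keep = variants.include?(canon) ? canon : variants.first
    { keep: keep, review: variants.uniq - [keep] }
  end
end

# Constructed sample list standing in for an export of the user pool.
SAMPLE_USERS = [
  'oneadmin', 'jsmith', 'Jsmith', 'JSMITH', ' jsmith',
  'adoe', 'bjones', 'BJones'
].freeze

if __FILE__ == $PROGRAM_NAME
  cleanup_plan(SAMPLE_USERS).each do |plan|
    puts "keep #{plan[:keep].inspect}, review #{plan[:review].inspect}"
  end
end
```

The plan only lists candidates; quotas and resources owned by the extra accounts still need to be checked before anything is deleted.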
It looks like I may have missed one thing with this. Having a space before or after the name actually causes the same thing. Do you have something that can also prevent them from putting the space in front of or to the rear of their name? So far that is the only other thing that is not fixed.
I have figured this out. One of my developers here at the company actually modified the same file for me and added the .strip command at the end of the user so it looked like this