LDAP user duplication when case is changed

Hello everyone,

I am having a problem with the LDAP user sync and the accounts being duplicated on the OpenNebula side.

I have specific groups set for login to OpenNebula. For my explanation I will use the name John Smith.
Our convention is first initial, last name, so everyone's AD users look like this:

jsmith

If John logs into OpenNebula with jsmith, it creates his account and follows the predefined quota defaults as desired. This is great!

If John logs in with Jsmith, it then gives him a new account with its own quota.
Same with JSMITH, JSmith, JsmiTH, JsmiTh, and so on.

This is a massive problem, as many users have begun to create more than one account after discovering this problem.
Can anyone offer assistance in confirming only the lowercase user can be used, or some limitation?

It seems that Active Directory is case-insensitive when searching for users. Can you change the file /var/lib/one/remotes/auth/ldap/authenticate around line 98? Change this:

escaped_user=URI_PARSER.escape(user)

into:

escaped_user=URI_PARSER.escape(user).downcase

You don’t need to restart OpenNebula. It should always log into a lower case version of the user name. Does it work?


This fixed my problem. I still had to manually go in and clean out the other case usernames, but they can no longer be created if they did not already exist.

On a funny side note, one of our departments figured this out without notifying IT and had been using it to manipulate their quota for some time (they had at least 8 extra accounts on their group).

Thank you for the prompt and accurate response. Is this going to be fixed in the next release of OpenNebula?

It looks like I may have missed one thing with this. Having a space before or after the name actually causes the same thing. Do you have something that can also prevent them from putting the space in front of or to the rear of their name? So far that is the only other thing that is not fixed.

I have figured this out. One of my developers here at the company actually modified the same file for me and added the .strip command at the end of the user so it looked like this:

escaped_user=URI_PARSER.escape(user.strip).downcase

Now if they try to authenticate with a space before or after the username, it simply fails instead of creating another user for them.
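
The following is an added example, not part of the thread and not OpenNebula code: it applies the same .strip and .downcase normalization to a list of existing account names to find the duplicates that still need manual cleanup, and shows how many accounts a set of logins creates with and without normalization. `AccountPool`, the quota value and all usernames are constructed for illustration; it models account lookup only, not the LDAP bind.

```ruby
# Added example, not OpenNebula code. Usernames below are constructed.

# Canonical form used for account lookup: trim surrounding whitespace,
# then fold case, mirroring the .strip and .downcase changes in the thread.
def canonical_username(raw)
  raw.to_s.strip.downcase
end

# Group existing account names by canonical form and return only the
# groups holding more than one account, i.e. the duplicates to clean up.
def find_duplicate_accounts(usernames)
  usernames
    .group_by { |name| canonical_username(name) }
    .select { |_canon, names| names.size > 1 }
end

# Hypothetical stand-in for auto-provisioning on first login: an account is
# created for every key not seen before, each with its own quota.
class AccountPool
  attr_reader :accounts

  def initialize(normalize:)
    @normalize = normalize
    @accounts = {}
  end

  def login(raw_username)
    key = @normalize ? canonical_username(raw_username) : raw_username
    @accounts[key] ||= { quota_vms: 10 } # constructed default quota
    key
  end
end

# Constructed sample logins: case variants, padded variants, one other user.
LOGINS = ['jsmith', 'Jsmith', 'JSMITH', ' jsmith', 'jsmith ', 'adoe'].freeze

def accounts_created(normalize)
  pool = AccountPool.new(normalize: normalize)
  LOGINS.each { |u| pool.login(u) }
  pool.accounts.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "without normalization: #{accounts_created(false).inspect}"
  puts "with normalization:    #{accounts_created(true).inspect}"
  find_duplicate_accounts(LOGINS).each do |canon, names|
    puts "#{canon}: #{names.size} accounts -> #{names.inspect}"
  end
end
```

Feeding `find_duplicate_accounts` the real list of account names gives the set of case and whitespace variants to review, along with any group quota they inflated.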

I have just installed the latest release of OpenNebula and this is still a bug present in the code. I will implement the same changes as before.

Just upgraded to 5.6 last month, and we found that this bug STILL EXISTS in the LDAP authenticate file. Please fix this, thanks.

Problem is now tracked by issue: https://github.com/OpenNebula/one/issues/2479

Thank you!
