Bug 46646 - check group membership is sometimes case sensitive
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth_ldap
Version: 2.2.14
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2009-02-01 10:54 UTC by Sven Strickroth
Modified: 2013-05-01 18:02 UTC

use the username gathered from AuthLDAPRemoteUserAttribute (601 bytes, patch)
2009-02-06 08:25 UTC, Sven Strickroth

Description Sven Strickroth 2009-02-01 10:54:10 UTC
It would be nice to have an option which allows lowercasing the username before sending it to the LDAP server.
Comment 1 Eric Covener 2009-02-01 14:09:26 UTC
Does this mean samAccountName on MSAD is case-sensitive? I couldn't figure out the doc and my test system is kaput.  Or are you hitting some other specifically case-sensitive attribute in your DN lookup?
Comment 2 Eric Covener 2009-02-02 12:23:33 UTC
Searches for samAccountName=foo appear to be case insensitive OOTB.
Comment 3 Sven Strickroth 2009-02-03 10:45:03 UTC
I'm using
"AuthLDAPRemoteUserAttribute uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN Off
AuthBasicProvider ldap

require ldap-group cn=Domain Admins,ou=Group, dc=DOMAIN,dc=de"

and memberUid doesn't seem to be case insensitive (memberUid is from posixGroup, which is also used by Samba domain groups).

If I try "require valid-user" it seems to be case insensitive.

But the REQUEST_USER environ variable seems to be lowercased every time (that's good for statistics).
Comment 4 Eric Covener 2009-02-03 11:34:16 UTC
I see, "AuthLDAPGroupAttributeIsDN on" and pointing to a case-sensitive attribute for the group check is the part where it breaks down.
Comment 5 Sven Strickroth 2009-02-06 08:04:45 UTC
Instead of lowercasing the usernames, it would be better to use the "AuthLDAPRemoteUserAttribute" for group member comparison too...
Comment 6 Sven Strickroth 2009-02-06 08:25:45 UTC
Created attachment 23238
use the username gathered from AuthLDAPRemoteUserAttribute

This patch seems to fix this issue.
Comment 7 William A. Rowe Jr. 2010-02-24 18:41:42 UTC
Comment on attachment 23238
use the username gathered from AuthLDAPRemoteUserAttribute

+1 - the patch looks rational.
Comment 8 Sven Strickroth 2013-05-01 18:02:09 UTC
This patch also helps to canonicalize usernames (e.g. if a DN is found by an alias or multiple uid/cn entries).
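
Added example, not part of the thread and not mod_authnz_ldap code: a small C model of the behaviour reported in comments 3 to 5, where the user lookup on uid ignores case but the memberUid group compare does not, so the same account is authenticated yet fails the group requirement depending on how the name was typed. The directory entries and function names are constructed for illustration.

```c
/* Added illustration of the mismatch in this report; not mod_authnz_ldap code. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample directory data (hypothetical names). */
struct user_entry { const char *dn; const char *uid; };
static const struct user_entry USERS[] = {
    { "uid=sven,ou=People,dc=example,dc=org",  "sven"  },
    { "uid=guest,ou=People,dc=example,dc=org", "guest" },
};
static const char *const GROUP_MEMBER_UIDS[] = { "sven", "root" };

/* User lookup: uid is matched case-insensitively (caseIgnoreMatch). */
static const struct user_entry *find_user(const char *typed) {
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcasecmp(USERS[i].uid, typed) == 0)
            return &USERS[i];
    return NULL;
}

/* Group check: memberUid is matched byte for byte (caseExactIA5Match). */
static int group_has_member(const char *name) {
    for (size_t i = 0; i < sizeof GROUP_MEMBER_UIDS / sizeof GROUP_MEMBER_UIDS[0]; i++)
        if (strcmp(GROUP_MEMBER_UIDS[i], name) == 0)
            return 1;
    return 0;
}

/* Reported behaviour: the group compare uses the name as the client typed it. */
int authorize_typed(const char *typed) {
    return find_user(typed) != NULL && group_has_member(typed);
}

/* Comment 5's approach: compare the attribute value stored in the user's entry. */
int authorize_canonical(const char *typed) {
    const struct user_entry *u = find_user(typed);
    return u != NULL && group_has_member(u->uid);
}

int main(void) {
    const char *names[] = { "sven", "SVEN", "Guest", "nobody" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-7s typed=%d canonical=%d\n", names[i],
               authorize_typed(names[i]), authorize_canonical(names[i]));
    return 0;
}
```

With the canonical value, authorization no longer depends on the case the client typed, and accounts outside the group are still refused.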