Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use case-insensitive search for user lookup by external_auth_id #540

Merged
merged 2 commits into from
Sep 25, 2015
Merged

Use case-insensitive search for user lookup by external_auth_id #540

merged 2 commits into from
Sep 25, 2015

Conversation

stevendanna
Copy link
Contributor

Almost all of the typical values of ldap['login_attribute'] are case
insensitive according to the LDAP schema. However, we previously used a
case-sensitive lookup when trying to find an existing user record.

This commit changes the default lookup to be case insensitive but
provides a user-controllable override for the rare case where users are
setting a case-sensitive login_attribute.

Review Notes

If we were doing this from scratch, I think the correct method of linking LDAP accounts to user records would be to store a canonicalized form of the distinguished name as returned by the LDAP server. Unfortunately, we have live installations with existing data.

I've made case-sensitivity a configurable with a default of false. Most fields that people will use for login_attribute are case insensitive; but it is possible that some users want to use a case sensitive field here. Unfortunately, because of the way chef_db/chef_sql/chef_object are tied together, changing queries based on config either requires adding a new field to the record, or querying the config all the way from chef_user. I opted for the latter as that change seemed to have the smaller surface area.

I looked at the prospect of doing something smarter here such as some sort of data migration combined with a canonicalization of what we store here are the problems I kept running into:

  • Data migrations that transform the existing data in the external_authentication_uid column will probably eliminate our ability to use a case-sensitive field for login_attribute.
  • Data migrations that change external_authentication_uid to store something such as Distinguished Name require talking to a 3rd party data service, which seems really brittle for large installations.
  • Querying the LDAP server for the schema of the login_attribute and changing what we do based on that might be possible but it seems that the exact way to do this might differ between LDAP servers and require our bind user to have permissions that we don't currently require.

@stevendanna
Copy link
Contributor Author

cc @jeremiahsnapp @stephenlauck @chef/lob

@marcparadise
Copy link
Member

The migrate-on-login approach - to canonical name - could work if we keep a 'migrated' flag and use that as part of the query, as SELECT ..., migrated FROM users WHERE (migrated = true AND extid=$1) OR (migrated = false and lower($1) = lower(extid)

marcparadise
marcparadise reviewed Sep 23, 2015
View reviewed changes
src/oc_erchef/apps/chef_objects/src/chef_user.erl
fetch(#chef_user{server_api_version = ?API_v0, username = UserName} = Record, CallbackFun) ->
fetch_user(find_user_by_username_v0, Record, UserName, CallbackFun);
fetch(#chef_user{username = UserName} = Record, CallbackFun) ->
fetch_user(find_user_by_username, Record, UserName, CallbackFun).

case_sensitivity() ->
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ldap_case_sensitivity - it's a bit clearer since in context these fetches serve all the different lookup methods.

@marcparadise
Copy link
Member

LGTM 👍 after customer confirmation and the function name change.

@stevendanna
Copy link
Contributor Author

Fixed the function name, thanks for the suggestion. Re the in-place migration. My biggest problem with any migration is just that we don't actually know whether that value should be case insensitive or not without checking the LDAP schema or having the user tell us. If we have the user tell us, I'd rather not do a migration based on that since the user might make a mistake when setting it.

@stevendanna
Use case-insensitive search for user lookup by external_auth_id
331fb26 
Almost all of the typical values of ldap['login_attribute'] are case
insensitive according to the LDAP schema. However, we previously used a
case-sensitive lookup when trying to find an existing user record.

This commit changes the default lookup to be case insensitive but
provides a user-controllable override for the rare case where users are
setting a case-sensitive login_attribute.

ChangeLog-Entry: Fix bug where logins via LDAP failed because of case
sensitivity.
@stevendanna
Rename case_sensitivity to ldap_case_sensitivity for clarity
6116344
@stevendanna stevendanna force-pushed the ssd/ldap-case-sensitive branch from 9159925 to 6116344 Compare September 25, 2015 09:13
stevendanna added a commit that referenced this pull request Sep 25, 2015
@stevendanna
Merge pull request #540 from chef/ssd/ldap-case-sensitive
cd2ec8d 
Use case-insensitive search for user lookup by external_auth_id
@stevendanna stevendanna merged commit cd2ec8d into master Sep 25, 2015
@stevendanna stevendanna deleted the ssd/ldap-case-sensitive branch December 9, 2015 14:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@stevendanna @marcparadise @chef-supermarket