Item11803:Item11230: added CaseSensitiveLogin feature, defaulting to off

git-svn-id: http://svn.foswiki.org/trunk/LdapContrib@15095 0b4bb1d4-4e5a-0410-9cc4-b2b747904278

data/System/LdapContrib.txt

@@ -2,15 +2,6 @@
 ---+!! %TOPIC%
 %TOC%
 ---++ Introduction
-<table style="float:right">
-<tr>
-  <td><img src="%ATTACHURLPATH%/wikiringlogo40x40.png"></td>
-  <td><a href="http://wikiring.com" title="Make your Wiki ring!" style="text-decoration:none">
-      Powered by <br /> <nop>WikiRing Consultants </a>
-  </td>
-</tr>
-</table>
-
 This package offers basic LDAP services for Foswiki and offers authentication of
 wiki users by binding to an LDAP server as well as incorporate LDAP user
 groups into access control. 
@@ -186,6 +177,14 @@ setting. This will also strip off any '<nop>@...' string from the login as found
 when logging ing using the mail attribute or when using !LdapContrib in combination
 with a kerberos single sign on strategy.
 
+In most scenarios users prefer not to care about case sensitivity of their login names
+for convenience. If however your authentication requires an exact match of the login name
+including case sensitivity, the use
+
+<verbatim>$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 1;</verbatim>
+
+to switch that on.
+
 Similar to the <nop>WikiName of a user, group names can be normalized using
 
 <verbatim>$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 1;</verbatim>
@@ -495,6 +494,7 @@ This work was partly sponsored by
 |  Release: | %$RELEASE% |
 |  Version: | %$VERSION% |
 |  Change History: | <!-- versions below in reverse order -->&nbsp; |
+|  26 Jun 2012: | added =CaseSensitiveLogin= feature, defaulting to =off= |
 |  11 Jan 2012: | fixed using !ListIterators on undefined list values |
 |  20 Dec 2011: | fixes deep recursion when adding !AdminGroup to !AdminGroup; fixed sizelimit not properly being applied to ldap query; disabled expensive debug message |
 |  16 Dec 2010: | implemented new =expand= feature of =GROUPINFO= found in newer foswikis |
@@ -596,6 +596,3 @@ This work was partly sponsored by
 |  28 Apr 2006: | Initial version |
 |  Home: | Foswiki:Extensions/%TOPIC% |
 |  Support: | Foswiki:Support/%TOPIC% |
-
-
-%META:FILEATTACHMENT{name="wikiringlogo40x40.png" attr="h" autoattached="0" comment="" date="1190996093" path="wikiringlogo40x40.png" size="2571" user="ProjectContributor" version="1"}%

lib/Foswiki/Contrib/LdapContrib.pm

@@ -29,7 +29,7 @@ use Foswiki::Plugins ();
 use vars qw($VERSION $RELEASE %sharedLdapContrib);
 
 $VERSION = '$Rev: 4426 (2009-07-03) $';
-$RELEASE = '4.33';
+$RELEASE = '4.40';
 
 =pod
 
@@ -173,6 +173,7 @@ sub new {
 
     normalizeWikiName=>$Foswiki::cfg{Ldap}{NormalizeWikiNames},
     normalizeLoginName=>$Foswiki::cfg{Ldap}{NormalizeLoginNames},
+    caseSensitiveLogin=>$Foswiki::cfg{Ldap}{CaseSensitiveLogin} || 0,
     normalizeGroupName=>$Foswiki::cfg{Ldap}{NormalizeGroupNames},
 
     loginFilter=>$Foswiki::cfg{Ldap}{LoginFilter} || 'objectClass=posixAccount',
@@ -298,9 +299,9 @@ sub getLdapContrib {
 
 =pod
 
----++ connect($login, $passwd) -> $boolean
+---++ connect($dn, $passwd) -> $boolean
 
-Connect to LDAP server. If a $login name and a $passwd is given then a bind is done.
+Connect to LDAP server. If a $dn parameter and a $passwd is given then a bind is done.
 Otherwise the communication is anonymous. You don't have to connect() explicitely
 by calling this method. The methods below will do that automatically when needed.
 
@@ -335,7 +336,8 @@ sub connect {
     $args{"clientcert"} = $this->{tlsClientCert} if $this->{tlsClientCert};
     $args{"clientkey"} = $this->{tlsClientKey} if $this->{tlsClientKey};
     $args{"sslversion"} = $this->{tlsSSLVersion} if $this->{tlsSSLVersion};
-    $this->{ldap}->start_tls(%args);
+    my $msg = $this->{ldap}->start_tls(%args);
+    writeWarning($msg->{errorMessage}) if exists $msg->{errorMessage};
   }
 
   $passwd = $this->toUtf8($passwd) if $passwd;
@@ -476,7 +478,7 @@ sub getCode {
 
 =pod
 
----++ getAccount($login) -> Net::LDAP::Entry object
+---++ getAccount($loginName) -> Net::LDAP::Entry object
 
 Fetches an account entry from the database and returns a Net::LDAP::Entry
 object on success and undef otherwise. Note, the login name is match against
@@ -486,14 +488,17 @@ search using $ldap->{loginFilter} in the subtree defined by $ldap->{userBase}.
 =cut
 
 sub getAccount {
-  my ($this, $login) = @_;
+  my ($this, $loginName) = @_;
 
-  #writeDebug("called getAccount($login)");
-  return undef if $this->{excludeMap}{$login};
+  #writeDebug("called getAccount($loginName)");
+  return undef if $this->{excludeMap}{$loginName};
+
+  # take care of login case
+  $loginName = lc($loginName) unless $this->{caseSensitiveLogin};
 
   my $loginFilter = $this->{loginFilter};
   $loginFilter = "($loginFilter)" unless $loginFilter =~ /^\(.*\)$/;
-  my $filter = '(&'.$loginFilter.'('.$this->{loginAttribute}.'='.$login.'))';
+  my $filter = '(&'.$loginFilter.'('.$this->{loginAttribute}.'='.$loginName.'))';
   my $msg = $this->search(
     filter=>$filter, 
     base=>$this->{userBase}
@@ -1074,6 +1079,7 @@ sub cacheUserFromEntry {
   $loginName = $this->fromUtf8($loginName);
 
   # 2. normalize
+  $loginName = lc($loginName) unless $this->{caseSensitiveLogin};
   $loginName = $this->normalizeLoginName($loginName) if $this->{normalizeLoginName};
   return 0 if $this->{excludeMap}{$loginName};
 
@@ -1184,11 +1190,13 @@ sub cacheUserFromEntry {
 
   if (defined($loginNames->{$loginName})) {
     my $clashDN = $loginNames->{$loginName};
-    if ($clashDN eq '1') {
-      $clashDN = $data->{"U2DN::$loginName"} || '???';
+    if ($clashDN ne $dn) {
+      if ($clashDN eq '1') {
+        $clashDN = $data->{"U2DN::$loginName"} || '???';
+      }
+      writeWarning("$dn clashes with $clashDN on loginName $loginName ... please configure a unique loginName attribute");
+      return 0;
     }
-    writeWarning("$dn clashes with $clashDN on loginName $loginName ... please configure a unique loginName attribute");
-    return 0;
   }
 
   $wikiNames->{$wikiName} = $dn;
@@ -1315,7 +1323,8 @@ sub cacheGroupFromEntry {
     return 0;
   }
 
-  if (defined($data->{"U2W::$groupName"}) || defined($data->{"W2U::$groupName"})) {
+  my $loginName = $this->{caseSensitiveLogin}?$groupName:lc($groupName);
+  if (defined($data->{"U2W::$loginName"}) || defined($data->{"W2U::$groupName"})) {
     my $groupSuffix = '';
     if ($this->{normalizeGroupName}) {
       $groupSuffix = 'Group';
@@ -1352,7 +1361,6 @@ sub cacheGroupFromEntry {
     $this->{_groups}{$groupName}{$innerGroup} = 1; # delay til all groups have been fetched
   }
 
-
   # store it
   writeDebug("adding groupName='$groupName', dn=$dn");
 
@@ -1630,10 +1638,13 @@ sub isGroup {
   #writeDebug("called isGroup($wikiName)");
   $data ||= $this->{data};
 
+
   return undef if $this->{excludeMap}{$wikiName};
   return 1 if defined($data->{"GROUPS::$wikiName"});
   return 0 if defined($data->{"W2U::$wikiName"});
-  return 0 if defined($data->{"U2W::$wikiName"});
+
+  my $loginName = lc($wikiName) unless $this->{caseSensitiveLogin};
+  return 0 if defined($data->{"U2W::$loginName"});
 
   unless ($this->{preCache}) {
     $this->checkCacheForGroupName($wikiName, $data);
@@ -1646,20 +1657,21 @@ sub isGroup {
 
 =pod
 
----++ getEmails($login, $data) -> @emails
+---++ getEmails($loginName, $data) -> @emails
 
 fetch emails from LDAP
 
 =cut
 
 sub getEmails {
-  my ($this, $login, $data) = @_;
+  my ($this, $loginName, $data) = @_;
 
+  $loginName = lc($loginName) unless $this->{caseSensitiveLogin};
   $data ||= $this->{data};
 
-  $this->checkCacheForLoginName($login, $data) unless $this->{preCache};
+  $this->checkCacheForLoginName($loginName, $data) unless $this->{preCache};
 
-  my $emails = Foswiki::Sandbox::untaintUnchecked($data->{ "U2EMAIL::" . $login }) || '';
+  my $emails = Foswiki::Sandbox::untaintUnchecked($data->{ "U2EMAIL::" . $loginName }) || '';
   my @emails = split(/\s*,\s*/, $emails);
   return \@emails;
 }
@@ -1744,6 +1756,7 @@ sub getWikiNameOfLogin {
 
   #writeDebug("called getWikiNameOfLogin($loginName)");
 
+  $loginName = lc($loginName) unless $this->{caseSensitiveLogin};
   $data ||= $this->{data};
 
   unless ($this->{preCache}) {
@@ -1827,6 +1840,7 @@ sub getDnOfLogin {
 
   return unless $loginName;
 
+  $loginName = lc($loginName) unless $this->{caseSensitiveLogin};
   $data ||= $this->{data};
 
   return Foswiki::Sandbox::untaintUnchecked($data->{"U2DN::$loginName"});
@@ -1930,6 +1944,7 @@ sub checkCacheForLoginName {
 
   #writeDebug("called checkCacheForLoginName($loginName)");
 
+  $loginName = lc($loginName) unless $this->{caseSensitiveLogin};
   $data ||= $this->{data};
 
   return 1 if $data->{"U2W::$loginName"};
@@ -2220,9 +2235,9 @@ sub checkCacheForGroupName {
           if (!$this->{preCache} && $member =~ /$this->{groupBase}/i) {
             my $innerGroupName = $member;
             $innerGroupName =~ s/$this->{groupBase}//o;
-            $innerGroupName =~ s/$this->{groupAttribute}=//o;
+            $innerGroupName =~ s/$this->{groupAttribute}=//oi;
             $innerGroupName =~ s/^,+//o;
-            $innerGroupName =~ s/,+$//o;
+            $innerGroupName =~ ($this->{UserScope} eq 'sub' || $this->{GroupAttribute} eq 'sub') ? s/,.*$//o : s/,+$//o;
 
             # Smell: this may not be reliable and may work only with membersindirection. TO CHECK
             if ($innerGroupName ne "" && $this->isGroup($innerGroupName, $data)) {

lib/Foswiki/Contrib/LdapContrib/Config.spec

@@ -127,6 +127,10 @@ $Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
 # Enable/disable normalization of login names
 $Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;
 
+# **BOOLEAN**
+# Enable/disable case sensitive login names. If disabled case doesn't matter logging in.
+$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
+
 # **STRING**
 # Alias old !WikiNames to new account. This is a comma separated list of
 # "OldName=NewName" values.

lib/Foswiki/Contrib/LdapContrib/MANIFEST

@@ -4,5 +4,4 @@ lib/Foswiki/Contrib/LdapContrib.pm 0644
 lib/Foswiki/LoginManager/LdapApacheLogin.pm 0644
 lib/Foswiki/Users/LdapPasswdUser.pm 0644
 lib/Foswiki/Users/LdapUserMapping.pm 0644
-pub/System/LdapContrib/wikiringlogo40x40.png 0644
 tools/ldaptest 0755