graylog2-server
Username case sensitivity
Hello,
With LDAP support (not tested without), on authentication, varying the case of your username will create a new Graylog account (and so a new permission context).
Example:
jsmith Jsmith JSmith ....
(Semi-) duplicate of Graylog2/graylog2-web-interface#1007. I'm keeping this issue open because the other one is in the wrong repository.
We will reconsider this for 2.0 because it needs a few incompatible API changes.
We would either need to treat user names as case insensitive in the entire application or map LDAP/AD names to lowercase. In either case we have hit problems in the past which is why we haven't addressed it yet.
Any update of this issue?
@sharique No.
Any update? :)
Is this planned to be implemented at some point in the future?
I support @kroepke's idea about creating a mapping, but maybe another way is to add a boolean field to the UserImpl, named `CASE_INSENSITIVE`, that is `true` if case insensitive and `false` if not, and the `getName` (https://github.com/Graylog2/graylog2-server/blob/master/graylog2-server/src/main/java/org/graylog2/users/UserImpl.java#L147) method of the user is the one that handles the conversion to lower case (that, or storing the name in another field in lower case and just putting an if-else with the condition `CASE_INSENSITIVE`).
I haven't yet inspected the whole code to see if this alternative breaks fewer things, but I think it at least requires fewer changes.
What do you think about this?
Any plan about fixing this issue?
[z#843562]
We should super fix this, it's real annoying!
Might be something for 5.0.
I suggest adding a new config option (only for AD/LDAP for now) to lowercase the username on creation and sign-in. The change should come with documentation on how to convert existing usernames in MongoDB to lowercase.
Opinions?
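The suggestion above (normalise the username once, apply it on both account creation and sign-in, and ship a migration for existing records) can be illustrated with a small stand-alone model. The following is an added Python example, not Graylog code: `UserStore`, `normalize_username` and `migrate_to_lowercase` are hypothetical names, and the in-memory dict stands in for the MongoDB collection. It shows why a case-sensitive store lets `jsmith`, `Jsmith` and `JSmith` become three accounts, how a single normalisation point prevents that, and the one edge case a migration must handle: existing records that collapse onto the same lowercased key.

```python
"""Case-insensitive local usernames: one normalisation point for create and
sign-in, plus a migration that reports collisions (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field


def normalize_username(name: str) -> str:
    # The single place where usernames are canonicalised. Because both
    # create() and authenticate() go through it, a name stored once can
    # never be re-created under a different casing.
    return name.strip().lower()


def _hash_password(password: str) -> str:
    # Stand-in for a real password hash; the example only needs something
    # comparable in constant time, not a production KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class UserStore:
    # Maps storage key -> record. The record keeps the display form the
    # user typed, so "JSmith" still renders as "JSmith" in the UI.
    users: dict = field(default_factory=dict)
    case_insensitive: bool = True  # the proposed config option

    def _key(self, name: str) -> str:
        return normalize_username(name) if self.case_insensitive else name

    def create(self, name: str, password: str) -> str:
        key = self._key(name)
        if key in self.users:
            raise ValueError(f"user already exists: {name!r}")
        self.users[key] = {
            "display_name": name,
            "password_hash": _hash_password(password),
        }
        return key

    def authenticate(self, name: str, password: str) -> bool:
        rec = self.users.get(self._key(name))
        if rec is None:
            return False
        return hmac.compare_digest(rec["password_hash"], _hash_password(password))


def migrate_to_lowercase(records: dict) -> tuple:
    """Rewrite an existing case-sensitive record set keyed by raw username.

    Returns (migrated, collisions): migrated is keyed by the lowercased
    name; collisions lists (kept_name, dropped_name) pairs that an operator
    must merge by hand, because two distinct accounts now share a key.
    """
    migrated = {}
    collisions = []
    for raw_name, rec in records.items():
        key = normalize_username(raw_name)
        if key in migrated:
            collisions.append((migrated[key]["display_name"], raw_name))
            continue  # keep the first record, report the duplicate
        migrated[key] = dict(rec, display_name=raw_name)
    return migrated, collisions


if __name__ == "__main__":
    legacy = UserStore(case_insensitive=False)
    for variant in ("jsmith", "Jsmith", "JSmith"):
        legacy.create(variant, "pw")
    print("case-sensitive store holds", len(legacy.users), "accounts")

    fixed = UserStore()
    fixed.create("jsmith", "pw")
    print("login as JSMITH:", fixed.authenticate("JSMITH", "pw"))
    print("migration:", migrate_to_lowercase(legacy.users)[1])
```

The migration deliberately refuses to merge colliding records on its own: which of `jsmith` and `JSmith` owns the permissions is a decision for the operator, so the function surfaces the pair instead of silently dropping one.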
That could work. Is there a practical reason why one would need case sensitivity for usernames? I'm not familiar with OpenLDAP, but Active Directory treats usernames as case insensitive, so doing a `toLower` on the username would work. Is the issue that Mongo is storing it in a case-sensitive way and Graylog has to reconcile with Mongo?
For usability, I'm a fan of "expected behavior" being the default. In this case, new installs could default to usernames always being lower (or even a cosmetic/display username and the forced lower username).
The problem is that login will work with any - at least in the past - but as the account is stored in Mongo the way you type in you are able to create multiple accounts just by changing cases for letters ...
> The problem is that login will work with any - at least in the past - but as the account is stored in Mongo the way you type in you are able to create multiple accounts just by changing cases for letters ...

This is not the case anymore. For LDAP/AD Graylog is using the username that is returned from the LDAP/AD server instead of using the value that has been entered by the user in the login form. So whatever format the user is using, we always use the format from the LDAP/AD server. We also don't use the username as the primary key for user accounts from LDAP/AD anymore but use the `entryUUID` (or equivalent), so even changes in the username don't lead to the creation of a new user account in Graylog.
> I suggest adding a new config option (only for AD/LDAP for now) to lowercase the username on creation and sign-in. The change should come with documentation on how to convert existing usernames in MongoDB to lowercase.
> Opinions?
@boosty Given the background in https://github.com/Graylog2/graylog2-server/issues/1361#issuecomment-1276459188, what would we gain when we lowercase usernames for LDAP/AD users?
I didn't realize the dup user thing was fixed. Looks like the remaining issue is an `Invalid Credentials` error even though the username (which should be case insensitive) is correct:
> I didn't realize the dup user thing was fixed. Looks like the remaining issue is an `Invalid Credentials` error even though the username (which should be case insensitive) is correct:
@drewmiranda-gl Is the user `Drew` a user in LDAP/AD or a local Graylog user?
My mistake, that was a local user 🤦♂️. An LDAP user does appear to work correctly regardless of case.
Local users appear to have an issue with casing.
> @boosty Given the background in https://github.com/Graylog2/graylog2-server/issues/1361#issuecomment-1276459188, what would we gain when we lowercase usernames for LDAP/AD users?
@bernd Thanks for the clarification 👍 No need to change anything for LDAP/AD then, as the main issue seems to have been solved, which was the creation of duplicated accounts within Graylog.
I am not sure at this point how important case-insensitivity for local usernames is, but we can keep this open to wait for further feedback.
For reference:
We fixed the creation of duplicate accounts due to the case sensitivity of usernames as part of the new authentication implementation in https://github.com/Graylog2/graylog2-server/pull/9007.
I am closing this for now. Should there be more demand to change the behaviour for local users, we can reopen this issue (or create a new, more specific one).