Disambiguate user by mail #298

Open · wants to merge 3 commits into master

Conversation

@pisys pisys commented May 14, 2019

When sending token: If ldap_search returns multiple entries for a given username (ie. $ldap_login_attribute is not unique), then check all users and their mail addresses for verifying user input.

@coudot (Member) commented May 14, 2019

I am not sure we should implement this. There should not be duplicate user identifiers in the directory.

@pisys (Author) commented May 15, 2019

Since it is allowed to set any $ldap_filter, this feature would be a direct consequence of that, I think. After all, the mail attribute is unique anyway.

E.g. in my case I want to enable users to initiate password reset even if they don't know their exact username (they did not pick the username themselves; instead it was generated automatically from their common name). So my $ldap_filter looks like (cn=*{login}*).

Together with the mail address provided (which is unique) I can verify that user input is correct.

However, I now spotted another problem with resetbytoken.php. There the user is fetched from LDAP by the login value, which is stored in the session and equals what the user entered in the input form. Here it is not possible to apply the same logic.

So I'd improve this pull request in this way:

  • Store all user data, which was fetched from LDAP in sendtoken.php, in the session.
  • Retrieve user data from session in resetbytoken.php instead of fetching it from LDAP again.
  • Display the value of $ldap_login_attribute in the password change form.

If ldap_search returns multiple entries for a given username (ie.
$ldap_login_attribute is not unique), then check all users and their
mail addresses for verifying user input.
* Fix breaking foreach loop over mails
* Store user data in session on sendtoken
* Retrieve user data from session on resetbytoken
* Use `$ldap_login_attribute` to retrieve the username from user data
* `$ldap_filter_reset` for ldap search on sendtoken (allow non-unique
search criteria)
* Add message type for login field on sendtoken
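The sendtoken / resetbytoken flow that the author's three bullet points and the commit messages above describe, as an added example that is not code from this pull request or from the project. The project is PHP; this is a Python model in which a constructed in-memory directory stands in for ldap_search(), and the session layout, the token format and all helper names other than the page's own ($ldap_filter_reset, $ldap_login_attribute, sendtoken.php, resetbytoken.php) are assumptions for illustration. It shows the two points a reviewer would want covered once the reset filter is allowed to be non-unique: the login value must be escaped before it is substituted into the wildcard filter, and resetbytoken must identify the user from the DN that sendtoken already resolved and bound to the token, never by repeating the ambiguous login search.

```python
"""Model of the sendtoken -> resetbytoken flow proposed in PR #298.

Constructed example; not code from LTB Self Service Password. Only the
names ldap_search, $ldap_filter_reset and $ldap_login_attribute come from
the page; the directory, session layout and token handling are assumptions.
"""
import hmac
import re
import secrets

# Constructed stand-in for the directory. cn is NOT unique under a substring
# filter; mail is unique, which is what the PR author relies on.
DIRECTORY = [
    {"dn": "uid=jsmith1,ou=people,dc=example,dc=com", "uid": "jsmith1",
     "cn": "John Smith", "mail": "john.smith@example.com"},
    {"dn": "uid=jsmith2,ou=people,dc=example,dc=com", "uid": "jsmith2",
     "cn": "Jane Smith", "mail": "jane.smith@example.com"},
    {"dn": "uid=adoe,ou=people,dc=example,dc=com", "uid": "adoe",
     "cn": "Alice Doe", "mail": "alice.doe@example.com"},
]

LDAP_LOGIN_ATTRIBUTE = "uid"          # $ldap_login_attribute
LDAP_FILTER_RESET = "(cn=*{login}*)"  # $ldap_filter_reset, deliberately non-unique


def ldap_escape(value):
    """RFC 4515 escaping so user input cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def ldap_search(filter_template, login):
    """Toy evaluator for one '(attr=pattern)' filter with '*' wildcards,
    returning the list of entries the PHP code would get from ldap_search()."""
    flt = filter_template.replace("{login}", ldap_escape(login))
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if m is None:
        raise ValueError("unsupported filter: " + flt)
    attr, pattern = m.group(1), m.group(2)
    # Unescaped '*' is a wildcard; '\xx' sequences are literal characters,
    # so an escaped '*' or ')' from the user matches only itself.
    pieces = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                               lambda h: chr(int(h.group(1), 16)), p))
              for p in pattern.split("*")]
    rx = re.compile(".*".join(pieces), re.IGNORECASE)  # cn is caseIgnore
    return [e for e in DIRECTORY if attr in e and rx.fullmatch(e[attr])]


def disambiguate(candidates, mail):
    """Keep only candidates whose mail equals the user-supplied address
    (case-insensitive). Accept exactly one survivor; zero or several is a miss."""
    wanted = mail.strip().lower()
    matches = [e for e in candidates if e.get("mail", "").lower() == wanted]
    return matches[0] if len(matches) == 1 else None


def send_token(session, login, mail):
    """sendtoken.php step: resolve the user with the non-unique filter plus the
    mail check, then store everything resetbytoken.php needs in the session."""
    if not login.strip() or not mail.strip():
        return "emptyinput", None
    user = disambiguate(ldap_search(LDAP_FILTER_RESET, login), mail)
    if user is None:
        return "usernotfound", None   # same answer for 0 or >1 remaining
    token = secrets.token_urlsafe(32)
    session[token] = {
        "dn": user["dn"],
        "login": user[LDAP_LOGIN_ATTRIBUTE],  # shown in the change form
        "mail": user["mail"],
    }
    return "ok", token


def reset_by_token(session, token):
    """resetbytoken.php step: identify the user from the session entry bound
    to the token; the ambiguous login search is never repeated here."""
    for stored, user in session.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return user["dn"], user["login"]
    return None


if __name__ == "__main__":
    sess = {}
    status, tok = send_token(sess, "smith", "jane.smith@example.com")
    print(status, reset_by_token(sess, tok))
```

With the filter above, "smith" returns both Smith entries and only the mail address decides between them; an input such as "*" or "*)(uid=adoe" is escaped to a literal and matches nothing, which matters more once the filter carries wildcards than it did with an exact (uid={login}) search. Note that with an empty login the filter degenerates to (cn=**) and matches every entry, which is why send_token rejects empty input before searching.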
@coudot coudot added this to the Future milestone Aug 17, 2020