Item5603: LdapContrib doesn't handle correctly mixed case usernames

When TWiki access control is handled by LDAPContrib and access to a web is allowed based on the LDAP directory group membership and when username has mixed case characters, for example sAMAccountName=Anut, then the access control fails and user is denied access to the web, even though the user is member of the appropriate LDAP group.

It seems that LdapContrib lowercases usernames and when its building the LDAP group cache, the lowercase version of the username is not found or is recorded incorrectly in the cache.

Workaround is to comment out one line in the LdapContrib.pm file, in the cacheUserFromEntry() function code:

  my $loginName = $entry->get_value($this->{loginAttribute});
  unless ($loginName) {
    $this->writeDebug("no loginName for $dn ... skipping");
    return 0;
  }
  
  #$loginName = lc($loginName);
  $loginName = from_utf8(-string=>$loginName, -charset=>$TWiki::cfg{Site}{CharSet})
    unless $TWiki::cfg{Site}{CharSet} =~ /^utf-?8$/i;

Possibly related to Item5381 and Item5603

-- TWiki:Main.AivoJurgenson - 06 May 2008

There are actually quite many such lowercase conversions. It seems that commenting them out will help with other cases as well.

# fgrep -n "lc(" LdapContrib.pm
393:  # $login = lc($login);
816:  #$loginName = lc($loginName);
1074:  #my $emails = TWiki::Sandbox::untaintUnchecked($this->{data}{"U2EMAILS::".lc($login)}) || '';
1108:  # $loginName = lc($loginName);
1168:  #$loginName = lc($loginName);

and

# fgrep -n "lc(" LdapUserMapping.pm
257:  # my $name = lc($thisName);

-- TWiki:Main.AivoJurgenson - 28 May 2008

Already reported as Item5381.

-- MichaelDaum - 04 Nov 2010