LDAP *: Case Sensitivity Issues [#1272190]

Issues related to case sensitivity and character escaping come up frequently in ldap_* modules. The following are some general rules to keep behavior consistent in the code:

To codify how escaping and case sensitivity is dealt with, a function ldap_server_massage_text() was created to promote consistent case and escaping. Generally any ldap attribute names and values should be passed through this function.
Any configuration user interfaces should explain if text is case sensitive or not and should clarify that text should not be escaped.

Simpletests for case sensitivity and escaping are difficult since the mock server doesn't replicate ldap server environments.

Comment	File	Size	Author
#17	LDAP Case sensitive issue.png	22.48 KB	selva8187
#10	1272190.patch	2.77 KB	johnbarclay
#10
	drupal2.jpg	29.44 KB	jrm402
	drupal1.jpg	30.9 KB	jrm402
	drupal4.jpg	90.11 KB	jrm402
	drupal3.jpg	360.77 KB	jrm402

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

johnbarclay CreditAttribution: johnbarclay commented 7 October 2011 at 13:32

Version:	7.x-1.0-beta4	» 7.x-1.x-dev
Category:	bug	» support

There is no automated upgrade from ldap integration 6 and ldap 7.

As far as roles go, try the current dev version.

Comment #2

jrm402 CreditAttribution: jrm402 commented 16 November 2011 at 23:33

Will do. I'll try the latest dev release and now I see the beta5 is out - will try that as well.

As far as the upgrade from 6.x to 7, I had reentered all my server details after the upgrade. I had totally uninstalled the latest ladp_integration 6.x version and installed the LDAP Project beta4.

I'll keep you posted on my status. Thanks for your hard work and an awesome module.

Comment #3

johnbarclay CreditAttribution: johnbarclay commented 17 November 2011 at 02:54

Thanks. If you are up for it, a page on upgrading from 6 to 7 would be good in the documentation at: http://drupal.org/node/997082

Comment #4

jrm402 CreditAttribution: jrm402 commented 13 December 2011 at 00:54

That is a good idea. I'll try to squeeze in some time and get at least a basic upgrade doc together.

On a side note, one thing we utilized in the older 6.x versions of the LDAP module is the ability to pull roles from Active Directory into Drupal and then map select roles. This was useful for giving the Webmaster and IT Department an admin role in our websites. We have upwards of 50 roles in our organization (we need each users' roles to be pulled from AD for access capabilities) and it was time consuming to make a key|value pair for each role to be assigned to itself because IT and Webmaster needed admin rights (without forcibly applying them in Drupal. I wanted every new IT user to be granted the admin rights automatically).

I went ahead and applied this change in the ldap_authorization.inc, specifically the _ldap_authorizations_user_authorizations() function. I'd be more than happy to contribute the code to you, it is just a simple foreach loop. If you go forward with this, you may want to add a checkbox or, at minimum, a note of what would happen when the user adds role filters without checking the 'Use LDAP group to drupal roles filtering'.

Comment #5

johnbarclay CreditAttribution: johnbarclay commented 13 December 2011 at 05:37

Category:

support

» feature

I don't understand your comment #4. Maybe the code would illustrate it better. I'm changing this to a feature request also.

Comment #6

jrm402 CreditAttribution: jrm402 commented 13 December 2011 at 16:44

I'll post the code and explain a little better what I did.

At line 189 in the ldap_authorization.inc file:

    $filtered_ldap_authorizations = array();
    if ($consumer->consumerConf->useMappingsAsFilter) {
      foreach ($consumer->consumerConf->mappings as $mapping_filter) {
        $map_from = $mapping_filter[0];
        $map_to = $mapping_filter[1];
        if (isset($proposed_ldap_authorizations[$map_from]) || isset($proposed_ldap_authorizations[strtolower($map_from)])) {
          $filtered_ldap_authorizations[] = $map_to;
        }
      }
    }
    else {
      $filtered_ldap_authorizations = array_keys($proposed_ldap_authorizations);
    }

I changed the else statement to:

    else {
      $filtered_ldap_authorizations = array_keys($proposed_ldap_authorizations);
      if (is_array($consumer->consumerConf->mappings) && is_array($filtered_ldap_authorizations)) {
        foreach ($consumer->consumerConf->mappings as $mapping_filter) {
          $map_from = $mapping_filter[0];
          $map_to = $mapping_filter[1];

          $map_from_key = array_search($map_from, $filtered_ldap_authorizations);
          if ($map_from_key !== FALSE) {
            $filtered_ldap_authorizations[$map_from_key] = $map_to;
          }
        }
      }
    }

As an example, with the original module, my roles pulled by ldap after logging into our support website are:

employees
forums
web development
webmaster

Instead of giving the webmaster role admin capabilities, I had created an admin role. After I made the change to the module, the roles I receive are:

employees
forum
web development
admin

I still receive the roles provided by LDAP and additionally, certain roles were mapped to the admin role. Kind of a best of both world situation.

I have the following in my mapping textarea:

webmaster|admin
information technology|admin

Let me also state, in this example I used LDAP 7.x-1.0-beta5. I'm sure the code will migrate easily to the latest dev release if you choose to implement.

Comment #7

johnbarclay CreditAttribution: johnbarclay commented 13 December 2011 at 18:09

I get it. Very handy. I'll commit this when I get a chance.

Comment #8

johnbarclay CreditAttribution: johnbarclay commented 2 April 2012 at 04:34

Assigned:	Unassigned	» johnbarclay
Category:	feature	» bug
Status:	Active	» Needs review

I committed this. The only change I made was. Since its the way its supposed to behave there was no need to change the user interface.

$filtered_ldap_authorizations[$map_from_key] = $map_to;

$filtered_ldap_authorizations[] = $map_to;

Comment #9

jrm402 CreditAttribution: jrm402 commented 10 May 2012 at 15:30

Hello,

I've tested the current 7.x-1.x-dev with the modification you committed and it worked great with one small modification. In the foreach loop, line 224 of 7.x-1.0-beta9+35-dev:

foreach ($consumer->consumerConf->mappings as $mapping_filter) { }

We need to apply drupal_strtolower() to the $mapping_filter array too. If I typed the mapped keys with uppercase characters, they do not relate properly.

I added the array_walk() call inside the foreach. Here's what I have:

        foreach ($consumer->consumerConf->mappings as $mapping_filter) {
          array_walk($mapping_filter,'drupal_strtolower');
          $map_from = $mapping_filter[0];
          $map_to = $mapping_filter[1];
          $map_from_key = array_search($map_from, $filtered_ldap_authorizations);
          if ($map_from_key !== FALSE) {
            $filtered_ldap_authorizations[] = $map_to;
          }
        }

Thanks for the hard work. This module is great.

Comment #10

johnbarclay CreditAttribution: johnbarclay commented 10 May 2012 at 16:32

File	Size
1272190.patch	2.77 KB

Thanks. The $map_to is case sensitive as far as I can see, but the map_from isn't; depends on the consumer type. This will always be a problem and I think we need to do as you suggest and just make it case insensitive; even in the user interface. This will avoid future pain. Thus, I think $consumer->consumerConf->mappings should just flat out be lowercase.

Attached is a patch. Its against the 2.0 branch but should be easy to apply against 1.0. It basically does the same thing as yours, but at a higher level. Can you give it a try? I'll move it into the 1.0 dev branch and make sure the simpletests work.

the gist of the patch is a few cases like:

-    $this->mappings = $this->pipeListToArray($values->mappings);
+    $this->mappings = $this->pipeListToArray($values->mappings, TRUE);

and an optional parameter to the pipe list function.

-  protected function pipeListToArray($mapping_list_txt) {
+  protected function pipeListToArray($mapping_list_txt, $make_lowercase = FALSE) {
     $result_array = array();
     $mappings = preg_split('/[\n\r]+/', $mapping_list_txt);
     foreach ($mappings as $line) {
+      if ($make_lowercase) {
+        $line = drupal_strtolower($line);
+      }

Comment #11

johnbarclay CreditAttribution: johnbarclay commented 10 May 2012 at 16:46

Title:

Authorization: LDAP to Drupal Role Mapping Not Working

» LDAP Authorization: Case Sensitivity Issues

Looks like both are needed since you are dealing with the "unfiltered" case.

I committed your patch in #9 with slight change (below), but will keep this thread open for my change in comment 10.

       $filtered_ldap_authorizations = array_keys($proposed_ldap_authorizations);
       if (is_array($consumer->consumerConf->mappings) && is_array($filtered_ldap_authorizations)) {
         foreach ($consumer->consumerConf->mappings as $mapping_filter) {
-          $map_from = $mapping_filter[0];
-          $map_to = $mapping_filter[1];
+          $map_from = drupal_strtolower($mapping_filter[0]);
+          $map_to = drupal_strtolower($mapping_filter[1]);
           $map_from_key = array_search($map_from, $filtered_ldap_authorizations);
           if ($map_from_key !== FALSE) {
             $filtered_ldap_authorizations[] = $map_to;

Comment #12

jrm402 CreditAttribution: jrm402 commented 10 May 2012 at 17:06

Yes that sounds good. I think case-insensitive would be the better approach here. You'll see a lot less support tickets I presume.
The fix that will be applied by the patch in comment 10 will solve the need for the strtolower call later, correct?

Comment #13

johnbarclay CreditAttribution: johnbarclay commented 13 May 2012 at 15:29

Title:	LDAP Authorization: Case Sensitivity Issues	» LDAP *: Case Sensitivity Issues
Category:	bug	» task
Status:	Needs review	» Needs work

This issue is a good one, but before the next release candidate, case sensitivity and character escaping need to be looked at across all the ldap modules and documented. The esaping of \ and other characters should be fixed in the same pass. The testing of this needs to be outside of the simpletests as they use a fake ldap server.

Comment #14

johnbarclay CreditAttribution: johnbarclay commented 2 November 2012 at 05:08

Version:

7.x-1.x-dev

» 7.x-2.x-dev

I changed the storage of ldap authorizations in the ldap authorization model to store both the lowercase and mixed case versions of authorization ids. This should deal with case sensitivity in ldap authorization.

Comment #15

johnbarclay CreditAttribution: johnbarclay commented 3 November 2012 at 02:00

Status:

Needs work

» Closed (works as designed)

additional case sensitivity issues should be treated as bugs.

Comment #15.0

johnbarclay CreditAttribution: johnbarclay commented 3 November 2012 at 02:00

Issue summary:

View changes

summarized as general case sensitivity thread

Comment #16

selva8187 CreditAttribution: selva8187 as a volunteer and commented 13 November 2019 at 06:14

Issue summary:

View changes

Comment #17

selva8187 CreditAttribution: selva8187 as a volunteer and commented 13 November 2019 at 06:21

File	Size
LDAP Case sensitive issue.png	22.48 KB

HI johnbarclay,

We are using latest LDAP 7.x-2.5 version for PHP 7.2 compatibility, But we are facing user login issue(This page isn’t working - redirected you too many times).

Issue we found username case different from Active Directory and Drupal DB. Like in Active Directory username in Uppercase and Drupal DB same username in Lowercase and vice versa.

We want to remove case sensitive validation like case insensitive.

Kindly help us to correct this changes in Latest version

Thank you