LDAP case sensitivity

  • LDAP DNs and all attributes are case-insensitive by default, but it looks like pfSense is not honoring that default behavior all the way. If I run the authentication test against our LDAP server, the user SuperAdmin results in successful authentication and is a member of the admins group; if I then try superadmin, authentication is again successful but it doesn't belong to any groups ...

  • Not sure what your question is. In your example, authentication is not case-sensitive but authorization is. This is because some LDAP implementations are case-sensitive (though they shouldn't be), and it can be a pain when users have caps lock on. Industry best practice is to use all lowercase for user ids in your LDAP schema (and train your users to type all lowercase) to avoid this situation.

  • @msf2000 Hmm, looks like my post wasn't as clear as I thought it was, never mind. The problem is not about users mixing upper and lowercase, it's about the LDAP authentication that (it seems) is not handling casing correctly. Both 'SuperAdmin' and 'superadmin' authenticate correctly when using Diagnostics - Authentication. That diagnostic also returns group membership, but only for 'SuperAdmin' and not for 'superadmin'.
    .... but I should have searched a bit more: uid is not case sensitive by default but memberUID is (standard 389-DS schema) - odd but that's the way it is which explains the results I'm getting.
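
Added illustration, not part of the thread and not pfSense code: a small model of the two matching rules the last post describes, showing why a group lookup keyed on the typed login returns nothing for 'superadmin', and how keying it on the uid value stored in the user's entry avoids that. The directory contents, DNs and function names are constructed for the example.

```python
# Constructed in-memory directory; DNs and values are sample data only.
USERS = [{"dn": "uid=SuperAdmin,ou=people,dc=example,dc=com", "uid": "SuperAdmin"}]
GROUPS = [{"cn": "admins", "memberUid": ["SuperAdmin"]}]


def case_ignore_match(a, b):
    """Equality rule of the uid attribute (caseIgnoreMatch)."""
    return a.casefold() == b.casefold()


def case_exact_match(a, b):
    """Equality rule of memberUid in the RFC 2307 schema (caseExactIA5Match)."""
    return a == b


def find_user(login):
    """Stands in for a search on (uid=<login>): matches regardless of case."""
    for entry in USERS:
        if case_ignore_match(entry["uid"], login):
            return entry
    return None


def groups_for(member_value):
    """Stands in for a search on (memberUid=<value>): exact-case match."""
    return [g["cn"] for g in GROUPS
            if any(case_exact_match(m, member_value) for m in g["memberUid"])]


def groups_naive(login):
    """Group lookup keyed on the string the user typed."""
    return groups_for(login) if find_user(login) else []


def groups_canonical(login):
    """Group lookup keyed on the uid value stored in the matched entry."""
    entry = find_user(login)
    return groups_for(entry["uid"]) if entry else []


if __name__ == "__main__":
    for login in ("SuperAdmin", "superadmin"):
        print(login, groups_naive(login), groups_canonical(login))
```

For access control this matters in the fail-closed direction shown in the thread (a valid user silently loses group-derived privileges), so an authorization layer should resolve the canonical uid once and use it for every later lookup.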
