[pbs-devel] [RFC PATCH proxmox-backup v2 14/15] api: add case-insensitive support for Active Directory realms

Christoph Heiss c.heiss at proxmox.com
Tue Dec 12 13:19:16 CET 2023


Thanks a lot for testing!

On Mon, Nov 27, 2023 at 10:57:03AM +0100, Lukas Wagner wrote:
>
> On 8/16/23 16:47, Christoph Heiss wrote:
> > To properly support case-insensitive comparison of user names,
> > `CachedUserInfo` first needs to gain logic whether to look up the userid
> > in a case-sensitive or -insensitive manner.
> >
> > The API part is pretty straight-forward, adding a new `case-sensitive`
> > parameter to the API (which is on-by-default).
> >
>
> Mhmm, it seems this patch breaks user permissions if logging in as one of
> the case-permutations of the original username.
>
> Assuming you have a user 'test@ad-realm' (mapping to 'test@ad.example.com'
> on the AD server) and
> the 'case-sensitive = false' in the AD realm settings,
> you can login as 'Test@ad-realm' as well as 'test@ad-realm' -
> however, if I give the 'test@ad-realm' user permissions for some resources,
> e.g. a data store, the resource will not be accessible if I log in as
> 'Test@ad-realm'.

The case-insensitive stuff is really a PITA to retrofit properly, so I
kind of expected for something to turn up ..

Anyway, I'll look into it, thanks again!
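
The mismatch reported above, as an added example that is not part of the original message or of the proxmox-backup code: login accepts any case permutation, but a permission lookup keyed on the exact string misses the entry unless the userid goes through the same canonical form on grant and on lookup. The `Acl` type, its methods, the realm names, path and roles are hypothetical and constructed, and plain lowercase folding is an assumption about how the realm compares names.

```rust
use std::collections::HashMap;

// Hypothetical model, not proxmox-backup code; all names and values are constructed.
struct Acl {
    case_sensitive: HashMap<String, bool>,
    entries: HashMap<(String, String), String>,
}

impl Acl {
    // Fold the user part to lowercase only for realms marked case-insensitive.
    fn canonical(&self, userid: &str) -> String {
        match userid.rsplit_once('@') {
            Some((user, realm)) if self.case_sensitive.get(realm) == Some(&false) => {
                format!("{}@{}", user.to_lowercase(), realm)
            }
            _ => userid.to_string(),
        }
    }

    fn grant(&mut self, userid: &str, path: &str, role: &str) {
        let key = (self.canonical(userid), path.to_string());
        self.entries.insert(key, role.to_string());
    }

    // Exact-string lookup: the failure mode reported in the thread.
    fn role_exact(&self, userid: &str, path: &str) -> Option<&str> {
        let key = (userid.to_string(), path.to_string());
        self.entries.get(&key).map(|r| r.as_str())
    }

    // Lookup through the same canonical form that grant() stores.
    fn role(&self, userid: &str, path: &str) -> Option<&str> {
        let key = (self.canonical(userid), path.to_string());
        self.entries.get(&key).map(|r| r.as_str())
    }
}

fn sample() -> Acl {
    let mut acl = Acl { case_sensitive: HashMap::new(), entries: HashMap::new() };
    acl.case_sensitive.insert("ad-realm".into(), false);
    acl.case_sensitive.insert("pbs".into(), true);
    acl.grant("test@ad-realm", "/datastore/store1", "DatastoreAdmin");
    acl.grant("test@pbs", "/datastore/store1", "DatastoreAudit");
    acl
}

fn main() {
    println!("{:?}", sample().role("Test@ad-realm", "/datastore/store1"));
}
```

The case-sensitive realm in the sample shows the other half of the requirement: folding must stay scoped to realms that opted in, so that 'Test' and 'test' remain distinct users elsewhere.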



