Need help to configure LDAP case sensitivity

Chrizneko93 · July 30, 2019, 2:32am

I already installed and configured nextcloud and it ran smoothly.
To integrate with our running systems, we need to match it with our LDAP Server (and so far it is okay), but our LDAP usernames are case sensitive.

The username in LDAP is a special field designed to be case sensitive, for security.

I can login using my user that is all in lowercase (ex: example345), but failed when using my user that have mixed case (ex: ExAmple123).

From the log I noticed that nextcloud made the username at login screen to lowercase (strtolower I guess), therefore the LDAP never find the user.

I just need to disable the lower-casing at login screen, so I can login. Any help will be really appreciated.

Many thanks before

yourcloudasia · July 30, 2019, 3:44am

What LDAP server are you using? Can you provide the output of your log?

As a workaround, you could consider using another attribute to authenticate, such as email address (which is case insensitive).

budy · July 30, 2019, 4:06am

Afaik, LDAP is always case-insensitive, even the RDNs are. Besides that, case-sensittivity doesn’t give you any more security whatsoever. Better to operate in an known environment and to be aware of the dangers, than to lull yourself in a false sense of security.

Chrizneko93 · July 30, 2019, 4:15am

Thanks for the reply

Here is the log when I tried to login using username ‘CDMxy12@test.com’:

[core] Warning: Login failed: ‘CDMxy12@test.com’ (Remote IP: ‘192.168.0.169’)

[user_ldap] Warning: LDAP Login: Could not get user object for DN uniqueidentifier=cdmxy12@test.com,ou=mail,dc=test,dc=com. Maybe the LDAP entry has no set display name attribute?

From the log we can clearly see that my uniqueIdentifier is forced to the lowercase (CDMxy12@test.com --> cdmxy12@test.com), while in my LDAP data, the uniqueIdentifier field is filled with ‘CDMxy12@test.com’ NOT ‘cdmxy12@test.com’.

If I added ‘cdmxy12@test.com’ in my LDAP uniqueidentifier field, of course I will be able to login. But that’s not the solution, since we want the case sensitive username.

I am using openLDAP. I think the problem lies on the nextcloud settings, not the LDAP server because we configured it to be case sensitive (for security). If I tested ‘CDMxy12@test.com’ in settings > LDAP/AD Integration > Login attributes, the result was user found…

Chrizneko93 · July 30, 2019, 4:19am

With a little tweak you can make the field in LDAP to be case sensitive. Back awhile I also configured roundcube to disable the lower-casing username and it worked.

I agree with you regarding the security problem, but well it was an order from the higher-ups

yourcloudasia · August 1, 2019, 2:57am

What username does OpenLDAP say you are authenticating with?

Chrizneko93 · August 1, 2019, 3:35am

Thanks for the replies guys, I managed to find the solution (perhaps)

I found out that the one being lower-cased was my DN.

So instead of dn: uniqueIdentifier=CDMxy12@test.com,ou=mail,dc=test,dc=com, the system sent dn: uniqueIdentifier=cdmxy12@test.com,ou=mail,dc=test,dc=com to LDAP server. Therefore, no user found.

From this I commented the line $dn = mb_strtolower($dn, ‘UTF-8’); in /apps/user_ldap/lib/Helper.php, the one inside function sanitizeDN($dn).

and after that I can login

budy · August 1, 2019, 2:04pm

As I said - not a good and not even a standardized solution, since ldap is lower case by definition. Now, you will have to tweak this file, if a new NC release changes it.

You should probably address this once more with “the board” - suggest to them to stick to RFC standards, instead of rolling their own. In the end standards are there for a reason.

Chrizneko93 · August 2, 2019, 1:36am

I agree, it is really annoying
Will address it on the next meeting, thanks!