LDAPUserFolder authenticates against wrong attribute
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Products.LDAPUserFolder | Won't Fix | Medium | Unassigned | |
Bug Description
The product uses the attribute from 'Login Name Attribute' (_login_attr from the LDAPUserFolder object) to check authentication requests, rather than 'User ID Attribute' (_uid_attr) as one could possibly expect.
Within Plone, the distinction between these two attributes is evident: the Canonical Name or 'Login Name' is typically mapped to a user's actual Full Name, whilst the User ID is self-explanatory.
This seems to be a bug to me, as it is an incorrect mapping.
To fix this problem, edit Line 774 of Products.
This causes LDAPUserFolder to start comparing the username entered with the user ID attribute rather than the user's CN.
The login attribute is *exactly* the right attribute to use; why else do you think it is even there? Its meaning, as the name clearly suggests, is "this is the attribute to compare user logins against".