[FR] Case insensitive login
Problem description
Login is case sensitive, which can be confusing for users (e.g. administrator is not the same user as Administrator).
Solution I'd like
I would like to be able to log in with either
- username
- Username
- USERNAME
And in case of an NTLM domain:
- domain\username
- DOMAIN\username
- DOMAIN\USERNAME
- etc...
Maybe doing it by lowercasing usernames when saving them in the database via lower() and when doing the comparison could work; however, I guess the display name in the settings sessions would be in lowercase (I don't see that as an issue...).
Alternatives
We could also do everything via upper(). If the functionality is interesting, then we might need to put a configuration variable, but I would be in favor of a "case-insensitive login only" option.
For information, in the LDAP RFC in §2.39 we have EQUALITY caseIgnoreMatch, which confirms the fact that UIDs should be case insensitive.
I do not know if you want to also follow this rule for local users of IRIS...
If that is not the case it means that this should be taken care of in ldap_handler.py.
Hi @juadde
Indeed, we can - and should - follow the RFC. We'll update the code for both LDAP and local auth.
We just need to figure out a way to handle a migration scenario where there are two different users with upper and lower cap.
Thanks!
Hi @whikernel,
I think the migration scenarios are quite hard to handle. @c8y3 had an idea where a check tool could be provided:
- Check if 2 users would have the same result if everything is lower cased or case insensitively compared
- If not, then migration is possible => should be 90% of the actual implementations anyway
- If yes, then a user should be renamed; maybe a renaming tool would ease the life of administrators with such use-cases?
I don't see the use-case of having several usernames with only a case difference, IMHO it is almost a sanity check that needs to be performed before upgrading to the next version.
I do not know if it is the right way to proceed, but that may be useful...
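The pre-migration check described in the comment above, as an added example that is not part of the original thread or of the IRIS code base: it groups logins by their lowercased form, refuses to migrate while collisions exist, and afterwards enforces uniqueness on the lowercased login so a case-insensitive lookup can never match two accounts. The `users` table, `login` column, index name and sample logins are assumptions, and SQLite stands in for the real database.

```python
import sqlite3

# Constructed sample logins. The "users" table and "login" column are
# hypothetical (not the IRIS schema); SQLite stands in for the real database.
SAMPLE_LOGINS = ["administrator", "Administrator", "DOMAIN\\jdoe",
                 "domain\\JDoe", "alice"]

def make_db(logins):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL)")
    db.executemany("INSERT INTO users (login) VALUES (?)", [(l,) for l in logins])
    return db

def find_collisions(db):
    """Group logins by lower(login); return only groups with 2+ members.

    The grouping uses the database's own lower(), the same function the
    login lookup and the unique index use, so the check and the
    enforcement cannot disagree. (SQLite's built-in lower() folds ASCII only.)
    """
    groups = {}
    for key, login in db.execute("SELECT lower(login), login FROM users ORDER BY id"):
        groups.setdefault(key, []).append(login)
    return {k: v for k, v in groups.items() if len(v) > 1}

def migrate(db):
    """Lowercase stored logins and enforce uniqueness, or refuse and report."""
    collisions = find_collisions(db)
    if collisions:
        return False, collisions  # an administrator must rename first
    with db:  # one transaction: both statements apply or neither does
        db.execute("UPDATE users SET login = lower(login)")
        db.execute("CREATE UNIQUE INDEX ux_users_login_ci ON users (lower(login))")
    return True, {}

def find_login(db, supplied):
    """Case-insensitive lookup; unambiguous once the unique index exists."""
    row = db.execute("SELECT login FROM users WHERE lower(login) = lower(?)",
                     (supplied,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db(SAMPLE_LOGINS)
    print(migrate(db))  # refused: the colliding groups are reported
    db.execute("UPDATE users SET login = 'administrator2' WHERE id = 2")
    db.execute("UPDATE users SET login = 'domain\\jdoe2' WHERE id = 4")
    print(migrate(db), find_login(db, "DOMAIN\\JDOE"))
```

After a successful run, inserting a login that differs from an existing one only by case is rejected by the index, so the collision cannot reappear later.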
Hi,
How do you foresee the changes that need to happen for this implementation?
Do you have pointers on the extent of the work to be performed and at which level (LDAP handler, user management, user data saving in database...)?
What would be your implementation choices (everything stored in lower case in the database? Case-insensitive comparison, so database fields can keep their initial case and would be shown that way in the interface?).
I'm trying to see how to contribute for this part.