Re: [gitorious] LDAP authentication with short user names
Hi,

I have the same problem as Peter, I currently have several LDAP uids with 2 characters. So, I would like to know if there is still this three-character limit in Gitorious. If not, is there a config parameter somewhere to adjust this limit?

Cheers,
Thomas.

Thomas Chemineau

2012/9/25 Marius Mårnes Mathiesen marius.mathie...@gmail.com

> On Mon, Sep 24, 2012 at 2:47 PM, Ken Dreyer ktdre...@ktdreyer.com wrote:
>
> > On Mon, Sep 24, 2012 at 3:37 AM, Marius Mårnes Mathiesen marius.mathie...@gmail.com wrote:
> >
> > > Although I wasn't around at the time, I would think it either had to do with a higher probability for uniqueness with a three char username or the risk of brute force attacks on shorter usernames?
> >
> > Thank you. Do you think this is still valid? In other words, would you take a patch that drops the username limit from 3 to 2? To address any brute-force concerns, maybe the password minimum character limit should be increased.
>
> I agree, I'm quite sure such a patch would be accepted :-)
>
> > On Mon, Sep 24, 2012 at 5:30 AM, Peter Kjellerstedt peter.kjellerst...@axis.com wrote:
> >
> > > You might want to consider making this configurable, given that you cannot influence what user names are already in use
> >
> > Gitorious has so many configuration options already, so perhaps we should just change the limit from 3 to 2 and reduce the number of code paths to test?
>
> Agreed.
>
> > On Mon, Sep 24, 2012 at 5:41 AM, Marius Mårnes Mathiesen marius.mathie...@gmail.com wrote:
> >
> > > Side note: we're going to have to make some changes to how usernames are validated when using an external authentication provider (like LDAP) anyway. We currently substitute any dots in usernames with a dash, but the problem here is that this is a lossy process. We have seen LDAP directories which use both dashes and dots. One thing to do could be to be more liberal when using external authentication systems; do any of you have any thoughts on this - eg. what kind of real-world use cases we will need in this regard?
> >
> > Good question. I support Gitorious for a multi-realm Active Directory environment. Currently Gitorious' Kerberos+LDAP authentication is only enabled for one of the domains, but down the road I want to open it up to support users from multiple domains. This will entail supporting Gitorious usernames with @ signs.
> >
> > I've been meaning to look into what exactly is blocking @ signs in Gitorious - I wasn't sure if the restriction is related to Rails or not.
>
> Thanks for the input. The only restriction I still remember the motivation for wrt usernames is the dot: Rails treats dots anywhere in a URL specially, I think because of the convention of using it to specify a format. If you'd care experimenting with allowing and using @'s in usernames I'd love to hear how this works for you.
>
> Cheers,
> - Marius

--
To post to this group, send email to gitorious@googlegroups.com
To unsubscribe from this group, send email to gitorious+unsubscr...@googlegroups.com
---
You received this message because you are subscribed to the Google Groups Gitorious group.
To unsubscribe from this group and stop receiving emails from it, send an email to gitorious+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [gitorious] LDAP authentication with short user names
On Mon, Sep 24, 2012 at 2:47 PM, Ken Dreyer ktdre...@ktdreyer.com wrote:

> On Mon, Sep 24, 2012 at 3:37 AM, Marius Mårnes Mathiesen marius.mathie...@gmail.com wrote:
>
> > Although I wasn't around at the time, I would think it either had to do with a higher probability for uniqueness with a three char username or the risk of brute force attacks on shorter usernames?
>
> Thank you. Do you think this is still valid? In other words, would you take a patch that drops the username limit from 3 to 2? To address any brute-force concerns, maybe the password minimum character limit should be increased.

I agree, I'm quite sure such a patch would be accepted :-)

> On Mon, Sep 24, 2012 at 5:30 AM, Peter Kjellerstedt peter.kjellerst...@axis.com wrote:
>
> > You might want to consider making this configurable, given that you cannot influence what user names are already in use
>
> Gitorious has so many configuration options already, so perhaps we should just change the limit from 3 to 2 and reduce the number of code paths to test?

Agreed.

> On Mon, Sep 24, 2012 at 5:41 AM, Marius Mårnes Mathiesen marius.mathie...@gmail.com wrote:
>
> > Side note: we're going to have to make some changes to how usernames are validated when using an external authentication provider (like LDAP) anyway. We currently substitute any dots in usernames with a dash, but the problem here is that this is a lossy process. We have seen LDAP directories which use both dashes and dots. One thing to do could be to be more liberal when using external authentication systems; do any of you have any thoughts on this - eg. what kind of real-world use cases we will need in this regard?
>
> Good question. I support Gitorious for a multi-realm Active Directory environment. Currently Gitorious' Kerberos+LDAP authentication is only enabled for one of the domains, but down the road I want to open it up to support users from multiple domains. This will entail supporting Gitorious usernames with @ signs.
>
> I've been meaning to look into what exactly is blocking @ signs in Gitorious - I wasn't sure if the restriction is related to Rails or not.

Thanks for the input. The only restriction I still remember the motivation for wrt usernames is the dot: Rails treats dots anywhere in a URL specially, I think because of the convention of using it to specify a format. If you'd care experimenting with allowing and using @'s in usernames I'd love to hear how this works for you.

Cheers,
- Marius

Re: [gitorious] LDAP authentication with short user names
On Fri, Sep 21, 2012 at 6:42 PM, Ken Dreyer ktdre...@ktdreyer.com wrote:

> On Fri, Sep 21, 2012 at 6:52 AM, Peter Kjellerstedt peter.kjellerst...@axis.com wrote:
>
> > Couldn’t you just change the validation in app/models/user.rb that validates the length of the login to be between 3 and 40 characters to allow 2 to 40 instead? That is what we have done here…
>
> My concern with this approach is that it will be overwritten in future Gitorious version upgrades.
>
> That said, usernames of two characters do not seem unreasonable in general. Gitorious devs, any reason for choosing a three-character limit instead of two?

Although I wasn't around at the time, I would think it either had to do with a higher probability for uniqueness with a three char username or the risk of brute force attacks on shorter usernames?

- Marius

Re: [gitorious] LDAP authentication with short user names
On Mon, Sep 24, 2012 at 1:30 PM, Peter Kjellerstedt peter.kjellerst...@axis.com wrote:

> You might want to consider making this configurable, given that you cannot influence what user names are already in use in, e.g., an existing LDAP directory. E.g., I seriously doubt that our user who has a two letter user name would consider changing it because of Gitorious given that he has had it for almost 30 years… Changing Gitorious was a lot easier. ;)

:-)

Side note: we're going to have to make some changes to how usernames are validated when using an external authentication provider (like LDAP) anyway. We currently substitute any dots in usernames with a dash, but the problem here is that this is a lossy process. We have seen LDAP directories which use both dashes and dots. One thing to do could be to be more liberal when using external authentication systems; do any of you have any thoughts on this - eg. what kind of real-world use cases we will need in this regard?

Cheers,
- Marius

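An added example, not part of the thread and not Gitorious code: the dot-to-dash substitution described in the message above, run over a constructed list of directory uids to find the local logins that two different directory users would end up sharing, next to one reversible escaping. The method names, the sample uids and the assumption that `_` is acceptable in a local login are all hypothetical.

```ruby
# Added illustration; not Gitorious code. All names here are hypothetical.

# Constructed sample of LDAP uids, mixing dots and dashes.
SAMPLE_UIDS = %w[af a.f j.doe j-doe ann-marie.berg].freeze

# The lossy mapping described in the thread: every dot becomes a dash.
def lossy_login(uid)
  uid.tr('.', '-')
end

# Map each local login to the directory uids that would land on it, keeping
# only logins claimed by more than one uid. Each entry is a set of
# directory identities that would share a single local account.
def login_collisions(uids)
  uids.uniq
      .group_by { |uid| lossy_login(uid) }
      .select { |_login, sources| sources.size > 1 }
end

# A reversible alternative (assumes '_' is allowed in a local login):
# double the escape character first, then write each dot as "_d". Distinct
# uids always give distinct logins, and none of them contains a dot.
def reversible_login(uid)
  uid.gsub('_', '__').gsub('.', '_d')
end

ESCAPES = { '_' => '_', 'd' => '.' }.freeze

# Inverse of reversible_login. An escape it does not know (including a
# trailing lone '_') raises KeyError instead of guessing.
def restore_uid(login)
  login.gsub(/_(.?)/) { ESCAPES.fetch(Regexp.last_match(1)) }
end

if __FILE__ == $PROGRAM_NAME
  login_collisions(SAMPLE_UIDS).each do |login, sources|
    puts "collision: #{sources.join(', ')} -> #{login}"
  end
  SAMPLE_UIDS.each { |uid| puts "#{uid} -> #{reversible_login(uid)}" }
end
```

Running `login_collisions` over a real directory export before enabling external authentication shows which accounts the substitution would merge.
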
RE: [gitorious] LDAP authentication with short user names
Couldn't you just change the validation in app/models/user.rb that validates the length of the login to be between 3 and 40 characters to allow 2 to 40 instead? That is what we have done here...

//Peter

From: gitorious@googlegroups.com [mailto:gitorious@googlegroups.com] On Behalf Of Marius Mårnes Mathiesen
Sent: den 19 september 2012 10:31
To: gitorious@googlegroups.com
Subject: Re: [gitorious] LDAP authentication with short user names

On Mon, Sep 17, 2012 at 9:16 AM, Andreas Fischer make.fisc...@googlemail.com wrote:

> Hi all,
>
> we finally have successfully set up a gitorious server with LDAP integration. It all works well if the user name is longer than 2 characters. Unfortunately most of our LDAP login names are the initials of the users with only 2 characters (like 'af'). Is there a way to enable short user names in gitorious?

Andreas,

Would it be possible to use another LDAP attribute which resolves to the username? If not, the best thing to do would be to have conditional validation rules for the username and allow the configuration of this requirement in a configuration file, or to add a custom initializer which overrides the validations for the username.

Cheers,
- Marius

Re: [gitorious] LDAP authentication with short user names
On Fri, Sep 21, 2012 at 6:52 AM, Peter Kjellerstedt peter.kjellerst...@axis.com wrote:

> Couldn’t you just change the validation in app/models/user.rb that validates the length of the login to be between 3 and 40 characters to allow 2 to 40 instead? That is what we have done here…

My concern with this approach is that it will be overwritten in future Gitorious version upgrades.

That said, usernames of two characters do not seem unreasonable in general. Gitorious devs, any reason for choosing a three-character limit instead of two?

- Ken

[gitorious] LDAP authentication with short user names
Hi all,

we finally have successfully set up a gitorious server with LDAP integration. It all works well if the user name is longer than 2 characters. Unfortunately most of our LDAP login names are the initials of the users with only 2 characters (like 'af'). Is there a way to enable short user names in gitorious?

Thanks in advance
Andi

Re: [gitorious] LDAP authentication with short user names
On Mon, Sep 17, 2012 at 9:16 AM, Andreas Fischer make.fisc...@googlemail.com wrote:

> Hi all,
>
> we finally have successfully set up a gitorious server with LDAP integration. It all works well if the user name is longer than 2 characters. Unfortunately most of our LDAP login names are the initials of the users with only 2 characters (like 'af'). Is there a way to enable short user names in gitorious?

Andreas,

Would it be possible to use another LDAP attribute which resolves to the username? If not, the best thing to do would be to have conditional validation rules for the username and allow the configuration of this requirement in a configuration file, or to add a custom initializer which overrides the validations for the username.

Cheers,
- Marius