Ask Question
« General Questions on Nuxeo

How to override the default security ACL to make it case-insensitive to the username ?

We have a messy AD where not all email addresses are in lower case. Some are capitalized and some are not. Because of this, a user may login with USer@acme.com or user@acme.com . I see in the ACLS table that the permissions are stored both ways, depending on how the user was logged in at the time the documents were created.

So, because of this, sometimes a user doesn't have access to basic functionality like edit it's own profile or access the personal workspace.

fast_narcis
Member (179)   1   2   3 		11/01/2011 ( History)
0 votes
1 answers
2575 views
ANSWER
ANSWERS

Since Nuxeo 5.4.2, you can force the id case of the directory entries to “lower” or “upper” in the LDAPDirectory configuration with: <idCase>lower</idCase> for instance. The default value for that parameter is “unchanged”.

That should fix your issue without having to mess with the ACL system. Nuxeo principal ids are must be unique, not only for the ACL system but also for looking up documents by creator id for instance.

Olivier Grisel
Member (2.1K)   1   4   3 		11/01/2011 ( History)
1 votes
fast_narcis
It would be great if it would work like that, but it doesn't. It could be because I am actually using a multiDirectory getting the users from LDAP but enriching their profiles from an SQL directory.
11/01/2011
Olivier Grisel
I don't see the issue, if you do the change on the LDAPDirectory configuration, the SQLDirectory will naturally fill in it's entries with lowercase ids only.

If you already have bad production data in the SQLDirectory you will need to write a migration SQL script(s) for your SQLDirectory to merge entries with ids with various cases that were potentially created before using &lt;idCase&gt;lower&lt;/idCase&gt; on the LDAPDirectory.

11/01/2011
fast_narcis
I've cleared the data folder so I have clean data.

In the SQL directory there are indeed only lower case usernames (emails), but if I try to login with same email in Upper case, the SQL directory doesn't load the record from the table.

I believe that is because the loading from directories is based on the username entered in the login screen.

11/01/2011
Olivier Grisel
Alright I think we can say that this qualifies as a bug. Can you please open a jira issue? I think we should make the SQLDirectory and / or MultiDirectory able to handle the idCase param as well to make them behave consistently.

In the mean time you can contribute your own implementation to the UserManagerService by deriving the default implementation and overriding the getPrincipal method to force the lowercase on the id at that level. That should solve your issues.

11/01/2011
fast_narcis
I already tried that but I have contributed a extension to the UserManager overriding the makePrincipal method, but the id is null at that point. Could you be more specific with what I need to override ?

Thanks.

11/02/2011
Olivier Grisel
Indeed overriding makePrincipal is useless since the user entry is already fetched from the user directory when this method is called. Override getPrincipal as I said previously instead
11/02/2011
fast_narcis
Also I have entered support ticket SUPNXP-4618 for the same.
11/02/2011
fast_narcis

It worked like this :

@Override
public NuxeoPrincipal getPrincipal(String username, DocumentModel context)
        throws ClientException {
    if (username == null) {
        return null;
    }
    return super.getPrincipal(username.toLowerCase(), context);
}
11/02/2011
Olivier Grisel
Looks good.
11/02/2011
Follow
Tags
Linked Questions
Related Questions
PCLM Share Action
Is it possible to know if a particular permission is grant anywhere in Nuxeo?
Bug - possible fix!: error removing access rights
Remove Permission Automation Example
Question about the publication and rights
ACL performance
Functional permissions in nuxeo
How can i create a group of permission?
Get all accesssible document of a user while being authenticated as Administrator PYTHON API