How to override the default security ACL to make it case-insensitive to the username?

We have a messy AD where not all email addresses are in lower case. Some are capitalized and some are not. Because of this, a user may log in with or . I see in the ACLS table that the permissions are stored both ways, depending on how the user was logged in at the time the documents were created.

So, because of this, sometimes a user doesn't have access to basic functionality like editing their own profile or accessing the personal workspace.

0 votes

1 answers



Since Nuxeo 5.4.2, you can force the id case of the directory entries to “lower” or “upper” in the LDAPDirectory configuration with: <idCase>lower</idCase> for instance. The default value for that parameter is “unchanged”.

That should fix your issue without having to mess with the ACL system. Nuxeo principal ids must be unique, not only for the ACL system but also for looking up documents by creator id for instance.

1 votes

It would be great if it would work like that, but it doesn't. It could be because I am actually using a multiDirectory getting the users from LDAP but enriching their profiles from an SQL directory.

I don't see the issue: if you do the change on the LDAPDirectory configuration, the SQLDirectory will naturally fill in its entries with lowercase ids only.

If you already have bad production data in the SQLDirectory you will need to write migration SQL script(s) for your SQLDirectory to merge entries with ids with various cases that were potentially created before using <idCase>lower</idCase> on the LDAPDirectory.


I've cleared the data folder so I have clean data.

In the SQL directory there are indeed only lower case usernames (emails), but if I try to log in with the same email in upper case, the SQL directory doesn't load the record from the table.

I believe that is because the loading from directories is based on the username entered in the login screen.


Alright I think we can say that this qualifies as a bug. Can you please open a jira issue? I think we should make the SQLDirectory and / or MultiDirectory able to handle the idCase param as well to make them behave consistently.

In the meantime you can contribute your own implementation to the UserManagerService by deriving the default implementation and overriding the getPrincipal method to force the lowercase on the id at that level. That should solve your issues.


I already tried that, but I have contributed an extension to the UserManager overriding the makePrincipal method, and the id is null at that point. Could you be more specific about what I need to override?



Indeed, overriding makePrincipal is useless since the user entry is already fetched from the user directory when this method is called. Override getPrincipal as I said previously instead.

Also I have entered support ticket SUPNXP-4618 for the same.

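It worked like this:

@Override
public NuxeoPrincipal getPrincipal(String username, DocumentModel context)
        throws ClientException {
    if (username == null) {
        return null;
    }
    // Lower-case with a fixed locale so the id does not depend on the JVM default locale
    return super.getPrincipal(username.toLowerCase(java.util.Locale.ROOT), context);
}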

Looks good.
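
A sketch of the clean-up mentioned in the thread for permissions stored before ids were normalised (an added example, not code from the thread or from Nuxeo): it lists principals stored under several spellings and then collapses them to lower case. The `aces` table, its columns and the sample rows are constructed for illustration and do not reflect Nuxeo's real schema.

```python
import sqlite3

# Constructed sample data: a simplified stand-in for an ACL table, not Nuxeo's schema.
SAMPLE_ACES = [
    ("doc-1", "Jane.Doe@example.com", "ReadWrite"),
    ("doc-1", "jane.doe@example.com", "ReadWrite"),
    ("doc-2", "JANE.DOE@EXAMPLE.COM", "Everything"),
    ("doc-3", "bob@example.com", "Read"),
]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aces (doc_id TEXT, principal TEXT, permission TEXT)")
    conn.executemany("INSERT INTO aces VALUES (?, ?, ?)", SAMPLE_ACES)
    return conn

def find_case_variants(conn):
    """Map each lower-cased principal to the distinct spellings stored for it,
    keeping only principals that appear under more than one spelling."""
    rows = conn.execute(
        "SELECT DISTINCT lower(principal), principal FROM aces ORDER BY principal"
    ).fetchall()
    variants = {}
    for key, spelling in rows:
        variants.setdefault(key, []).append(spelling)
    return {k: v for k, v in variants.items() if len(v) > 1}

def normalize_principals(conn):
    """Lower-case every principal, then drop rows that became exact duplicates.
    Returns the number of rows left. SQLite's lower() only folds ASCII letters."""
    with conn:  # single transaction: both statements apply or neither does
        conn.execute("UPDATE aces SET principal = lower(principal)")
        conn.execute(
            "DELETE FROM aces WHERE rowid NOT IN ("
            " SELECT min(rowid) FROM aces GROUP BY doc_id, principal, permission)"
        )
    return conn.execute("SELECT count(*) FROM aces").fetchone()[0]

if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_case_variants(db))
    print("rows after merge:", normalize_principals(db))
    print("after:", find_case_variants(db))
```

Running the report step first, on a copy of the production data, shows how many principals are affected before anything is rewritten.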