Issue Type: Bug Created: 2009-02-17T12:24:07.000+0000 Last Updated: 2009-07-20T11:39:12.000+0000 Status: Resolved Fix version(s): - 1.9.0 (31/Jul/09)
Reporter: Seth P (spurcell) Assignee: Stefan Gehrig (sgehrig) Tags: - Zend_Auth_Adapter_Ldap
Related issues: Attachments:
We were looking into authenticating our webapp users based on their email addresses via LDAP, but if you pass an arbitrary email address to a Zend_Auth_Adapter_Ldap:
If you try to force accountCanonicalForm = 4 to include the domain without specifying an accountDomainName, it throws an exception.
To verify the behavior we were seeing, we tried using cn instead of mail as the RDN by setting cn= the email address minus its "@", and set the filter to "(&(objectClass=inetOrgPerson)(cn=%s))". This authenticated successfully.
Posted by Michael B Allen (miallen) on 2009-02-17T13:16:50.000+0000
An email address is not a qualified account name. It is just an email address. What you want is basically ACCTNAME_FORM_EMAIL = 5 with corresponding logic to canonicalize the account name to the mail attribute. Which is to say Zend_Auth_Adapter_Ldap simply does not implement this.
Note that I think this would require querying the LDAP server which would slow things down a little.
I agree this should be implemented but I will not be active on this project for the foreseeable future.
You could extend Zend_Ldap to add the desired behavior (and then you would have to also extend Zend_Auth_Adapter_Ldap so that it used your extended Zend_Ldap).
Finally, this should really be assigned to Zend_Ldap and not Zend_Auth_Adapter_Ldap as Zend_Ldap is where the actual name canonicalization occurs.
Posted by Stefan Gehrig (sgehrig) on 2009-02-17T23:52:53.000+0000
The new extended Zend_Ldap component that currently is in the Standard Incubator takes care of this issue as it provides a 'tryUsernameSplit' option that, when set to false, will skip the splitting operation you described in case (2) and will allow to pass the full email address to the LDAP server. (I admit that the option name is not quite perfect yet...)
Perhaps you can try the new component or extract the relevant code to extend Zend_Ldap yourself as Michael pointed out.
Posted by Stefan Gehrig (sgehrig) on 2009-07-20T11:39:11.000+0000
fixed in trunk for next minor-release 1.9. Behaviour is controlled by the option key tryUsernameSplit,
Have you found an issue?
See the Overview section for more details.