When TWiki access control is handled by LdapContrib, access to a web is allowed based on LDAP directory group membership, and the username has mixed-case characters (for example sAMAccountName=Anut), access control fails and the user is denied access to the web, even though the user is a member of the appropriate LDAP group.
It seems that LdapContrib lowercases usernames, and when it's building the LDAP group cache, the lowercase version of the username is not found or is recorded incorrectly in the cache.
The workaround is to comment out one line in the LdapContrib.pm file, in the cacheUserFromEntry() function code:

    my $loginName = $entry->get_value($this->{loginAttribute});
    unless ($loginName) {
      $this->writeDebug("no loginName for $dn ... skipping");
      return 0;
    }
    #$loginName = lc($loginName);
    $loginName = from_utf8(-string=>$loginName, -charset=>$TWiki::cfg{Site}{CharSet})
      unless $TWiki::cfg{Site}{CharSet} =~ /^utf-?8$/i;

Possibly related to Item5381 and Item5603.

-- TWiki:Main.AivoJurgenson - 06 May 2008

There are actually quite a lot of such lowercase conversions. It seems that commenting them out will help with other cases as well.

    # fgrep -n "lc(" LdapContrib.pm
    393: # $login = lc($login);
    816: #$loginName = lc($loginName);
    1074: #my $emails = TWiki::Sandbox::untaintUnchecked($this->{data}{"U2EMAILS::".lc($login)}) || '';
    1108: # $loginName = lc($loginName);
    1168: #$loginName = lc($loginName);

and

    # fgrep -n "lc(" LdapUserMapping.pm
    257: # my $name = lc($thisName);

-- TWiki:Main.AivoJurgenson - 28 May 2008
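
The failure mode this report suspects, as an added example that is not LdapContrib code and not part of the original report: a cache that lowercases login names on one side but stores group members as they appear in the directory loses the membership, while applying the same normalization on both sides keeps it. The group name `WikiEditors`, the cache layout and the helpers `build_cache` and `is_member` are hypothetical, and the directory data is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed directory data: one user whose sAMAccountName has mixed case,
# and one group (hypothetical name) listing that user as a member.
my @users  = ({ login => 'Anut' });
my %groups = (WikiEditors => ['Anut']);

# Build a cache. $norm_user normalizes login names when users are cached,
# $norm_member normalizes member names when groups are cached.
sub build_cache {
    my ($norm_user, $norm_member) = @_;
    my %cache;
    $cache{user}{ $norm_user->($_->{login}) } = 1 for @users;
    for my $group (keys %groups) {
        $cache{member}{$group}{ $norm_member->($_) } = 1
            for @{ $groups{$group} };
    }
    return \%cache;
}

# Access check: the login is looked up the same way the user cache stored it,
# then the resulting key is checked against the group's member set.
sub is_member {
    my ($cache, $norm_user, $login, $group) = @_;
    my $key = $norm_user->($login);
    return 0 unless $cache->{user}{$key};
    return $cache->{member}{$group}{$key} ? 1 : 0;
}

my $lower = sub { lc $_[0] };   # lowercase the name
my $asis  = sub { $_[0] };      # keep the directory's spelling

# Mismatch: users lowercased, group members kept as-is.
# The key 'anut' is never present in the member set, so access is denied.
my $broken = build_cache($lower, $asis);
print "mismatched: ", is_member($broken, $lower, 'Anut', 'WikiEditors'), "\n";

# Consistent: both sides lowercased, so any spelling of the login matches.
my $fixed = build_cache($lower, $lower);
print "consistent: ", is_member($fixed, $lower, $_, 'WikiEditors'), " ($_)\n"
    for qw(Anut anut ANUT);
```

Commenting out the `lc()` calls reaches consistency the other way, with nothing lowercased, which makes login matching case-sensitive everywhere those names are compared.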