Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-12607

Active directory user names should not be case sensitive.

    Details

    • Similar Issues:

      Description

      Active directory user names should not be case sensitive. For example if I add the user "paul" then I would expect to be able to also login as "Paul", "pAul" or any other case combination.

      At the moment this won't match any user name and fail to login the user in, or worse match none and apply "authenticated user" permissions. This seems to confuse a lot of users.

      If there is a use case where case sensitivity is required then I think there should be a toggle option to enable or disable it.

        Attachments

          Issue Links

            Activity

            paulm Paul M created issue -
            Hide
            kohsuke Kohsuke Kawaguchi added a comment -

            As of 1.26 I cannot reproduce this. Please report a stack trace.

            (But toward 1.27, I made the change that once logged in the user name gets canonicalized)

            Show
            kohsuke Kohsuke Kawaguchi added a comment - As of 1.26 I cannot reproduce this. Please report a stack trace. (But toward 1.27, I made the change that once logged in the user name gets canonicalized)
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
            http://jenkins-ci.org/commit/active-directory-plugin/8b4c00a79201b605908d5d8983a7c719b0d645ff
            Log:
            JENKINS-12607 canonicalize the name.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java http://jenkins-ci.org/commit/active-directory-plugin/8b4c00a79201b605908d5d8983a7c719b0d645ff Log: JENKINS-12607 canonicalize the name.
            Hide
            dogfood dogfood added a comment -

            Integrated in plugins_active-directory #62
            JENKINS-12607 canonicalize the name. (Revision 8b4c00a79201b605908d5d8983a7c719b0d645ff)

            Result = SUCCESS
            Kohsuke Kawaguchi :
            Files :

            • src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
            Show
            dogfood dogfood added a comment - Integrated in plugins_active-directory #62 JENKINS-12607 canonicalize the name. (Revision 8b4c00a79201b605908d5d8983a7c719b0d645ff) Result = SUCCESS Kohsuke Kawaguchi : Files : src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
            Hide
            halkeye Gavin Mogan added a comment -

            I only just now found out about the bug. I am so happy its now been fixed, its always been a minor annoyance for me.

            Show
            halkeye Gavin Mogan added a comment - I only just now found out about the bug. I am so happy its now been fixed, its always been a minor annoyance for me.
            Hide
            kohsuke Kohsuke Kawaguchi added a comment -

            Sorry, this isn't fixed yet. It caused a serious regression JENKINS-13650 and needed to be backed out.

            Show
            kohsuke Kohsuke Kawaguchi added a comment - Sorry, this isn't fixed yet. It caused a serious regression JENKINS-13650 and needed to be backed out.
            Hide
            kohsuke Kohsuke Kawaguchi added a comment -

            The regression was that various code in Jenkins actually persists the user name (such as the matrix security.) So any kind of automatic canonicalization results in name mismatch, resulting in a loss of permissions.

            The proper fix needs to be in the core where SecurityRealm would decide whether the username/groupname is case sensitive.

            Show
            kohsuke Kohsuke Kawaguchi added a comment - The regression was that various code in Jenkins actually persists the user name (such as the matrix security.) So any kind of automatic canonicalization results in name mismatch, resulting in a loss of permissions. The proper fix needs to be in the core where SecurityRealm would decide whether the username/groupname is case sensitive.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
            http://jenkins-ci.org/commit/active-directory-plugin/15a8a87bc333a12ead447425075df3bdafd7625c
            Log:
            [FIXED JENKINS-13650] Revert "JENKINS-12607 canonicalize the name."

            This reverts commit 8b4c00a79201b605908d5d8983a7c719b0d645ff.

            Compare: https://github.com/jenkinsci/active-directory-plugin/compare/e8943e7...15a8a87

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java http://jenkins-ci.org/commit/active-directory-plugin/15a8a87bc333a12ead447425075df3bdafd7625c Log: [FIXED JENKINS-13650] Revert " JENKINS-12607 canonicalize the name." This reverts commit 8b4c00a79201b605908d5d8983a7c719b0d645ff. Compare: https://github.com/jenkinsci/active-directory-plugin/compare/e8943e7...15a8a87
            Hide
            dogfood dogfood added a comment -

            Integrated in plugins_active-directory #63
            [FIXED JENKINS-13650] Revert "JENKINS-12607 canonicalize the name." (Revision 15a8a87bc333a12ead447425075df3bdafd7625c)

            Result = SUCCESS
            Kohsuke Kawaguchi :
            Files :

            • src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
            Show
            dogfood dogfood added a comment - Integrated in plugins_active-directory #63 [FIXED JENKINS-13650] Revert " JENKINS-12607 canonicalize the name." (Revision 15a8a87bc333a12ead447425075df3bdafd7625c) Result = SUCCESS Kohsuke Kawaguchi : Files : src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
            Hide
            hnain Harpreet Nain added a comment -

            We are experiencing the same issue. We have around 100 users and to add each one with different uppercase and lowercase permutations is not very elegant to manage authorization. Is this planned to fixed soon?

            Show
            hnain Harpreet Nain added a comment - We are experiencing the same issue. We have around 100 users and to add each one with different uppercase and lowercase permutations is not very elegant to manage authorization. Is this planned to fixed soon?
            kohsuke Kohsuke Kawaguchi made changes -
            Field Original Value New Value
            Link This issue is related to JENKINS-17674 [ JENKINS-17674 ]
            Hide
            kohsuke Kohsuke Kawaguchi added a comment -

            This fix depends on JENKINS-17674

            Show
            kohsuke Kohsuke Kawaguchi added a comment - This fix depends on JENKINS-17674
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is related to JENKINS-19409 [ JENKINS-19409 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-22247 [ JENKINS-22247 ]
            Hide
            oleg_nenashev Oleg Nenashev added a comment -

            Fixed in JENKINS-22247 (1.566+)

            Show
            oleg_nenashev Oleg Nenashev added a comment - Fixed in JENKINS-22247 (1.566+)
            Hide
            fm F M added a comment -

            Problem still exists. Very annoying.

            Show
            fm F M added a comment - Problem still exists. Very annoying.
            Hide
            dgrierso David Grierson added a comment -

            Why is Jenkins passing around usernames and not ultimately referencing some sort of internal numeric user ID?

            This seems like a fundamental architectural issue.

            Show
            dgrierso David Grierson added a comment - Why is Jenkins passing around usernames and not ultimately referencing some sort of internal numeric user ID? This seems like a fundamental architectural issue.
            Hide
            oliyavanjb jothibasu Kamaraj added a comment - - edited

            Any Fix is given for this issue ,we are also facing same issue due to Case Sensitive while trying to apply the Access for the jobs via Role Strategy or Matrix Based security.

            Jenkins Version:1.596.2

            Show
            oliyavanjb jothibasu Kamaraj added a comment - - edited Any Fix is given for this issue ,we are also facing same issue due to Case Sensitive while trying to apply the Access for the jobs via Role Strategy or Matrix Based security. Jenkins Version:1.596.2
            Hide
            bargemayur05 Mayur Barge added a comment -

            We are also facing this issue.

            Show
            bargemayur05 Mayur Barge added a comment - We are also facing this issue.
            Hide
            jothibasu jothibasu k added a comment -

            Guys any update on this issue... we facing this issue while trying to integrate with JIRA..Please check

            Show
            jothibasu jothibasu k added a comment - Guys any update on this issue... we facing this issue while trying to integrate with JIRA..Please check
            jothibasu jothibasu k made changes -
            Priority Minor [ 4 ] Blocker [ 1 ]
            Hide
            sysadmin2062364230 System Administrator added a comment -

            I have this issue too. I find that the user needs to log in to Jenkins with the same case as the user I've created in the role manager. In other words, usernames are not case sensitive when they are passed to Active Directory for confirmation but they are case sensitive once they get back to Jenkins and it tries to use them to give you access. I've bodged it so far by creating lower case and Title Case versions of each user but I'd rather it just worked properly.

            Show
            sysadmin2062364230 System Administrator added a comment - I have this issue too. I find that the user needs to log in to Jenkins with the same case as the user I've created in the role manager. In other words, usernames are not case sensitive when they are passed to Active Directory for confirmation but they are case sensitive once they get back to Jenkins and it tries to use them to give you access. I've bodged it so far by creating lower case and Title Case versions of each user but I'd rather it just worked properly.
            Hide
            hieber Thomas Hieber added a comment -

            Same Problem here. The Workaround at the moment: You can enter the user to Jenkins usermanagement with upper or lowercase or any combination of upper and lowercase and it will always be found in Active Directory.
            They will ALWAYS be able to log in and they will always receive the rights given by their groups, but they do only receive individual rights if the name is entered exactly as set in Jenkins user Management.
            So you can tell your users to always use the same combination of upper and lowercase to log in or you can give them rights only based in groups. (which may lead to the need to do administration in LDAP which may or may be not possible for the Jenkins administrators)

            Show
            hieber Thomas Hieber added a comment - Same Problem here. The Workaround at the moment: You can enter the user to Jenkins usermanagement with upper or lowercase or any combination of upper and lowercase and it will always be found in Active Directory. They will ALWAYS be able to log in and they will always receive the rights given by their groups, but they do only receive individual rights if the name is entered exactly as set in Jenkins user Management. So you can tell your users to always use the same combination of upper and lowercase to log in or you can give them rights only based in groups. (which may lead to the need to do administration in LDAP which may or may be not possible for the Jenkins administrators)
            Hide
            mcsf M Chon added a comment -

            Switched to using LDAP a while back. (De-installed the Active Directory plugin).
            Very happy with LDAP.

            Show
            mcsf M Chon added a comment - Switched to using LDAP a while back. (De-installed the Active Directory plugin). Very happy with LDAP.
            Hide
            hieber Thomas Hieber added a comment -

            We had the described ussues with the LDAP plugin, not with the Active Directory plugin - sorry for the confusion.

            Show
            hieber Thomas Hieber added a comment - We had the described ussues with the LDAP plugin, not with the Active Directory plugin - sorry for the confusion.
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 142973 ] JNJira + In-Review [ 175797 ]
            Hide
            jasonschoon Jason Schoon added a comment -

            What would it take to get this under investigation or implemented? This appears to have been an issue for nearly 4 years, and it impacts our organization everytime not just someone new is added, but anytime they forgot to login with the exactly correct case. Not because they get rejected, but because they get in but have the wrong rights. That's a bad combination.

            Show
            jasonschoon Jason Schoon added a comment - What would it take to get this under investigation or implemented? This appears to have been an issue for nearly 4 years, and it impacts our organization everytime not just someone new is added, but anytime they forgot to login with the exactly correct case. Not because they get rejected, but because they get in but have the wrong rights. That's a bad combination.
            Hide
            oleg_nenashev Oleg Nenashev added a comment -

            Jason Schoon Jenkins is an open-source project. If you need this feature, the best way to get progress on it is to propose a pull request to the plugin. Maybe Félix Belzunce Arcos has some plans regarding this change.

            Show
            oleg_nenashev Oleg Nenashev added a comment - Jason Schoon Jenkins is an open-source project. If you need this feature, the best way to get progress on it is to propose a pull request to the plugin. Maybe Félix Belzunce Arcos has some plans regarding this change.

              People

              • Assignee:
                Unassigned
                Reporter:
                paulm Paul M
              • Votes:
                24 Vote for this issue
                Watchers:
                28 Start watching this issue

                Dates

                • Created:
                  Updated: