
Active directory user names should not be case sensitive.

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • None
    • Windows Server 2008.

      Active directory user names should not be case sensitive. For example, if I add the user "paul" then I would expect to be able to also log in as "Paul", "pAul" or any other case combination.

      At the moment this won't match any user name and fails to log the user in, or worse matches none and applies "authenticated user" permissions. This seems to confuse a lot of users.

      If there is a use case where case sensitivity is required then I think there should be a toggle option to enable or disable it.

          [JENKINS-12607] Active directory user names should not be case sensitive.

          Kohsuke Kawaguchi added a comment -

          As of 1.26 I cannot reproduce this. Please report a stack trace.

          (But toward 1.27, I made the change that once logged in the user name gets canonicalized)

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          http://jenkins-ci.org/commit/active-directory-plugin/8b4c00a79201b605908d5d8983a7c719b0d645ff
          Log:
          JENKINS-12607 canonicalize the name.

          dogfood added a comment -

          Integrated in plugins_active-directory #62
          JENKINS-12607 canonicalize the name. (Revision 8b4c00a79201b605908d5d8983a7c719b0d645ff)

          Result = SUCCESS
          Kohsuke Kawaguchi :
          Files :

          • src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java


          Gavin Mogan added a comment -

          I only just now found out about the bug. I am so happy it's now been fixed, it's always been a minor annoyance for me.

          Kohsuke Kawaguchi added a comment -

          Sorry, this isn't fixed yet. It caused a serious regression JENKINS-13650 and needed to be backed out.

          Kohsuke Kawaguchi added a comment -

          The regression was that various code in Jenkins actually persists the user name (such as the matrix security.) So any kind of automatic canonicalization results in name mismatch, resulting in a loss of permissions.

          The proper fix needs to be in the core where SecurityRealm would decide whether the username/groupname is case sensitive.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          http://jenkins-ci.org/commit/active-directory-plugin/15a8a87bc333a12ead447425075df3bdafd7625c
          Log:
          [FIXED JENKINS-13650] Revert "JENKINS-12607 canonicalize the name."

          This reverts commit 8b4c00a79201b605908d5d8983a7c719b0d645ff.

          Compare: https://github.com/jenkinsci/active-directory-plugin/compare/e8943e7...15a8a87

          dogfood added a comment -

          Integrated in plugins_active-directory #63
          [FIXED JENKINS-13650] Revert "JENKINS-12607 canonicalize the name." (Revision 15a8a87bc333a12ead447425075df3bdafd7625c)

          Result = SUCCESS
          Kohsuke Kawaguchi :
          Files :

          • src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java


          Harpreet Nain added a comment -

          We are experiencing the same issue. We have around 100 users and to add each one with different uppercase and lowercase permutations is not very elegant to manage authorization. Is this planned to be fixed soon?

          Kohsuke Kawaguchi added a comment -

          This fix depends on JENKINS-17674

          Oleg Nenashev added a comment -

          Fixed in JENKINS-22247 (1.566+)


          F M added a comment -

          Problem still exists. Very annoying.


          David Grierson added a comment -

          Why is Jenkins passing around usernames and not ultimately referencing some sort of internal numeric user ID?

          This seems like a fundamental architectural issue.

          jothibasu Kamaraj added a comment - - edited

          Has any fix been given for this issue? We are also facing the same issue due to case sensitivity while trying to apply access for the jobs via Role Strategy or Matrix Based security.

          Jenkins Version: 1.596.2

          Mayur Barge added a comment -

          We are also facing this issue.


          jothibasu k added a comment -

          Guys, any update on this issue? We are facing this issue while trying to integrate with JIRA. Please check.

          System Administrator added a comment -

          I have this issue too. I find that the user needs to log in to Jenkins with the same case as the user I've created in the role manager. In other words, usernames are not case sensitive when they are passed to Active Directory for confirmation but they are case sensitive once they get back to Jenkins and it tries to use them to give you access. I've bodged it so far by creating lower case and Title Case versions of each user but I'd rather it just worked properly.
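The mismatch described above by Kohsuke Kawaguchi (persisted names no longer match after canonicalization) and by System Administrator (the directory accepts any casing, the authorization lookup does not), modelled as an added example that is not Jenkins or plugin code. `NameStrategy`, `Acl`, the permission strings and "Paul" as the directory's stored spelling are hypothetical and constructed for illustration.

```java
import java.util.*;

/** Added illustration; class and method names are hypothetical, not Jenkins APIs. */
public class CaseSensitiveAclDemo {

    /** How a security realm declares that its names compare (hypothetical). */
    interface NameStrategy { String key(String name); }
    static final NameStrategy CASE_SENSITIVE = n -> n;
    static final NameStrategy CASE_INSENSITIVE = n -> n.toLowerCase(Locale.ROOT);

    /** Matrix-style ACL: per-user grants persisted under the name the admin typed. */
    static final class Acl {
        private final Map<String, Set<String>> grants = new HashMap<>();
        private final NameStrategy strategy;
        Acl(NameStrategy strategy) { this.strategy = strategy; }

        void grant(String persistedName, String permission) {
            grants.computeIfAbsent(strategy.key(persistedName), k -> new TreeSet<>()).add(permission);
        }

        /** Any logged-in user gets the baseline; per-user grants need a key match. */
        Set<String> permissionsFor(String loginName) {
            Set<String> result = new TreeSet<>(Set.of("authenticated:Overall/Read"));
            result.addAll(grants.getOrDefault(strategy.key(loginName), Set.of()));
            return result;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the admin granted rights to "paul"; the directory stores "Paul".
        String directoryName = "Paul";

        Acl exact = new Acl(CASE_SENSITIVE);
        exact.grant("paul", "Job/Build");
        System.out.println("typed 'paul'         -> " + exact.permissionsFor("paul"));
        // The directory accepts "PAUL", but the ACL key differs: baseline rights only.
        System.out.println("typed 'PAUL'         -> " + exact.permissionsFor("PAUL"));
        // Canonicalizing only the login name still misses the persisted "paul".
        System.out.println("canonicalized 'Paul' -> " + exact.permissionsFor(directoryName));

        // Comparison rule declared once and applied to both the stored key and the lookup.
        Acl insensitive = new Acl(CASE_INSENSITIVE);
        insensitive.grant("paul", "Job/Build");
        System.out.println("realm-insensitive    -> " + insensitive.permissionsFor("PAUL"));
    }
}
```

Only the exact-case lookup on the case-sensitive ACL returns `Job/Build`; the case-insensitive ACL returns it for any casing because the stored key and the lookup pass through the same strategy.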

          Thomas Hieber added a comment -

          Same problem here. The workaround at the moment: You can enter the user to Jenkins user management with upper or lowercase or any combination of upper and lowercase and it will always be found in Active Directory.
          They will ALWAYS be able to log in and they will always receive the rights given by their groups, but they do only receive individual rights if the name is entered exactly as set in Jenkins user management.
          So you can tell your users to always use the same combination of upper and lowercase to log in or you can give them rights based only on groups. (which may lead to the need to do administration in LDAP which may or may not be possible for the Jenkins administrators)

          M Chon added a comment -

          Switched to using LDAP a while back. (De-installed the Active Directory plugin).
          Very happy with LDAP.


          Thomas Hieber added a comment -

          We had the described issues with the LDAP plugin, not with the Active Directory plugin - sorry for the confusion.

          Jason Schoon added a comment -

          What would it take to get this under investigation or implemented? This appears to have been an issue for nearly 4 years, and it impacts our organization every time not just someone new is added, but anytime they forgot to log in with the exactly correct case. Not because they get rejected, but because they get in but have the wrong rights. That's a bad combination.

          Oleg Nenashev added a comment -

          jasonschoon Jenkins is an open-source project. If you need this feature, the best way to get progress on it is to propose a pull request to the plugin. Maybe fbelzunc has some plans regarding this change.


            Assignee: Unassigned
            Reporter: Paul M (paulm)
            Votes: 26
            Watchers: 29