Opened 8 years ago

# Pluging won't work for users belonging to LDAP upper cased groups

Reported by: Owned by: jmeile@… Emmanuel Blot normal LdapPlugin normal jmeile@…, tim.gouma@… 0.11

### Description

On the LDAP setup I'm using, there are some upper cased groups. I can't change them since I'm not the administrator of that server and the tool I use to add those groups to the LDAP server, uses an upper cased prefix, ie: MY_DEPARTMENT-, then I can define whatever comes afterwards, so, MY_DEPARTMENT-ADMINS. So, as you see, I cant' do anything here :-(

Anyway, when I give @MY_DEPARTMENT-ADMINS into the trac Admins interface, it just complains and says: "All upper-cased tokens are reserved for permission names"

If I give @my_department-admins into the Admin interface, then the group comparison into your plugging will fail since it compares this lowered string with the original name of the LDAP group.

Well, this seems to be a trac problem since it has reserved uppercased names for permissions :-(

Anyway, it would be nice if you add some kind of option that lowercases the groups to which a user belongs to, ie: ignore_group_case. There is a trac setting: ignore_auth_case, but it only seems to lowercase the username. It won't work with the groups.

For the moment, I'm always lowercasing each group into the _get_user_groups method of the LdapPermissionGroupProvider class; however, I thing a trac.ini variable would be much more elegant.

Best regards Josef

### comment:1 follow-ups:  2  3 Changed 8 years ago by anonymous

This is only a workaround, but the trac-admin script does not suffer that limitation. You can add the group with

trac-admin /path/to/trac-env permission add @MY_DEPARTMENT-ADMINS SOME_ACTION


I don't know of a way to do this using the web interface.

### comment:2 in reply to:  1 Changed 8 years ago by Emmanuel Blot

This is only a workaround, but the trac-admin script does not suffer that limitation. You can add the group with

I would not:
There are reasons why Trac web interface rejects uppercase names: there are reserved for permissions. Do not mess up with Trac, or bear with the consequences: you may introduce subtle bugs.

trac-admin should not accept uppercased groups.

On the other side, LDAP is usually case insensitive for group matching.

### comment:3 in reply to:  1 Changed 8 years ago by anonymous

This is only a workaround, but the trac-admin script does not suffer that limitation. You can add the group with

trac-admin /path/to/trac-env permission add @MY_DEPARTMENT-ADMINS SOME_ACTION


I don't know of a way to do this using the web interface.

MMM, thanks for your reply. I think I'm going to follow the suggestion from eblot and not using this workarround.

Anyway, I just figured out that the only part I can't change in my groups is MY_DEPARTMENT, so, I just added a group like this: MY_DEPARTMENT-admins and now if I just refer to @MY_DEPARTMENT-admins it works.

Anyway, reserving upper cased names for trac permissions isn't a very nice thing, but I can leave with that.

Thanks to ebot as well for pointing the problems you can arise if you use upper case groups with the trac-admin.