Opened 14 years ago
Closed 8 years ago
#8691 closed defect (wontfix)
Subscriber Classes: Allow for Active Directory / Kerberos usernames
Reported by: | Rich | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | AnnouncerPlugin |
Severity: | critical | Keywords: | user resolver Kerberos ActiveDirectory LDAP |
Cc: | Ryan J Ollos, Robert Corsaro | Trac Release: | 0.12 |
Description
At present there's a simple test against the sid of the user, for example:
```python
if re.match(r'^[^@]+@.+', ticket['reporter']):
    sid, auth, addr = None, 0, ticket['reporter']
else:
    sid, auth, addr = ticket['reporter'], 1, None
```
This means that any users with a sid like user@… get treated from this point forwards as unauthenticated.
This has disastrous consequences e.g. their email address (in session_attribute) can never be retrieved as the where clause contains 'authenticated = 0'!
Attachments (0)
Change History (5)
comment:1 Changed 14 years ago by
comment:2 Changed 14 years ago by
Thinking about it, why are the subscriber classes making this decision? They should just encapsulate the functionality required to provide a list of interested parties and leave finding out 'where' the users are to the resolver classes.
Surely, for example, the SessionEmailResolver should be querying the DB with the username (reporter/owner etc.) to find out whether or not there's a matching sid and how to contact them, assuming the username *is* their mail address is a task for the SpecifiedEmailResolver?
comment:3 Changed 12 years ago by
Cc: | Ryan J Ollos Robert Corsaro added; anonymous removed |
---|---|
Keywords: | user resolver Kerberos ActiveDirectory LDAP added |
Owner: | changed from Robert Corsaro to Steffen Hoffmann |
Priority: | high → normal |
Summary: | Subscriber Classes : Allow for Active Directory / Kerberos usernames → Subscriber Classes: Allow for Active Directory / Kerberos usernames |
Notice the possible shortcomings of the reported regular expression as well.
And I'm glad that this is already documented here. +1 for fixing this in the resolver domain, but I'll have to do much more code reading before I'll attempt to fix this issue. Please be patient and bear with me, or better: provide some patches for review ("code rules"). This should speed up a working solution once I've cleared some database issues that are top-rated for now.
comment:4 Changed 8 years ago by
Owner: | Steffen Hoffmann deleted |
---|
comment:5 Changed 8 years ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Please upgrade to Trac 1.2, which has integrated the core of AnnouncerPlugin. Please raise the issue on the trac:MailingList if you encounter the issue with Trac 1.2.
For info, TracNotification got around it like this:
"When using apache and mod_kerb for authentication against Kerberos / Active Directory, usernames take the form (username@…). To avoid this being interpreted as an email address, add the Kerberos domain to (ignore_domains)."