From 42e64440a8b6ddd1771dd099c2e145fa3d23a861 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Mon, 23 Sep 2024 10:35:52 +0200
Subject: [PATCH] Change `use_lookup_dn_username` default value to False
---
 README.md | 13 ++++++++++---
 ldapauthenticator/ldapauthenticator.py | 15 +++++++++++----
 ldapauthenticator/tests/conftest.py | 1 -
 3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index b3e9762..76aaba1 100644
--- a/README.md
+++ b/README.md
@@ -293,9 +293,16 @@ If found, these will be available as `auth_state["user_attributes"]`.
 Only used with `lookup_dn=True`.
-If configured True (default value), the `lookup_dn_user_dn_attribute`
-value used to build the LDAP user's DN string is also used as the
-authenticated user's JuptyerHub username.
+If configured True, the `lookup_dn_user_dn_attribute` value used to
+build the LDAP user's DN string is also used as the authenticated user's
+JuptyerHub username.
+
+If this is configured True, its important to ensure that the values of
+`lookup_dn_user_dn_attribute` are unique even after the are normalized
+to be lowercase, otherwise two LDAP users could end up sharing the same
+JupyterHub username.
+
+With ldapauthenticator 2, the default value was changed to False.
 #### `LDAPAuthenticator.search_filter`
diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
index 0b6065f..d0a0a4e 100644
--- a/ldapauthenticator/ldapauthenticator.py
+++ b/ldapauthenticator/ldapauthenticator.py
@@ -391,14 +391,21 @@ def _observe_escape_userdn(self, change):
 )
 use_lookup_dn_username = Bool(
- True,
+ False,
 config=True,
 help="""
 Only used with `lookup_dn=True`.
- If configured True (default value), the `lookup_dn_user_dn_attribute`
- value used to build the LDAP user's DN string is also used as the
- authenticated user's JuptyerHub username.
+ If configured True, the `lookup_dn_user_dn_attribute` value used to
+ build the LDAP user's DN string is also used as the authenticated user's
+ JuptyerHub username.
+
+ If this is configured True, its important to ensure that the values of
+ `lookup_dn_user_dn_attribute` are unique even after the are normalized
+ to be lowercase, otherwise two LDAP users could end up sharing the same
+ JupyterHub username.
+
+ With ldapauthenticator 2, the default value was changed to False.
 """,
 )
diff --git a/ldapauthenticator/tests/conftest.py b/ldapauthenticator/tests/conftest.py
index 55f5e47..75077cf 100644
--- a/ldapauthenticator/tests/conftest.py
+++ b/ldapauthenticator/tests/conftest.py
@@ -19,7 +19,6 @@ def c():
 c.LDAPAuthenticator.user_attribute = "uid"
 c.LDAPAuthenticator.lookup_dn_user_dn_attribute = "cn"
 c.LDAPAuthenticator.attributes = ["uid", "cn", "mail", "ou"]
- c.LDAPAuthenticator.use_lookup_dn_username = False
 c.LDAPAuthenticator.allowed_groups = [
 "cn=admin_staff,ou=people,dc=planetexpress,dc=com",
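Review bot: The rewritten help text for `use_lookup_dn_username` in ldapauthenticator/ldapauthenticator.py explains the collision risk when the option is True but never says which value becomes the JupyterHub username under the new default of False, so an operator upgrading to version 2 cannot tell from it that existing usernames, and any `allowed_users`-style lists keyed on them, may change. I would add one sentence to the help string naming the attribute used when the option is False (that code path is outside the hunk, so the wording needs checking against it), and fix the typos in the added lines: `it's important`, `after they are normalized`, and `JupyterHub username` for `JuptyerHub username`. The same text is added to README.md and should be kept in step. The `Bool(...)` definition sits in a class body that starts and ends outside the hunk.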