Merge pull request #280 from consideRatio/pr/use-lookup-dn-username-f…

…alse Change `use_lookup_dn_username` default value to False
jupyterhub · Sep 26, 2024 · a3c8b9d · a3c8b9d
2 parents 510b450 + b8c650c
commit a3c8b9d
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -293,9 +293,16 @@ If found, these will be available as `auth_state["user_attributes"]`.
 
 Only used with `lookup_dn=True`.
 
-If configured True (default value), the `lookup_dn_user_dn_attribute`
-value used to build the LDAP user's DN string is also used as the
-authenticated user's JuptyerHub username.
+If configured True, the `lookup_dn_user_dn_attribute` value used to
+build the LDAP user's DN string is also used as the authenticated user's
+JuptyerHub username.
+
+If this is configured True, its important to ensure that the values of
+`lookup_dn_user_dn_attribute` are unique even after the are normalized
+to be lowercase, otherwise two LDAP users could end up sharing the same
+JupyterHub username.
+
+With ldapauthenticator 2, the default value was changed to False.
 
 #### `LDAPAuthenticator.search_filter`
 

diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
@@ -391,14 +391,21 @@ def _observe_escape_userdn(self, change):
     )
 
     use_lookup_dn_username = Bool(
-        True,
+        False,
         config=True,
         help="""
         Only used with `lookup_dn=True`.
 
-        If configured True (default value), the `lookup_dn_user_dn_attribute`
-        value used to build the LDAP user's DN string is also used as the
-        authenticated user's JuptyerHub username.
+        If configured True, the `lookup_dn_user_dn_attribute` value used to
+        build the LDAP user's DN string is also used as the authenticated user's
+        JuptyerHub username.
+
+        If this is configured True, its important to ensure that the values of
+        `lookup_dn_user_dn_attribute` are unique even after the are normalized
+        to be lowercase, otherwise two LDAP users could end up sharing the same
+        JupyterHub username.
+
+        With ldapauthenticator 2, the default value was changed to False.
         """,
     )
 

diff --git a/ldapauthenticator/tests/conftest.py b/ldapauthenticator/tests/conftest.py
@@ -19,7 +19,6 @@ def c():
     c.LDAPAuthenticator.user_attribute = "uid"
     c.LDAPAuthenticator.lookup_dn_user_dn_attribute = "cn"
     c.LDAPAuthenticator.attributes = ["uid", "cn", "mail", "ou"]
-    c.LDAPAuthenticator.use_lookup_dn_username = False
 
     c.LDAPAuthenticator.allowed_groups = [
         "cn=admin_staff,ou=people,dc=planetexpress,dc=com",