[horde] Upgrade of Horde from V. 3 to V. 5 failed
Jan Schneider
jan at horde.org
Mon Mar 13 10:32:31 UTC 2017
Quoting Me <nospam4me at excite.com>:
>> You are missing the point. This isn't something that we "decided".
>> It's a matter of the case sensitivity of the authentication backend
>> (this may be an IMAP server, an LDAP server, a sql server etc...). We
>> can't assume that any installation is going to want their usernames
>> always lowercased.
>
> Hi Mike,
> I understand that the login is dependent on IMAP, LDAP, etc. That is
> why in many cases it will allow: john or John to log in the same.
> The problem is how Horde treats that input.
> You said: "We can't assume that any installation is going to want
> their usernames always lowercased."
> If you assume if it is case sensitive or if you assume it is not
> case sensitive, either way you are assuming.
But with the huge difference that assuming the one may pose a security
risk. If two user names are considered distinct accounts by the means
of the authentication backend, but we assign them both to the same
Horde account by lowercasing the user names, we created a serious
problem.
But we still listened to our users, see below.
> Why not eliminate the guessing game and ask a question during horde install?
> This is not something that just happened to me. If you google the
> error message: "rampage_users_user_name" you get 284 forum topics/
> posts with the same problem.
This has already been added to Horde 6. You no longer have to create a
hook, but can switch the lower-casing on and off in the configuration.
We even default to lowercasing, despite the theoretical security
issue, because we weighed off the two scenarios and how common those
are.
--
Jan Schneider
The Horde Project
https://www.horde.org/
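
The collision risk described in this message can be checked before lower-casing is switched on. The following is an added example, not part of the original message and not Horde code: it groups account names exported from the authentication backend by their lowercased form and reports any that would end up sharing one account. The function names, the sample names and the use of plain lowercasing as the mapping are assumptions.

```python
"""Audit backend account names for collisions under lowercasing (constructed example)."""
from collections import defaultdict


def find_lowercase_collisions(backend_usernames):
    """Return {lowercased_name: [distinct backend names]} for names that would merge.

    Assumption: the application maps a login to its account with plain
    lowercasing (str.lower here); backend_usernames are exact, as stored.
    """
    groups = defaultdict(set)
    for name in backend_usernames:
        groups[name.lower()].add(name)
    return {
        lowered: sorted(originals)
        for lowered, originals in groups.items()
        if len(originals) > 1
    }


def lowercasing_is_safe(backend_usernames):
    """True only if no two distinct backend accounts share a lowercased form."""
    return not find_lowercase_collisions(backend_usernames)


# Constructed sample: account names exported from a case-sensitive backend.
SAMPLE_BACKEND_USERS = [
    "john",
    "John",               # distinct account on this backend, same name once lowercased
    "alice@example.com",
    "Bob",                # only one spelling exists, so lowercasing merges nothing
    "ALICE@example.com",
]

if __name__ == "__main__":
    collisions = find_lowercase_collisions(SAMPLE_BACKEND_USERS)
    for lowered, originals in sorted(collisions.items()):
        print(f"{lowered}: backend accounts {originals} would share one account")
    print("safe to enable lowercasing:", lowercasing_is_safe(SAMPLE_BACKEND_USERS))
```

An empty result means no two backend accounts differ only by case, which is the common scenario the message refers to; any non-empty result lists the accounts that need to be renamed or kept case-sensitive.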