You are not logged in.

Announcement

 Téléchargez la dernière version stable de GLPI      -     Et vous, que pouvez vous faire pour le projet GLPI ? :  Contribuer
 Download last stable version of GLPI                      -     What can you do for GLPI ? :  Contribute

#1 2009-08-19 13:53:08

linvinus
Member
Registered: 2009-07-16
Posts: 29

glpi 0.72 architecture problem with entities

User login should not be unique in sql user table.
Because same login could be in multiply entities .

for example:
admin@parent.domain
and admin@child.parent.domain

Glpi should identify user by login and entity, or by email.

Also when importing users from ldap, should be option in to which entity import.

When importing computers from OCS
glpi could compare  ocs.machine.domain_name  with entity, through special rule, then search osc.login + entity in glpi_users table.

Last edited by linvinus (2009-08-19 13:56:23)


glpi 0.83.2, ocs 2.0.2-2, Ubuntu 8.04.4 LTS

Offline

#2 2009-08-19 14:16:02

remi
GLPI-DEV
From: Champagne
Registered: 2007-04-28
Posts: 7,127
Website

Re: glpi 0.72 architecture problem with entities

> User login should not be unique in sql user table.
Login must be unique by design.

There is a ticket (somewhere in the roadmap) to store domain with username.

> Also when importing users from ldap, should be option in to which entity import.
No. User are not imported in 1 entity.
Entity are defined in the right of the user (user/profil relation)


+


Dév. Fedora 29 - PHP 5.6/7.0/7.1/7.2/7.3/7.4 - MariaDB 10.3 - GLPI master
Certifié ITILv3 - RPM pour Fedora, RHEL et CentOS sur https://blog.remirepo.net/

Offline

#3 2009-08-19 14:39:22

linvinus
Member
Registered: 2009-07-16
Posts: 29

Re: glpi 0.72 architecture problem with entities

remi,
>There is a ticket (somewhere in the roadmap) to store domain with username.
then,probably,  better use unique email instead login. Because it is login+domain and also unique criteria in help-desk.

Last edited by linvinus (2009-08-19 14:41:08)


glpi 0.83.2, ocs 2.0.2-2, Ubuntu 8.04.4 LTS

Offline

#4 2009-08-19 14:41:27

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: glpi 0.72 architecture problem with entities

linvinus wrote:

then,probably,  better use email . Because it is login+domain and also unique criteria in help-desk.

and what if I don't use helpdesk and I don't have email in my ldap directory ?

everybody can choose the login he wants, and for now login must be unique.

Offline

#5 2009-08-19 15:26:03

linvinus
Member
Registered: 2009-07-16
Posts: 29

Re: glpi 0.72 architecture problem with entities

wawa wrote:
linvinus wrote:

then,probably,  better use email . Because it is login+domain and also unique criteria in help-desk.

and what if I don't use helpdesk and I don't have email in my ldap directory ?

everybody can choose the login he wants, and for now login must be unique.

ok, email as id looks not so good. (even glpi will generate unique email if user don't have email in ldap)

But what we will do when will track ticket by email, if we will use domain+login as unique user id.
In this situation we also will have variant when different users can have same email.

My problem is that i have one physical entity but with two email-domains.
For now i can't automatically track tickets from both domains. Because i can't create another user with same login, or add another email for same user.

Also this  problem can appear when user send email from public email server (for example gmail.com)


glpi 0.83.2, ocs 2.0.2-2, Ubuntu 8.04.4 LTS

Offline

#6 2009-10-01 14:39:10

gaio
Member
From: Pordenone, Italy
Registered: 2006-09-20
Posts: 37

Re: glpi 0.72 architecture problem with entities

remi wrote:

Login must be unique by design.

You just have the account/user ID as unique filed, why not simply use it? Why use the login? Seems to me 'broken by design'...

remi wrote:

There is a ticket (somewhere in the roadmap) to store domain with username.

Some idea when this will be implemented?


Apart of the 'new feature' part, in this subject there's also a terrible BUG 'embedded': if i use more than one auth provider (for me, 3 LDAP servers) and in the providers different users with the same login exist, one user can impersonate another one, because GLPI query the auth provider in turn, and assign credential to the first that authenticate correctly.

This is indeed a SECURITY BUG, and have at least to be mitigated (eg: query the auth provider in turn and if user exist and login fail, stop query and return error).

Offline

#7 2009-10-01 14:46:08

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: glpi 0.72 architecture problem with entities

gaio wrote:
remi wrote:

Login must be unique by design.

You just have the account/user ID as unique filed, why not simply use it? Why use the login? Seems to me 'broken by design'...

I don't understand whatdo  you propose ?

gaio wrote:

Apart of the 'new feature' part, in this subject there's also a terrible BUG 'embedded': if i use more than one auth provider (for me, 3 LDAP servers) and in the providers different users with the same login exist, one user can impersonate another one, because GLPI query the auth provider in turn, and assign credential to the first that authenticate correctly.

This is indeed a SECURITY BUG, and have at least to be mitigated (eg: query the auth provider in turn and if user exist and login fail, stop query and return error).

no it's not a security bug, it's the way it has been implemented and the way we've designed it
once again, for now : the login field must be unique

Offline

#8 2009-10-01 15:16:08

gaio
Member
From: Pordenone, Italy
Registered: 2006-09-20
Posts: 37

Re: glpi 0.72 architecture problem with entities

wawa wrote:

I don't understand whatdo  you propose ?

in glpi_users there's the 'name' field (login) but also an 'ID' field: i understand that 'ID' field have to be unique, but really i don't understand because the 'name' field have too...


wawa wrote:

no it's not a security bug, it's the way it has been implemented and the way we've designed it

Ok, i've understood that is designed in this way, but this is really na security bug; mind only if in one auth provider there's an user 'john' with administrative rights granted, and in another auth provoder a different 'john' user that have not: even the second unprivileged user if login, got administrative rights!

This IS a security bug...

Offline

Board footer

Powered by FluxBB