<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 26, 2013 at 4:44 AM, Ralf Haferkamp <span dir="ltr">&lt;<a href="mailto:rhafer@suse.de" target="_blank">rhafer@suse.de</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
As Dolph already suggested we should not allow usernames that just differ in<br>
capitalization ("JDoe" vs. "jdoe") to co-exist. (Which could be an argument<br>
for handling users case-insensitively in general)<br>
</blockquote><div><br></div><div>This enforcement should be handled by the LDAP server if the organization thinks it's important to have users with names unique without respect for capitalization. LDAP servers can also enforce normal security enhancers like password strength, expiration, and locking out users after invalid logins that the SQL backend doesn't support.<br>
<br>My recommendation is that Keystone should get away from dealing with creating/updating users to avoid reinventing the wheel (and making a wheel that's missing bells and whistles). If comparing user names is a problem, let's limit it to our custom SQL backend and not let it spread to other more featureful backends.<br>
<br></div><div>- Brant<br><br></div></div></div></div>