Using E-mail for Sign In w/ LDAP Fallback Authentication

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

This thread is closed to new posts. You must sign in to post in the forums.
3/28/2012 10:41:52 AM
Total Posts 156

Using E-mail for Sign In w/ LDAP Fallback Authentication

What is the rationale for preventing e-mail from being used for login while LDAP fallback authentication is enabled?  

3/28/2012 11:07:48 AM
Total Posts 1203
Proud member of the mojoPortal team

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

LDAP authentication is done by user ID. LDAP fallback authentication first tries to authenticate against the internal database by user ID, then if that fails it uses the same credentials to attempt an LDAP authentication.

Jamie

3/28/2012 12:35:33 PM
Total Posts 156

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

Jamie,

We are a non-profit organization which raises money for NIU. Therefore, all of our employees' user IDs are stored in the university's Active Directory and they are perfectly comfortable with using their user IDs for the site since they've used them to log into their workstations for years now.

We are also working on a board section of the site specifically for ~35 board members most of whom aren't employed by the university and can't be added to Active Directory. For them, using e-mail would be far superior and in our case essential.

We do not want to fork mojoPortal and maintain our own authentication implementation, so I thought I'd make a proposal to you guys and see if you would be content with committing such changes upstream. I will of course work on changes locally and will provide them to you.
 
Instead of forcing all of our users to use either user ID or e-mail, we would like to introduce a mixed mode which would work like this:
 
In site settings, instead of just UserEmailForLogin checkbox which forces e-mails when checked and user IDs when unchecked, we would have a radio group like so:
  • Force user ID for login
  • Force e-mail for login
  • Allow either user ID or e-mail for login
  1. Under "Force user ID for login," only user IDs will be allowed as input and DBSiteUser.Login() will be used.
  2. Under "Force e-mail for login," only e-mails will be allowed as input and either DBSiteUser.LoginByEmail() can be used or a corresponding user ID from the user profile can be retrieved and DBSiteUser.Login() can be called as if the user provided it.
  3. Under "Allow either user ID or e-mail for login," either user ID or e-mail will be allowed as input. A regular expression can determine which one was provided. If it was an e-mail, a corresponding user ID from the user profile can be retrieved and DBSiteUser.Login() will be attempted first and SiteUser.LoginLDAP() second.

 

What are your thoughts on this?

3/28/2012 12:51:20 PM
Total Posts 18439

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

I think it will be problematic to make that change because it goes beyond validation for login, the authentication cookie is either based on the email or the userid (LoginName field), it can't be an either or situation and that matters everywhere the user is looked up.

My suggestion would be to populate the LoginName field with the email address for your board members, then they can login using their email addresses.

Best,

Joe

3/29/2012 2:47:33 PM
Total Posts 156

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

Maybe I am misunderstanding something, but you aren't switching back and forth once you are logged in.  If it's an e-mail, you convert it to user ID first and THEN validate it.  I'm not seeing why this would be problematic for SetAuthCookie() ...

3/29/2012 3:23:21 PM
Total Posts 18439

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

Problem is we don't SetAuthCookie, that is done for us behind the scenes by the ASP.NET login control using whatever was passed in and validated by the membership provider. For LDAP that is going to be user id aka loginname.

I don't see why you can't just duplicate the email address in the LoginName field, seems like a good solution for this problem to me.

3/29/2012 8:46:17 PM
Total Posts 156

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

Because when you enter an e-mail address and hit "Update User," it actually replaces the '@' symbol with a dot and that's a deal breaker...

3/30/2012 7:32:03 AM
Total Posts 18439

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

"when you enter an e-mail address and hit "Update User," it actually replaces the '@' symbol with a dot"

That is an easy problem to fix, it is fixed now in the source code repository.

Hope that helps,

Joe

3/30/2012 10:04:16 AM
Total Posts 156

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

So what about the comments you have in the source?

// don't allow @ because in some configuration
// we allow login by either email or loginname
// we want login name to not look like an email address

 

3/30/2012 10:10:09 AM
Total Posts 18439

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

Those comments are from back in the .NET 1 days circa 2004 before use of the asp.net LoginControl and the existence of MembershipProvider.

3/30/2012 10:47:42 AM
Total Posts 156

Re: Using E-mail for Sign In w/ LDAP Fallback Authentication

Sure, but I don't think the purpose of the replacement line has changed :). Why did you want to make sure that user ID and e-mail address were different then, but not now? I think that's because that's usually what you will want and in our case we would love to have a different user ID as well if possible.
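
Added example, not part of any post above and not mojoPortal code: a sketch of the mixed mode debated in this thread, in which the typed value is resolved to a single LoginName before any credential check, so the value returned for the auth ticket is always the LoginName, and a LoginName that matches another user's e-mail address makes resolution ambiguous and fails closed. The class, its members, the two delegates standing in for the database and LDAP checks, and the sample users are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration, not mojoPortal code: every type and member name is hypothetical.
public sealed class MixedModeLogin
{
    private readonly IDictionary<string, string> emailByLoginName; // LoginName -> Email
    private readonly Func<string, string, bool> dbLogin;   // stand-in for the database check
    private readonly Func<string, string, bool> ldapLogin; // stand-in for the LDAP check

    public MixedModeLogin(IDictionary<string, string> emailByLoginName,
        Func<string, string, bool> dbLogin, Func<string, string, bool> ldapLogin)
    {
        this.emailByLoginName = emailByLoginName;
        this.dbLogin = dbLogin;
        this.ldapLogin = ldapLogin;
    }

    // Map the typed value to exactly one LoginName; null when unknown or ambiguous.
    public string Resolve(string input)
    {
        var hits = emailByLoginName
            .Where(u => Same(u.Key, input) || Same(u.Value, input))
            .Select(u => u.Key).ToList();
        if (hits.Count == 1) return hits[0];
        // No profile row: only a value without '@' is passed on as an LDAP-only user ID.
        return hits.Count == 0 && !input.Contains("@") ? input : null;
    }

    // Returns the canonical LoginName for the auth ticket, or null on failure.
    public string Authenticate(string input, string password)
    {
        string loginName = Resolve(input);
        if (loginName == null) return null;
        // Same order as the fallback described in the thread: database first, then LDAP.
        return dbLogin(loginName, password) || ldapLogin(loginName, password) ? loginName : null;
    }

    private static bool Same(string a, string b) =>
        string.Equals(a, b, StringComparison.OrdinalIgnoreCase);

    public static void Main()
    {
        // Constructed sample data: the third user's LoginName equals bob's e-mail address.
        var users = new Dictionary<string, string> {
            { "jsmith", "jsmith@example.edu" }, { "bob", "bob@example.org" },
            { "bob@example.org", "carol@example.org" } };
        var auth = new MixedModeLogin(users,
            (u, p) => u == "bob" && p == "constructed-pw", (u, p) => u == "jsmith" && p == "ad-pw");
        Console.WriteLine(auth.Authenticate("jsmith@example.edu", "ad-pw") ?? "(rejected)");
        Console.WriteLine(auth.Authenticate("bob@example.org", "constructed-pw") ?? "(rejected)");
    }
}
```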
