Change use_lookup_dn_username default value to False

jupyterhub · Sep 23, 2024 · 508f870 · 508f870
1 parent 5ba6aa1
commit 508f870
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -293,9 +293,16 @@ If found, these will be available as `auth_state["user_attributes"]`.
 
 Only used with `lookup_dn=True`.
 
-If configured True (default value), the `lookup_dn_user_dn_attribute`
-value used to build the LDAP user's DN string is also used as the
-authenticated user's JuptyerHub username.
+If configured True, the `lookup_dn_user_dn_attribute` value used to
+build the LDAP user's DN string is also used as the authenticated user's
+JuptyerHub username.
+
+If this is configured True, its important to ensure that the values of
+`lookup_dn_user_dn_attribute` are unique even after the are normalized
+to be lowercase, otherwise two LDAP users could end up sharing the same
+JupyterHub username.
+
+With ldapauthenticator 2, the default value was changed to False.
 
 #### `LDAPAuthenticator.search_filter`
 

diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
@@ -373,14 +373,21 @@ def _observe_escape_userdn(self, change):
     )
 
     use_lookup_dn_username = Bool(
-        True,
+        False,
         config=True,
         help="""
         Only used with `lookup_dn=True`.
 
-        If configured True (default value), the `lookup_dn_user_dn_attribute`
-        value used to build the LDAP user's DN string is also used as the
-        authenticated user's JuptyerHub username.
+        If configured True, the `lookup_dn_user_dn_attribute` value used to
+        build the LDAP user's DN string is also used as the authenticated user's
+        JuptyerHub username.
+
+        If this is configured True, its important to ensure that the values of
+        `lookup_dn_user_dn_attribute` are unique even after the are normalized
+        to be lowercase, otherwise two LDAP users could end up sharing the same
+        JupyterHub username.
+
+        With ldapauthenticator 2, the default value was changed to False.
         """,
     )
 

diff --git a/ldapauthenticator/tests/conftest.py b/ldapauthenticator/tests/conftest.py
@@ -15,7 +15,6 @@ def authenticator():
     authenticator.user_attribute = "uid"
     authenticator.lookup_dn_user_dn_attribute = "cn"
     authenticator.attributes = ["uid", "cn", "mail", "ou"]
-    authenticator.use_lookup_dn_username = False
 
     authenticator.allowed_groups = [
         "cn=admin_staff,ou=people,dc=planetexpress,dc=com",