[GH-ISSUE #728] [BUG] lldap website auth's username is case sensitive, while password reset is not #264

New issue

Closed

opened 2026-02-27 08:16:13 +03:00 by kerem · 2 comments

kerem commented

2026-02-27 08:16:13 +03:00

Owner

Originally created by @evrardjp on GitHub (Nov 1, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/728

Describe the bug
When logging in, I need to provide a username in a case sensitive manner (makes sense to me).
Yet, if I go to password reset page, I add a capital letter for the login to recover, and it will work.

If this is intentional, it can definitely confuse people "Why does the password reset work, but auth does not?"

To Reproduce
Steps to reproduce the behavior:

Create user in the web interface in lowercase letters
Go for self-service password reset page and enter the same username with an uppercase letter.
Receive password reset email
(Optional) try authenticate with uppercase user.

Expected behavior
Step 3 should not have worked without the correct case.

Logs
If you want logs I can provide some.

Additional context
Is that expected?

Originally created by @evrardjp on GitHub (Nov 1, 2023). Original GitHub issue: https://github.com/lldap/lldap/issues/728 **Describe the bug** When logging in, I need to provide a username in a case sensitive manner (makes sense to me). Yet, if I go to password reset page, I add a capital letter for the login to recover, and it will work. If this is intentional, it can definitely confuse people "Why does the password reset work, but auth does not?" **To Reproduce** Steps to reproduce the behavior: 1. Create user in the web interface in lowercase letters 2. Go for self-service password reset page and enter the same username with an uppercase letter. 3. Receive password reset email 4. (Optional) try authenticate with uppercase user. **Expected behavior** Step 3 should not have worked without the correct case. **Logs** If you want logs I can provide some. **Additional context** Is that expected?

kerem

2026-02-27 08:16:13 +03:00

closed this issue
added the
bug
label

kerem commented

2026-02-27 08:16:14 +03:00

Author

Owner

@lordratner commented on GitHub (Dec 25, 2023):

When you create a user, it is not case sensitive. If you already have user "johndoe" you will not be able to create "JohnDoe"

I think everything should be case-insensitive (for usernames obviously) and force it to lowercase in the webui. Easier that way.

@lordratner commented on GitHub (Dec 25, 2023): When you create a user, it is not case sensitive. If you already have user "johndoe" you will not be able to create "JohnDoe" I think everything should be case-insensitive (for usernames obviously) and force it to lowercase in the webui. Easier that way.

kerem commented

2026-02-27 08:16:14 +03:00

Author

Owner

@nitnelave commented on GitHub (Aug 19, 2024):

I'm not sure whether that was actually the case when the issue was opened, but it doesn't seem to be the case anymore. I've been pretty careful to use some type-level guarantees to ensure case insensitivity.

@nitnelave commented on GitHub (Aug 19, 2024): I'm not sure whether that was actually the case when the issue was opened, but it doesn't seem to be the case anymore. I've been pretty careful to use some type-level guarantees to ensure case insensitivity.

kerem referenced this issue

2026-02-27 08:18:20 +03:00

[PR #279] [MERGED] server: Add a log message when search is restricted #655