Weave usernames and case-sensitivity

Anant Narayanan

We’ve noticed that a majority of users who complain about not being able to change their password or even log in are unable to do so because Weave treats usernames in a case-sensitive manner. If you don’t happen to remember the exact capitalization of your username at the time of registration, there is very little you can do short of creating a new account. We recognize that this is an important issue and are looking to address it. Case-insensitive usernames should result in fewer confused users and an all-round better experience for anyone dealing with Weave accounts.

As Weave is continuously growing, doing this is no longer a trivial task. We service thousands of users every day, so our main goals for making the switch are to minimize disruptions, not cause any data loss and have the change be completely transparent to end-users.

Let’s take a look at what needs to happen to implement this — this also presents an opportunity for us to talk about how Mozilla’s servers are architected to provide services.mozilla.com. Currently, we have one “cluster” of servers servicing around 28,000 users. Each “cluster” consists of an OpenLDAP instance – a replica of our master LDAP server which stores user information, and a set of database servers running MySQL that store user data. The frontend to each cluster runs the weaveserver code, while authentication against LDAP is managed by internal scripts. We’re going to merge these two into the weaveserver codebase for 0.5, but until then, we’re managing authentication (including account creation) and storage separately.

Architecture of the Weave Servers

This cluster approach allows us to scale — users are assigned clusters based on a hash of their usernames. Though we’re running just a single cluster now, we’re going to be adding more as we push towards a 1.0 release for Weave, and as the number of users grows.

In order to migrate all of our users to case-insensitive usernames, we need to:

  • Update the registration script to generate correct LDAP entries upon account creation.
  • Update existing LDAP entries by lowercasing usernames.
  • Update existing MySQL entries by lowercasing usernames.
  • Update the authentication and weaveserver code so that it lowercases all usernames in incoming requests.

We chose this strategy because it means we can make usernames case-insensitive without changing any client-side code — no updated versions of the Weave Sync extension are needed and the server-side changes will be transparent to our users. We do need to take the service down for a couple of hours while we perform changes on the database(s). Based on activity logs, we’ve determined that the service is least active on weekends, and thus we are going to perform the switch this Sunday, 7/19, from 10:00 A.M. PDT.
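A pre-flight check for the LDAP and MySQL lowercasing steps listed above, as an added example that is not the Weave team's own code: it finds accounts that differ only by case, which would merge into a single identity if lowercased blindly, and accounts whose cluster would change because assignment hashes the username. The SHA-1-modulo cluster function, the function names and the sample usernames are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

def normalize(username):
    # Assumption: the canonical form is plain lowercasing, as the post describes.
    return username.lower()

def cluster_for(username, n_clusters):
    # Hypothetical assignment: the post only says "a hash of their usernames".
    digest = hashlib.sha1(username.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % n_clusters

def plan_migration(usernames, n_clusters=1):
    """Return (renames, collisions, moves) without touching any data.

    renames:    {old: new} for accounts that can be lowercased safely
    collisions: {canonical: [originals]} for names that differ only by case
    moves:      {old: (cluster_before, cluster_after)} for renamed accounts
                whose hash-based cluster assignment would change
    """
    groups = defaultdict(list)
    for name in usernames:
        groups[normalize(name)].append(name)

    renames, collisions, moves = {}, {}, {}
    for canonical, originals in sorted(groups.items()):
        if len(originals) > 1:
            # Needs a manual decision: lowercasing would merge these accounts.
            collisions[canonical] = sorted(originals)
            continue
        old = originals[0]
        if old == canonical:
            continue  # already lowercase, nothing to do
        renames[old] = canonical
        before = cluster_for(old, n_clusters)
        after = cluster_for(canonical, n_clusters)
        if before != after:
            moves[old] = (before, after)
    return renames, collisions, moves

# Constructed sample data, not real Weave accounts.
SAMPLE_USERS = ["Alice", "bob", "ALICE", "Carol", "dave", "alice", "Erin"]

if __name__ == "__main__":
    renames, collisions, moves = plan_migration(SAMPLE_USERS, n_clusters=4)
    print("safe renames:", renames)
    print("collisions  :", collisions)
    print("cluster moves:", moves)
```

With a single cluster, as in the current deployment, no account can change cluster, so only the collision list needs resolving before the rename is applied.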

We’re tracking the process in this bug. Feel free to chip in with comments here or on the bug; we’d love to hear what you think!

UPDATE: The migration process is now complete. If you run into any issues, please do let us know :)

– Anant Narayanan, on behalf of the Weave development team

6 responses

  1. Thales wrote on ::

    Went through setup up to “enter words from picture below”…
    no picture, reload not working..

    Canceled & started over, now dozens of tries to confirm username = dozens of server timeouts

  2. Don wrote on :

    I tried to set up the weave account 4 times and it said invalid username and or password each time trying to log in. This was after the successful completion of the weave account. Each time it said the username I had already selected was still available.

  3. MMcCubbing wrote on :

    I believe that the improvements in usability will far outweigh the minimal dip in security, as I am sure the dev team considered.

  4. Christoph wrote on ::

    I don’t endorse the change of case-sensitive usernames to case-insensitive ones. It’s a matter of security.

  5. g wrote on ::

    so it sounds like the weave “train” will only have to come to a complete stop at 10AM and then start back up again… versus having to be taken off the tracks and worked on. love infrastructure posts ;)

  6. skfd wrote on :

    Case insensitivity is way overrated.