I want us to do a quick patch fix for part of <htt...
# dev
a
I want us to do a quick patch fix for part of https://github.com/treeverse/lakeFS/issues/2773 tomorrow (we have 2 users stuck on this). The quick fix is to remove username format validation entirely or almost entirely. I believe our code is robust against injection attacks; we can and will verify that usernames are never involved in constructing SQL queries, but only ever passed as parameters. Does anyone know of a good reason to validate username formats on usage? (We might validate a format during internal user registration, but that would be for business reasons...) Thanks!
o
+1 for removing it from LDAP synced users and releasing tomorrow
b
I think there is a difference between username and display name. Usually the display name will go without any special validation, maybe just max length. But username will be a different story.
Looking into the code, it looks like our username is the display name, so I agree with all the above.