Ability to use a different object or change the UPN for username #179

Open
tastle73 opened this issue Sep 16, 2024 · 33 comments · May be fixed by #289
Comments

@tastle73 (Author)

This is probably an ER.

I would like to be able to use something other than the user@domain for the username. Is this possible?

@dmulder (Collaborator) commented Sep 16, 2024

I think Entra ID requires the upn (user@domain) for authentication. I was considering mapping this to the cn though (so that you could leave off the @domain part). Is this what you're interested in?

@tastle73 (Author)

That would work. I have also seen SAML registered apps allow for the UPN to be munged from the AAD side.

@dmulder dmulder added the enhancement New feature or request label Sep 16, 2024
@dmulder (Collaborator) commented Sep 16, 2024

This shouldn't be too difficult to add. It would get tricky FYI if you have multiple configured domains, because then we'd pick the first matching user. For example, if you have 2 domains example.com and test.com configured, then a user with the UPN tux in each domain ([email protected] and [email protected]), then we'd have to just pick the first user in the domain list.

@tastle73 (Author)

Now that I think of it, that won't work for our use case. I need to be able to distinguish the AAD users from the local users and prevent username collisions. What would probably be useful is a parser where I could use the cn + another string like ABCtom for example.

@dmulder (Collaborator) commented Sep 16, 2024

Himmelblau filters out local account names and ignores them. As long as the CNs don't collide with local account names, it would be fine.

@tastle73 (Author)

They will collide. A lot of our usernames are not very unique

@dmulder (Collaborator) commented Sep 16, 2024

Are the users related? Can we map the local user to an Entra Id user?

@tastle73 (Author)

no, not at all.

@dmulder (Collaborator) commented Sep 16, 2024

Hrm, maybe I could introduce a filter option, which matches ABCtom then translates it to [email protected], etc.

@tastle73 (Author)

that would definitely work for us :)

@dmulder (Collaborator) commented Sep 17, 2024

I think I'm going to provide a script option, where you can provide a custom script that modifies the username as you wish.

@tastle73 (Author)

let me know if you need someone to test

@dmulder (Collaborator) commented Sep 17, 2024

Ok, I'll probably have something for you to try today.

@dmulder (Collaborator) commented Sep 17, 2024

Hrm, I forgot that this could affect the user cache. This may take me a bit to sort out.

@dmulder dmulder added this to the 0.7.x milestone Sep 27, 2024
@dmulder (Collaborator) commented Oct 9, 2024

This is now partially implemented in #230 and #231. You now only need to enter the CN name (the front part of the full UPN) to login.

@dmulder (Collaborator) commented Oct 9, 2024

@tastle73 I've added the script mapping feature to this branch: https://github.com/himmelblau-idm/himmelblau/tree/stable-0.6.x_map_logon_name

Would you try it out? I'll do some testing probably tomorrow.

@tastle73 (Author) commented Oct 10, 2024 via email

@dmulder (Collaborator) commented Oct 10, 2024

@tastle73 there is no build output in your message. Did you forget to attach it?

@tastle73 (Author)

I tried a screenshot and it was dropped. Here is the txt:

Compiling compact_jwt v0.4.2
error: failed to run custom build command for idmap v0.6.5 (/root/himmelblau/himmelblau-0.6.5/src/idmap)

Caused by:
process didn't exit successfully: /root/himmelblau/himmelblau-0.6.5/target/release/build/idmap-e1e88fe48764074e/build-script-build (exit status: 101)
--- stderr
aclocal: error: configure.ac:3: file 'sssd/version.m4' does not exist
autoreconf: aclocal failed with exit status: 1
thread 'main' panicked at src/idmap/build.rs:14:9:
Failed to configure sss_idmap
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
make: *** [Makefile:3: all] Error 101

@dmulder (Collaborator) commented Oct 10, 2024

It's because you didn't checkout the submodules. Run make, instead of cargo build. The make command will check out the submodules for you.
This requirement will be removed in 0.7.x.

@dmulder (Collaborator) commented Oct 10, 2024

What is your target distribution? Perhaps I could generate a package for you?

@tastle73 (Author)

RHEL 8 and derivatives.
I git cloned the branch and that worked

@dmulder (Collaborator) commented Oct 11, 2024

Try using the new name mapping script option in himmelblau.conf, and let me know if this works for you:

# In some cases, mapping the UPN to the CN may be impractical. The following
# option executes the specified filename (any executable), which MUST accept
# a single argument (the user provided login username). The executable MUST
# print a single response to stdout, which will be the UPN that the provided
# login username maps to.
name_mapping_script =

Also set cn_name_mapping = false when you use name_mapping_script.

@tastle73 (Author)

I am confused about how this will work. I thought the login one would enter is [email protected] and it would then be for example xxxfoo on the system they log into. I tried it the other way round and it didn't work either

@dmulder (Collaborator) commented Oct 15, 2024

I thought you wanted to be able to enter xxxfoo, and for the script to transform this into [email protected]? The code is expecting to end up with the upn output from the script.
I guess I don't understand what the purpose would be the other way around? I thought the purpose was to be able to enter a short username, which is transformed into the full upn?

@tastle73 (Author)

I didn't explain my request very well. I am sorry.

I was hoping we could use the UPN as the authenticator/username and then transform that into a non-email formatted user on the system.

@dmulder (Collaborator) commented Oct 15, 2024

Oh, ok. I'll have to think about this some more.

@tastle73 (Author)

Any ideas? I think if you just reverse the code it would work.

@dmulder (Collaborator) commented Nov 12, 2024

I suppose I could just change the nss output to map the username for that script. I'd need to match the same via input though, since services may send requests using that nss name.
Sorry, I haven't given this the attention it deserves. I'll take a look at it soon.

@dmulder (Collaborator) commented Nov 12, 2024

So the name mapping script is going to need to handle mapping both ways:
upn -> mapped name
mapped name -> upn

Otherwise this won't work.

@dmulder (Collaborator) commented Nov 12, 2024

Actually, maybe what it needs to do is this:
upn -> upn
mapped name -> upn
That way we consistently use the upn behind the scenes, but can receive the mapped name, and transcribe it.
Maybe I could just ignore the name mapping if I see a UPN, actually.

@dmulder (Collaborator) commented Nov 12, 2024

FYI, the way I have to implement this, you'll actually be able to login using the mapped name if you choose (or the full UPN).

@dmulder (Collaborator) commented Nov 12, 2024

Ok, going back to what I said before. I need the script to map both directions:
upn -> mapped name
mapped name -> upn

So your script should detect if the input is a UPN. If so, map it to the mapped name. If it detects a mapped name, it should convert it back to a UPN.
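As an added example (not code from the Himmelblau project or from either participant), here is a POSIX shell script that satisfies the bidirectional contract described above and the name_mapping_script contract from the Oct 11 comment: it takes the single login-name argument, prints exactly one line to stdout, and maps in whichever direction the input calls for. The tenant domain example.com, the prefix ABC and the user tom are constructed values, and the environment variable names are assumptions made for this example.

```shell
#!/bin/sh
# Added example of a bidirectional name_mapping_script (not project code).
# Assumed values: tenant domain example.com, local-name prefix "ABC", so
#   tom@example.com  ->  ABCtom            (UPN -> mapped name)
#   ABCtom           ->  tom@example.com   (mapped name -> UPN)
# Input that is neither a UPN in the tenant domain nor a prefixed mapped
# name produces no output and a non-zero exit status, so the caller never
# receives a guessed name that could collide with a local account.

TENANT_DOMAIN="${MAP_TENANT_DOMAIN:-example.com}"   # assumed tenant domain
PREFIX="${MAP_PREFIX:-ABC}"                          # assumed local-name prefix

# valid_part NAME: succeed only if NAME is non-empty and made of characters
# that are safe in a POSIX user name; everything else is rejected.
valid_part() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# map_logon_name NAME: print the translated name on stdout, or print nothing
# and return 1 when NAME cannot be mapped.
map_logon_name() {
    name="$1"
    case "$name" in
        *@*)
            # Input looks like a UPN: split at the first '@'.
            upn_local="${name%%@*}"
            upn_domain="${name#*@}"
            # UPN domains are not case-sensitive, so compare lowercased.
            upn_domain_lc=$(printf '%s' "$upn_domain" | tr 'A-Z' 'a-z')
            [ "$upn_domain_lc" = "$TENANT_DOMAIN" ] || return 1
            valid_part "$upn_local" || return 1
            printf '%s\n' "${PREFIX}${upn_local}"
            ;;
        "$PREFIX"?*)
            # Input looks like a mapped name: strip the prefix, add the domain.
            short="${name#"$PREFIX"}"
            valid_part "$short" || return 1
            printf '%s\n' "${short}@${TENANT_DOMAIN}"
            ;;
        *)
            return 1
            ;;
    esac
}

# When invoked with the single argument Himmelblau passes, map it; when run
# with no argument (for example when sourced), define the functions only.
if [ "$#" -eq 1 ]; then
    map_logon_name "$1"
fi
```

Two design choices matter for the collision problem raised earlier in the thread: the prefix has to be one that no local account name starts with, and the script refuses to map anything it does not recognise (wrong domain, missing prefix, or characters that are not valid in a user name) rather than passing the input through, so a local name never gets silently rewritten into an Entra ID UPN.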

@dmulder dmulder linked a pull request Nov 12, 2024 that will close this issue