Ability to use a different object or change the UPN for username #179
Comments
I think Entra ID requires the upn (user@domain) for authentication. I was considering mapping this to the cn though (so that you could leave off the
That would work. I have also seen SAML registered apps allow for the UPN to be munged from the AAD side.
This shouldn't be too difficult to add. It would get tricky FYI if you have multiple configured domains, because then we'd pick the first matching user. For example, if you have 2 domains
Now that I think of it, that won't work for our use case. I need to be able to distinguish the AAD users from the local users and prevent username collisions. What would probably be useful is a parser where I could use the cn + another string like ABCtom for example.
Himmelblau filters out local account names and ignores them. As long as the CNs don't collide with local account names, it would be fine.
They will collide. A lot of our usernames are not very unique.
Are the users related? Can we map the local user to an Entra ID user?
No, not at all.
Hrm, maybe I could introduce a filter option, which matches ABCtom then translates it to [email protected], etc.
That would definitely work for us :)
I think I'm going to provide a script option, where you can provide a custom script that modifies the username as you wish.
Let me know if you need someone to test.
Ok, I'll probably have something for you to try today.
Hrm, I forgot that this could affect the user cache. This may take me a bit to sort out.
@tastle73 I've added the script mapping feature to this branch: https://github.com/himmelblau-idm/himmelblau/tree/stable-0.6.x_map_logon_name Would you try it out? I'll do some testing probably tomorrow.
this is the build exit:
----- On Oct 9, 2024, at 5:48 PM, David Mulder wrote:
> @tastle73 I've added the script mapping feature to this branch: https://github.com/himmelblau-idm/himmelblau/tree/stable-0.6.x_map_logon_name Would you try it out? I'll do some testing probably tomorrow.
@tastle73 there is no build output in your message. Did you forget to attach it?
I tried a screenshot and it was dropped. Here is the txt:
```
Compiling compact_jwt v0.4.2
Caused by:
```
It's because you didn't check out the submodules. Run
What is your target distribution? Perhaps I could generate a package for you?
RHEL 8 and derivatives.
Try using the new name mapping script option in the himmelblau.conf, and let me know if this works for you:
```
# In some cases, mapping the UPN to the CN may be impractical. The following
# option executes the specified filename (any executable), which MUST accept
# a single argument (the user provided login username). The executable MUST
# print a single response to stdout, which will be the UPN that the provided
# login username maps to.
name_mapping_script =
```
Also set
I am confused about how this will work. I thought the login one would enter is [email protected] and it would then be for example xxxfoo on the system they log into. I tried it the other way round and it didn't work either.
I thought you wanted to be able to enter xxxfoo, and for the script to transform this into [email protected]? The code is expecting to end up with the upn output from the script.
I didn't explain my request very well. I am sorry. I was hoping we could use the UPN as the authenticator/username and then transform that into a non-email formatted user on the system.
Oh, ok. I'll have to think about this some more.
Any ideas? I think if you just reverse the code it would work.
I suppose I could just change the nss output to map the username for that script. I'd need to match the same via input though, since services may send requests using that nss name.
So the name mapping script is going to need to handle mapping both ways: Otherwise this won't work.
Actually, maybe what it needs to do is this:
FYI, the way I have to implement this, you'll actually be able to login using the mapped name if you choose (or the full UPN).
Ok, going back to what I said before. I need the script to map both directions: So your script should detect if the input is a UPN. If so, map it to the mapped name. If it detects a mapped name, it should convert it back to a UPN.
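The two-way contract described in this comment (and the earlier one-way version, where the script only has to return a UPN), written out as an added example script; it is not Himmelblau's code and not the script from this thread. It assumes a tenant domain of `example.com` and the `ABC` prefix from the `ABCtom` example above; both are placeholders, set through the `TENANT_DOMAIN` and `LOCAL_PREFIX` environment variables. The function `map_logon_name` is the hypothetical mapping logic, and the script prints its result when Himmelblau runs it with the single login-name argument the config comment describes.

```sh
#!/bin/sh
# Added example of a name_mapping_script for Himmelblau (not project code).
# Contract from the thread: called with one argument (the login name as the
# user typed it, or the nss name a service asked for), prints one line.
#   UPN for our tenant  -> mapped local name (prefix + local part)
#   mapped local name   -> UPN
#   anything else       -> unchanged, so Himmelblau's own local-account
#                          filtering still applies to it.
# Assumptions (placeholders): tenant domain and local-name prefix.
TENANT_DOMAIN="${TENANT_DOMAIN:-example.com}"
LOCAL_PREFIX="${LOCAL_PREFIX:-ABC}"

# The argument comes from an unauthenticated login prompt, so it is treated as
# data only: case patterns and parameter expansion, never eval or a command
# built from the name.
map_logon_name() {
    name=$1
    case "$name" in
        *@*)
            local_part=${name%@*}
            domain=${name#*@}
            # Only UPNs of our tenant are mapped; the domain compare is
            # case-insensitive because UPN domains are.
            lower_domain=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
            if [ "$lower_domain" = "$TENANT_DOMAIN" ]; then
                printf '%s\n' "${LOCAL_PREFIX}${local_part}"
            else
                printf '%s\n' "$name"
            fi
            ;;
        "${LOCAL_PREFIX}"?*)
            # Prefix followed by at least one character: strip it and rebuild
            # the UPN for the configured tenant.
            printf '%s\n' "${name#"$LOCAL_PREFIX"}@${TENANT_DOMAIN}"
            ;;
        *)
            printf '%s\n' "$name"
            ;;
    esac
}

# Entry point when Himmelblau executes the script with exactly one argument.
if [ "$#" -eq 1 ]; then
    map_logon_name "$1"
fi
```

Point `name_mapping_script` at the file and make it executable. Two checks are worth doing before rolling this out: the prefix branch turns any login name that starts with the prefix into a UPN, so the prefix must be one that no local account on the box uses (the collision concern raised earlier in the thread), and a UPN from a domain other than the configured tenant is passed through untouched rather than guessed at, which keeps the first-matching-user problem mentioned for multi-domain setups out of the script.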
This is probably an ER.
I would like to be able to use something other than the user@domain for the username. Is this possible?