LDAP authentication with userPrincipalName fill with email address

george1421

@Tom-Elliott said in LDAP authentication with userPrincipalName fill with email address:

I’m more inclined to think there’s an issue before this point (at which logging likely isn’t tracking).

I agree if you don’t know what you are looking for you will never find it.

fritoss007

I might have spotted someting in the string I’m using…this is our fqdn : csdufer.qc.ca and I’m using this string :

‘/(?=^.{3,40}$)^[\w][\w0-9][._-]?[\w0-9][.-]?[\w0-9]*[.-]?[\w0-9][@]?[\w0-9][.]?[\w0-9]+$/i’,

should I use this instead ?

‘/(?=^.{3,40}$)^[\w][\w0-9][._-]?[\w0-9][.-]?[\w0-9]*[.-]?[\w0-9][@]?[\w0-9][.]?[\w0-9]*[.]?[\w0-9]+$/i’,

george1421

@fritoss007 I’ve looked into the database bits too and the uName field is 40 characters log (that would store the upn name). So it should be large enough to hold most UPN names.

Tom Elliott

@george1421 @fritoss007

I think this regex would work best:

(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[@]?[\w0-9]*([.]?[\w0-9])+$

This isn’t perfect, but should be closer to what’s needed.

Essentially, it’s looking at the final [.]?[\w0-9] and grouping it allowing us to add as many as wanted.

Here’s a slightly better version, I think, as it will allow normal usernames or email addresses:

^(?:[\w\d][\w\d _\-]{3,40}|[\w\d.%+\-]+@[\w\d.\-]+\.[\w]{2,4})$

In the above, it will only limit 3-40 characters without email. With email, the sky’s the limit. However, as @george1421 stated, the user field is only 40 characters so it would fail if you had anything larger than the field could accept.

Tom Elliott

One last bit, to make it a tiny bit more accurate, and compicated

^(?:[a-zA-Z0-9][\w\d \.\-]{3,40}|[a-zA-Z0-9\.%+\-]+@[a-zA-Z0-9\.\-]+\.[a-zA-Z]{2,4})$

This will make sure the first character is either letter or number (no underscore)

george1421

@fritoss007 Since the developers haven’t really looked into use email address or upn names for LDAP authentication can you do some research for them. If you could export you AD into something like excel and then create a quick formula to get the length of the upn name (could do with powershell too) and then post what is the longest UPN name (email) address you have in your AD. This would give the developers an idea if 40 characters is good enough or something else is needed.

fritoss007

@george1421 Thanks I would think the lenght of 40 is plenty as only tech will use this interface with their very special “admin” accounts.

@Tom-Elliott Thanks as your last string works like a charm!

So I’ve created 2 LDAP connections, one with userPrincipalName and the other with sAMAccountName so if users use any of them it will work !

Now…what about the PXE menu ? I guess it’s a different story ?

george1421

@fritoss007 said in LDAP authentication with userPrincipalName fill with email address:

Now…what about the PXE menu ? I guess it’s a different story ?

Different story == Different thread.

FWIW the developers are thinking about making this a feature (allowing login via UPN/email address) in 1.6.x versions of FOG. So reporting back that its working is a pretty good way to make it happen.

fritoss007

@george1421 so funny I knew it :)…I’m just wondering if it worth opening a new thread! I feel like it’s going to be much harder than the web interface!

But yes it’s working great for the GUI. Should I repport it somewhere else ?

george1421

@fritoss007 said in LDAP authentication with userPrincipalName fill with email address:

Should I report it somewhere else

In this tread is good enough. Both Tom and Sebastian are in this thread so its the right place at the right time.