LDAP authentication with userPrincipalName fill with email address
-
how can I make LDAP authentication working with userPrincipalName fill with email address ? I guess there must be some patern check in php that prevent the use of @ ?
thanks for your help !
-
@fritoss007 said in LDAP authentication with userPrincipalName fill with email address:
Should I report it somewhere else
In this tread is good enough. Both Tom and Sebastian are in this thread so its the right place at the right time.
-
@george1421 so funny I knew it
:)ā¦Iām just wondering if it worth opening a new thread! I feel like itās going to be much harder than the web interface!
But yes itās working great for the GUI. Should I repport it somewhere else ?
-
@fritoss007 said in LDAP authentication with userPrincipalName fill with email address:
Nowā¦what about the PXE menu ? I guess itās a different story ?
Different story == Different thread.
FWIW the developers are thinking about making this a feature (allowing login via UPN/email address) in 1.6.x versions of FOG. So reporting back that its working is a pretty good way to make it happen.
-
@george1421 Thanks I would think the lenght of 40 is plenty as only tech will use this interface with their very special āadminā accounts.
@Tom-Elliott Thanks as your last string works like a charm!
So Iāve created 2 LDAP connections, one with userPrincipalName and the other with sAMAccountName so if users use any of them it will work !
Nowā¦what about the PXE menu ? I guess itās a different story ?
-
@fritoss007 Since the developers havenāt really looked into use email address or upn names for LDAP authentication can you do some research for them. If you could export you AD into something like excel and then create a quick formula to get the length of the upn name (could do with powershell too) and then post what is the longest UPN name (email) address you have in your AD. This would give the developers an idea if 40 characters is good enough or something else is needed.
-
One last bit, to make it a tiny bit more accurate, and compicated
^(?:[a-zA-Z0-9][\w\d \.\-]{3,40}|[a-zA-Z0-9\.%+\-]+@[a-zA-Z0-9\.\-]+\.[a-zA-Z]{2,4})$
This will make sure the first character is either letter or number (no underscore)
-
I think this regex would work best:
(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[@]?[\w0-9]*([.]?[\w0-9])+$
This isnāt perfect, but should be closer to whatās needed.
Essentially, itās looking at the final
[.]?[\w0-9]
and grouping it allowing us to add as many as wanted.Hereās a slightly better version, I think, as it will allow normal usernames or email addresses:
^(?:[\w\d][\w\d _\-]{3,40}|[\w\d.%+\-]+@[\w\d.\-]+\.[\w]{2,4})$
In the above, it will only limit 3-40 characters without email. With email, the skyās the limit. However, as @george1421 stated, the user field is only 40 characters so it would fail if you had anything larger than the field could accept.
-
@fritoss007 Iāve looked into the database bits too and the uName field is 40 characters log (that would store the upn name). So it should be large enough to hold most UPN names.
-
I might have spotted someting in the string Iām usingā¦this is our fqdn : csdufer.qc.ca and Iām using this string :
ā/(?=^.{3,40}$)^[\w][\w0-9][._-]?[\w0-9][.-]?[\w0-9]*[.-]?[\w0-9][@]?[\w0-9][.]?[\w0-9]+$/iā,
should I use this instead ?
ā/(?=^.{3,40}$)^[\w][\w0-9][._-]?[\w0-9][.-]?[\w0-9]*[.-]?[\w0-9][@]?[\w0-9][.]?[\w0-9]*[.]?[\w0-9]+$/iā,
-
@Tom-Elliott said in LDAP authentication with userPrincipalName fill with email address:
Iām more inclined to think thereās an issue before this point (at which logging likely isnāt tracking).
I agree if you donāt know what you are looking for you will never find it.
-
@george1421 Logging has not been removed, so you can easily see if an account is failing to login for some reason. (Not necessarily the why it isnāt logging in).
If itās making it to the LDAP plugin to check authentication, the request will be logged if it fails for any reason.
As itās not making it that far, Iām more inclined to think thereās an issue before this point (at which logging likely isnāt tracking).
-
Unfortunately there is no simple logging you could turn on. Youād need to add you own debug statements in the code to figure out whatās going wrong.
When I worked with Tom on the ldap plugin, I did have some basic messages logged. I know the code has been worked on since then so that debugging code may have been removed.
When we were first testing the mods a few years ago I had it working with the email address. Our focus was on getting the samaccount working with ldap reliably. If I remember right we made the decision to remove any special characters from the uid field because we ran into issues with non-low order ascii characters so Tom created those regex expressions to filter out everything except low order ascii.
One of the things you probably will run into is the UPN address will probably be longer than the field in mysql to hold the user account. I donāt really remember without looking but NT had a 15 character account limit and I bet the database field is pretty close to that. Some UPN names can exceed that length causing a login issue. Beyond the database issue, if the regex expression is updated the UPN name (or email address) should work without issue. You will still need to be mindful that the characters have to be low order ascii because the ldap program doesnāt support double byte characters at all.
-
@fritoss007 Unfortunately there is no simple logging you could turn on. Youād need to add you own debug statements in the code to figure out whatās going wrong.
We might get @george1421 to take a look at this as well. Heās been working on the LDAP plugin code more than I have.
-
I did the change but the system still refuse to authenticate my email based username from userPrincipalName AD attibute. Is there any logs where I can follow whatās going on or maybe I can test the authentication ?
-
@fritoss007 Oh yes, seems like I missed that part, sorry. Comment the check here as well and see if it works: https://github.com/FOGProject/fogproject/blob/master/packages/web/lib/fog/user.class.php#L129
-
@fritoss007 If you make the change on the LDAP side, you will likely need to ensure that change is made wherever itās checked (including the user file as referenced in the post you found.)
-
I tried comment/delete the uername format test without success.
I have found this post and I donāt know if this could be relevante :
https://forums.fogproject.org/post/109449 -
@fritoss007 Yes, seems like the current LDAP plugin implementation does not allow for
@
character in the user name. See code here: https://github.com/FOGProject/fogproject/blob/master/packages/web/lib/plugins/ldap/class/ldap.class.php#L259So you might want to change
/var/www/html/fog/lib/plugins/class/ldap.class.php
on your FOG server and remove or comment those lines from the code. Let us know if it works for you and weāll consider adding that change to the official code base.