OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 20.7 Legacy Series »
  • importing AD users cuts off the username
« previous next »
  • Print
Pages: 1 [2]

Author Topic: importing AD users cuts off the username  (Read 4930 times)

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17661
  • Karma: 1611
    • View Profile
Re: importing AD users cuts off the username
« Reply #15 on: January 04, 2021, 08:13:54 pm »
Let's call it username alias then... it still needs to be a well-defined field (email is the most common) and it must be unique to work and then you also have to prevent overlapping alias and real other user names (uh-oh, easier with email vs. clear username to double-check).

Maybe the group matching can be used to just steer the authentication from a remote LDAP user to a local group with the proper GUI privileges? You still need to set this up locally, but don't have to deal with user imports at all.


Cheers,
Franco
Logged

Fright

  • Hero Member
  • *****
  • Posts: 1777
  • Karma: 164
    • View Profile
Re: importing AD users cuts off the username
« Reply #16 on: January 05, 2021, 05:20:00 am »
Thank you for your patience. I seem to begin to understand.  :D
So another question: why bother creating a local account ('/usr/sbin/pw  ')  for the ldap-imported user if integrated auth enabled, and not just writing to the config only?
this would remove the OS-restrictions for ldap-accounts?

Quote
Maybe the group matching can be used to just steer the authentication from a remote LDAP user to a local group with the proper GUI privileges? You still need to set this up locally, but don't have to deal with user imports at all.
yes i thought it worked like that when you mentioned it, but LDAP/ACL php-scripts seem to be hardcoded to the user in the config (so authenticated user should be in config to get\sync privileges)
« Last Edit: January 05, 2021, 08:12:39 am by Fright »
Logged

Fright

  • Hero Member
  • *****
  • Posts: 1777
  • Karma: 164
    • View Profile
Re: importing AD users cuts off the username
« Reply #17 on: January 05, 2021, 02:39:31 pm »
@franco
I quickly tested the idea: added a check for non-empty 'user_dn' before calling local_user_set (dont create local user on ldap import). This works with arbitrary ldap username (userPrincipalName with @domainparts in my case).
groups are synchronized via LDAP after login, privileges sets and user can work with GUI .
so the question remains:what is the purpose of registering ldap-user in the local database ('/usr/sbin/pw  ') and what is the risk of skipping it?
« Last Edit: January 05, 2021, 02:42:31 pm by Fright »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17661
  • Karma: 1611
    • View Profile
Re: importing AD users cuts off the username
« Reply #18 on: January 05, 2021, 02:44:14 pm »
That sounds like progress.  :)

The reason is shell access (console or SSH).


Cheers,
Franco
Logged

Fright

  • Hero Member
  • *****
  • Posts: 1777
  • Karma: 164
    • View Profile
Re: importing AD users cuts off the username
« Reply #19 on: January 05, 2021, 03:09:30 pm »
logical, thanks!
in this case (with preservation of shell access) this feature requires too complex changes with unclear benefits
I have no more ideas ;D
Logged
  • Print
Pages: 1 [2]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 20.7 Legacy Series »
  • importing AD users cuts off the username
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2