importing AD users cuts off the username

Started by Jhjacobs81, October 12, 2020, 11:03:46 AM

Let's call it a username alias then... it still needs to be a well-defined field (email is the most common) and it must be unique to work, and then you also have to prevent overlapping aliases and other real user names (uh-oh, easier with email vs. a clear username to double-check).

Maybe the group matching can be used to just steer the authentication from a remote LDAP user to a local group with the proper GUI privileges? You still need to set this up locally, but don't have to deal with user imports at all.


Cheers,
Franco

January 05, 2021, 05:20:00 AM #16 Last Edit: January 05, 2021, 08:12:39 AM by Fright
Thank you for your patience. I seem to begin to understand.  :D
So another question: why bother creating a local account ('/usr/sbin/pw') for the LDAP-imported user if integrated auth is enabled, and not just write to the config only?
This would remove the OS restrictions for LDAP accounts?

> Maybe the group matching can be used to just steer the authentication from a remote LDAP user to a local group with the proper GUI privileges? You still need to set this up locally, but don't have to deal with user imports at all.

Yes, I thought it worked like that when you mentioned it, but the LDAP/ACL PHP scripts seem to be hardcoded to the user in the config (so the authenticated user should be in the config to get/sync privileges).

January 05, 2021, 02:39:31 PM #17 Last Edit: January 05, 2021, 02:42:31 PM by Fright
@franco
I quickly tested the idea: added a check for a non-empty 'user_dn' before calling local_user_set (don't create a local user on LDAP import). This works with an arbitrary LDAP username (userPrincipalName with @domain parts in my case).
Groups are synchronized via LDAP after login, privileges are set and the user can work with the GUI.
So the question remains: what is the purpose of registering the LDAP user in the local database ('/usr/sbin/pw') and what is the risk of skipping it?

That sounds like progress.  :)

The reason is shell access (console or SSH).


Cheers,
Franco
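The two points raised above, that an alias must be unique and must not overlap other user names, and that a local pw(8) account only matters for users who need shell access, can be combined into one import check. The following is an added example written for this thread, not OPNsense code: it accepts the full userPrincipalName as the login name instead of truncating it at '@', rejects entries whose full UPN or local part collides with an existing user or alias, keeps the LDAP DN on the record (the `user_dn` field name is taken from the thread; `LocalUser`, `plan_import` and the sample entries are hypothetical and constructed here), and marks an OS account as needed only for users explicitly listed for console/SSH access.

```python
"""Added example (not OPNsense code): collision-checked LDAP user import plan."""
import re
from dataclasses import dataclass, field

# Hypothetical local user record: login name, optional aliases (email-style),
# the LDAP DN for LDAP-backed users, and whether a pw(8) OS account is needed.
@dataclass
class LocalUser:
    name: str
    aliases: set = field(default_factory=set)
    user_dn: str = ""        # non-empty only for LDAP-backed users
    os_account: bool = False  # True only when the user needs console/SSH access

# A userPrincipalName is kept whole; nothing is cut off at '@'.
UPN_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")


def plan_import(entries, existing, shell_users=frozenset()):
    """Return (accepted, rejected).

    entries:     iterable of dicts with 'userPrincipalName' and 'dn' (as read from LDAP)
    existing:    iterable of LocalUser already present in the config
    shell_users: login names (full UPNs) that are allowed console/SSH access
    """
    # Every name and alias already in use, compared case-insensitively.
    taken = set()
    for u in existing:
        taken.add(u.name.lower())
        taken.update(a.lower() for a in u.aliases)
    shell = {s.lower() for s in shell_users}

    accepted, rejected = [], []
    for e in entries:
        upn = e.get("userPrincipalName", "").strip()
        dn = e.get("dn", "").strip()
        if not UPN_RE.match(upn):
            rejected.append((upn, "invalid userPrincipalName"))
            continue
        if not dn:
            rejected.append((upn, "missing DN"))
            continue
        key = upn.lower()
        short = upn.split("@", 1)[0]  # local part, registered as the user's alias
        # Both the full UPN and the alias must be free of collisions.
        if key in taken or short.lower() in taken:
            rejected.append((upn, "collides with existing user or alias"))
            continue
        taken.add(key)
        taken.add(short.lower())
        accepted.append(LocalUser(name=upn, aliases={short}, user_dn=dn,
                                  os_account=key in shell))
    return accepted, rejected


# Constructed sample data for a stand-alone run.
EXISTING = [LocalUser("admin"), LocalUser("bob", aliases={"bob@corp.example"})]
ENTRIES = [
    {"userPrincipalName": "alice@corp.example", "dn": "CN=Alice,OU=Users,DC=corp,DC=example"},
    {"userPrincipalName": "bob@corp.example", "dn": "CN=Bob,OU=Users,DC=corp,DC=example"},
    {"userPrincipalName": "admin@corp.example", "dn": "CN=Admin,OU=Users,DC=corp,DC=example"},
    {"userPrincipalName": "carol", "dn": "CN=Carol,OU=Users,DC=corp,DC=example"},
    {"userPrincipalName": "dave@corp.example", "dn": ""},
]


def demo():
    return plan_import(ENTRIES, EXISTING, shell_users={"alice@corp.example"})


if __name__ == "__main__":
    ok, bad = demo()
    for u in ok:
        print("import:", u.name, "alias:", sorted(u.aliases), "os_account:", u.os_account)
    for upn, why in bad:
        print("skip:  ", upn or "<empty>", "-", why)
```

In this run only alice is imported (with an OS account, since she is in the shell list); bob is rejected because his UPN is already an alias of a local user, admin@corp.example because its local part overlaps the local admin account, carol because the value is not a UPN, and dave because the DN is empty, which is the same condition the thread uses to tell an LDAP-backed user from a local one.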

Logical, thanks!
In this case (with preservation of shell access) this feature requires too complex changes with unclear benefits.
I have no more ideas ;D