How to allow LDAP lookup via email address as well as samaccountname (AD)
Dave Perry
d.perry1 at yorksj.ac.uk
Thu Nov 24 11:45:09 UTC 2022
Hi all
We finally rolled in the 4.2.1.1 server, with the old 4.1.5 config plus some tweaks to Attribute Resolver, yesterday (it was using attribute registry AND the dataconnector, so that was corrected).
This was done as part of migrating to the latest version of Windows Server (the old one is on 2012R2, which needs to be migrated off asap).
There is one feature, which was not tested on the new one by one of the teams who knew it was there on the old service - and is now not working:
When entering a username for AD authentication, the old one would check against their regular username attribute AND their email address.
Looking at the old ldap.properties file (which was pasted in over the stock 4.2.1.1 installed one), it only mentions sAMAccountName in the LDAP filter:
idp.authn.LDAP.userFilter= (sAMAccountName={user})
No mention of UPN, or mail, in that file.
I tried the following filter rule, to no avail (it didn't stop samaccountname logins working, just didn't pick up the email address ones):
idp.authn.LDAP.userFilter= (| (sAMAccountName={user}) (userPrincipalName={user}) )
Any ideas what I'm doing wrong? Or why it stopped working between a 4.1.5 and 4.2.1.1.
Thanks
Dave
_________________________________________________
Dave Perry
Application Analyst | Innovation & Technology Services
York St John University
Lord Mayor’s Walk, York, YO31 7EX
T: +44(0)1904 876 0000
email at yorksj.ac.uk<mailto:email at yorksj.ac.uk> | www.yorksj.ac.uk<http://www.yorksj.ac.uk>
[cid:3c39963e-6e5a-4b16-b2a4-eb2025bc6da9]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20221124/50f04166/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Outlook-2dhocaak.png
Type: image/png
Size: 12155 bytes
Desc: Outlook-2dhocaak.png
URL: <http://shibboleth.net/pipermail/users/attachments/20221124/50f04166/attachment.png>
More information about the users
mailing list