How to allow LDAP lookup via email address as well as samaccountname (AD)

Dave Perry d.perry1 at yorksj.ac.uk
Thu Nov 24 17:34:31 UTC 2022


SOLVED. Thought I'd share the solution.

I looked at the IdP4 Authentication documentation, and it mentioned the authn folder - so I looked in there on the old server, and checked when files had been modified. One had been modified 2 years ago, not 5 - IdP\conf\authn\password-authn-config.xml.

Starting at line 29 (on the 4.2.1 install), I copied over the following bean:parent line from the 4.1.5 config same file:
    <!-- Apply any regular expression replacement pairs to username before validation. -->
    <util:list id="shibboleth.authn.Password.Transforms">
            <!-- YSJ - enables user to enter username OR email address -->
            <bean parent="shibboleth.Pair" p:first="^(.+)@yorksj\.ac\.uk$" p:second="$1" />
    </util:list>

Tested the change via hosts file, and now the new server will be rolled back in tomorrow (once I've had another user, from the team that raised the issue, test it tomorrow for safety).

This explains why looking for mail and userPrincipalName attribute usage (beyond the resolver file) in the conf folder was futile. I'm not convinced I'd have found that via the documentation (now it's been mentioned to me, it seems a reasonably obvious case, as an example).


Dave
_________________________________________________

Dave Perry
Application Analyst  |  Innovation & Technology Services

York St John University

Lord Mayor’s Walk, York, YO31 7EX
T: +44(0)1904 876 0000
email at yorksj.ac.uk  |  www.yorksj.ac.uk

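The Transforms pair pasted above, together with the dnFormat and resolver searchFilter that Peter describes further down the thread, modelled in Python as an added example (this is not IdP code; the IdP's Java regex handling is only approximated here, and the filter escaping is this example's own). It shows what the pair does to an entered email address before the adAuthenticator binds using dnFormat, and that an address in another domain, or in different letter case, passes through untouched and ends up doubled in the bind identity.

```python
import re

# Constructed copies of the values quoted in the thread.
# Each pair is (Java regex, Java replacement), applied in order.
TRANSFORMS = [
    (r"^(.+)@yorksj\.ac\.uk$", "$1"),
]
DN_FORMAT = "%s@yorksj.ac.uk"  # idp.authn.LDAP.dnFormat
# idp.attribute.resolver.LDAP.searchFilter, with {p} standing in
# for $resolutionContext.principal (assumption: simple substitution).
SEARCH_FILTER = "(|(sAMAccountName={p})(userPrincipalName={p}))"


def _java_to_python_replacement(repl: str) -> str:
    """Java replaceAll writes group refs as $1; Python's re.sub wants \\g<1>."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", repl)


def apply_transforms(username: str) -> str:
    """Apply every (regex, replacement) pair in order, as the Transforms list does.
    The pattern as written is case-sensitive, so 'YORKSJ.AC.UK' is not stripped."""
    for pattern, repl in TRANSFORMS:
        username = re.sub(pattern, _java_to_python_replacement(repl), username)
    return username


def bind_identity(entered: str) -> str:
    """Identity the adAuthenticator would bind as: transformed username in dnFormat."""
    return DN_FORMAT % apply_transforms(entered)


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter,
    so a principal containing *, ( ) or \\ cannot alter the filter's structure."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def resolver_filter(principal: str) -> str:
    """Attribute-resolver search filter for the (already transformed) principal."""
    return SEARCH_FILTER.format(p=ldap_filter_escape(principal))
```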

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Dave Perry via users <users at shibboleth.net>
Sent: 24 November 2022 13:22
To: Shib Users <users at shibboleth.net>
Cc: Dave Perry <d.perry1 at yorksj.ac.uk>
Subject: Re: How to allow LDAP lookup via email address as well as samaccountname (AD)


Peter

Thanks for the initial response.

The config I copied over does indeed set adAuthenticator at the top, and already has the line 'idp.authn.LDAP.dnFormat = %s at yorksj.ac.uk'.

It's the authentication stage that is failing. If I enter my email address as the username, I specifically get a password error.

Thanks
Dave

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober via users <users at shibboleth.net>
Sent: 24 November 2022 12:36
To: users at shibboleth.net <users at shibboleth.net>
Cc: Peter Schober <peter.schober at univie.ac.at>
Subject: Re: How to allow LDAP lookup via email address as well as samaccountname (AD)



* Dave Perry via users <users at shibboleth.net> [2022-11-24 12:45]:
> Looking at the old ldap.properties file (which was pasted in over
> the stock 4.2.1.1 installed one) [...]

So you did a "fresh" install of the current software and are now
trying to make it behave as before by copying back some of the config
files?  At least I can't see why copying over the old config over the
"stock" one would have been necessary otherwise.

> the LDAP filter:
> idp.authn.LDAP.userFilter= (sAMAccountName={user})
>
> No mention of UPN, or mail, in that file.
>
> I tried the following filter rule, to no avail (it didn't stop samaccountname logins working, just didn't pick up the email address ones):
> idp.authn.LDAP.userFilter= (| (sAMAccountName={user}) (userPrincipalName={user}) )

The first thing you'd need to decide (or determine) is what
"authenticator strategy" to use (or is configured). Since your LDAP
server implementation is M$-AD that (idp.authn.LDAP.authenticator =
adAuthenticator) would be an obvious choice.

That then determines whether the idp.authn.LDAP.userFilter setting is
even used at all. With the adAuthenticator it's /not/ used for
authentication, that instead relies on a M$-proprietary extension
using direct lookups configured with the idp.authn.LDAP.dnFormat (note
the comments above all of these settings), e.g.

idp.authn.LDAP.dnFormat = %s at yorksj.ac.uk  # your domain

Note that depending on your LDAP DataConnector configuration you may
still need to configure an LDAP search filter in the property
"idp.attribute.resolver.LDAP.searchFilter" (a bit further below in
your ldap.properties). That's about attribute lookups and not
authentication and so needs to be set correctly even using the
adAuthenticator, e.g.:
idp.attribute.resolver.LDAP.searchFilter = (|(sAMAccountName=$resolutionContext.principal)(userPrincipalName=$resolutionContext.principal))

HTH,
-peter
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net