LDAP-User created with uid


#1

When I configure the LDAP authentication (openldap) in ownCloud 10.0.2, users from the LDAP can login to owncloud but obviously the username of the internally created user is alwas the objectGUID/UID in the LDAP.

This clashes with the 2FA API, since the 2FA API uses this strange username to do the second authentication step.
This makes no sense:

  1. the user logs in with the username "cornelius" but
  2. ownCLoud internally uses "3c2e5e7c-[...]-25041a53d812".
  3. This UID is also passed to the 2FA API,
  4. Which especially will fail with privacyIDEA, since this is no valid username in the 2FA system.

Am I missing something here?
Can I manage to create a username with the actual "cn", "givenName" or "sAMAccountName"?

Thanks a lot
Cornelius


#2

In the LDAP configuration you can change the internal username in the expert tab. You might need to clear the mappings.

There are several things you must know before changing this:

  • Changing the attribute isn't supported once the system starts rolling. DO NOT change it in production.
  • You might need to clear the stored mappings. Again DO NOT clear them in production since all the data associated to those users will be lost
  • It's your responsability to keep the attribute unique in the whole system. The object uuid is usually used for that. Expect issues if this isn't respected.

I don't know what options the 2FA system has, but I'd recommend to check them and try to solve it from there. We're recommending to use the default uid (objectuid) because it's guaranteed to be unique and give less issues.


#3

Thanks a lot!
I did not see this. The expert tab is on the far right :wink:

OK, but what sill puzzles me, the user still logs in with "cornelius" and internally it is mapped to the UUID.
The UUID is the "internal user".

So what is the loginname "cornelius" called?

This might result in a problem with the 2FA API, which gets the parameter IUser $user.

Usually the 2FA provider would use

$user->getUID()

to pass the loginname to the auth system. Because the auth system also handles login names.

Looking at private/User/Account.php I do not see, which attribute or member function would return actually the login name of the user.
If you or @deepdiver1975 could shed some light how to retrieve the login name from the IUser object, this would be great!


#4

I think that's controlled by the login filter, which is set to use the uid by default

(&(&(|(objectclass=inetOrgPerson)))(uid=%uid))

You can login with the mail for example

(&(&(|(objectclass=inetOrgPerson)))(mail=%uid))

The internal username (set in the expert tab) should be what the $user->getUID() should be fetching. I guess you'll need to match both whatever you set in the expert tab and whatever you'll use as login filter.


#5

Thanks a lot. I test this later.


#6

I realized, it works like expected when I set the Internal Username Attribute on the expert tab to samaccountname.

THanks for all the input!