dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

[FR] [Kerberos] [Linux] Add SID Claims under Linux when using Kerberos auth. #31959

Open filimonic opened 3 years ago

filimonic commented 3 years ago

ActiveDirectory (Windows) specific claims should be added when using Negotiate Kerberos auth under Linux implementation.

primarysid
primarygroupsid
groupsid
denyonlysid

Under Linux, the claims described above are currently received using LDAP. Kerberos has mechanisms to avoid any additional queries to get group SIDs and user SIDs. However, currently under Linux the only claim received without using LDAP is the name claim.

blowdart commented 3 years ago

Linking these two together for Jun to investigate https://github.com/dotnet/aspnetcore/issues/32037

ghost commented 3 years ago

Thanks for contacting us.

We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or it's a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled, you can read more about our triage process here.

gozhang2 commented 3 years ago

+1 on this request. I am using the Negotiate library in a Linux setup as well, but by default there is only the name claim available; we have to make an additional LDAP query to get the primarysid claim.

BTW can you please share how the name claim is formed? Based on my experiment it is <sAMAccountName>@<domain>, is this correct?

Your help is much appreciated!

JunTaoLuo commented 3 years ago

Yes, that is the format we expect for name.
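
The LDAP workaround discussed above, as an added example that is not code from dotnet/aspnetcore or from any commenter: it splits the `<sAMAccountName>@<domain>` name claim, builds an injection-safe search filter, and converts a binary `objectSid` into a `primarysid` claim. The `SidClaims` class, the account name and the SID bytes are constructed for illustration, and the LDAP search that returns `objectSid` is assumed to be done by the caller.

```csharp
// Added example, not ASP.NET Core's own code. Assumes the caller has already
// fetched the user's binary objectSid attribute with the filter built below.
using System;
using System.Buffers.Binary;
using System.Security.Claims;
using System.Text;

public static class SidClaims
{
    // Split "<sAMAccountName>@<domain>" on the last '@'.
    public static (string Account, string Domain) SplitName(string name)
    {
        int at = name.LastIndexOf('@');
        if (at <= 0 || at == name.Length - 1)
            throw new FormatException("expected <sAMAccountName>@<domain>");
        return (name[..at], name[(at + 1)..]);
    }

    // RFC 4515 escaping, so the account name cannot change the filter's structure.
    public static string BuildFilter(string account)
    {
        var sb = new StringBuilder("(sAMAccountName=");
        foreach (char c in account)
            sb.Append((c is '\\' or '*' or '(' or ')' or '\0') ? $"\\{(int)c:x2}" : c.ToString());
        return sb.Append(')').ToString();
    }

    // Binary SID: revision, sub-authority count, 48-bit big-endian authority,
    // then little-endian 32-bit sub-authorities.
    public static string SidToString(byte[] sid)
    {
        if (sid.Length < 8 || sid.Length != 8 + 4 * sid[1])
            throw new FormatException("malformed SID");
        ulong authority = 0;
        for (int i = 2; i < 8; i++) authority = (authority << 8) | sid[i];
        var sb = new StringBuilder($"S-{sid[0]}-{authority}");
        for (int i = 0; i < sid[1]; i++)
            sb.Append('-').Append(BinaryPrimitives.ReadUInt32LittleEndian(sid.AsSpan(8 + 4 * i, 4)));
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample principal and SID bytes.
        var user = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "jdoe@EXAMPLE.COM") }, "Negotiate"));
        var (account, domain) = SplitName(user.FindFirst(ClaimTypes.Name)!.Value);
        byte[] sid = { 1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 0xE9, 3, 0, 0 };
        user.AddIdentity(new ClaimsIdentity(new[] { new Claim(ClaimTypes.PrimarySid, SidToString(sid)) }));
        Console.WriteLine($"{domain}: {BuildFilter(account)} -> {user.FindFirst(ClaimTypes.PrimarySid)!.Value}");
    }
}
```

In an application, the same steps would run inside an `IClaimsTransformation` so the claim is added once per authenticated request.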

ghost commented 3 years ago

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectations regarding different types of issues, you can read our Triage Process.