himmelblau-idm / himmelblau

Azure Entra ID Authentication, with PAM and NSS modules.
GNU General Public License v3.0

Ability to use a different object or change the UPN for username #179

Open tastle73 opened 1 week ago

tastle73 commented 1 week ago

This is probably an ER.

I would like to be able to use something other than the user@domain for the username. Is this possible?

dmulder commented 1 week ago

I think Entra ID requires the upn (user@domain) for authentication. I was considering mapping this to the cn though (so that you could leave off the @domain part). Is this what you're interested in?

tastle73 commented 1 week ago

That would work. I have also seen SAML registered apps allow for the UPN to be munged from the AAD side.

dmulder commented 1 week ago

This shouldn't be too difficult to add. It would get tricky FYI if you have multiple configured domains, because then we'd pick the first matching user. For example, if you have 2 domains example.com and test.com configured, then a user with the UPN tux in each domain (tux@example.com and tux@test.com), then we'd have to just pick the first user in the domain list.

tastle73 commented 1 week ago

Now that I think of it, that won't work for our use case. I need to be able to distinguish the AAD users from the local users and prevent username collisions. What would probably be useful is a parser where I could use the cn + another string like ABCtom for example.

dmulder commented 1 week ago

Himmelblau filters out local account names and ignores them. As long as the CNs don't collide with local account names, it would be fine.

tastle73 commented 1 week ago

They will collide. A lot of our usernames are not very unique.

dmulder commented 1 week ago

Are the users related? Can we map the local user to an Entra Id user?

tastle73 commented 1 week ago

No, not at all.

dmulder commented 1 week ago

Hrm, maybe I could introduce a filter option, which matches ABCtom then translates it to tom@abc.com, etc.
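
As an added illustration of the prefix filter proposed above (not Himmelblau's own code; the `UpnMapper` name, the rule table and the rejection rule are assumptions), this Rust snippet maps a prefixed login such as `ABCtom` to `tom@abc.com`, passes a full UPN through unchanged, leaves unprefixed names to local account handling so `tom` and `ABCtom` cannot collide, and refuses a name whose remainder would not form a clean UPN local part.

```rust
/// Result of mapping a login name typed at the PAM prompt.
#[derive(Debug, PartialEq)]
pub enum Mapped {
    /// Resolved to one Entra ID UPN.
    Upn(String),
    /// No prefix rule matched: leave it to the local account handling.
    Local,
    /// A rule matched but the remainder is not a safe UPN local part.
    Rejected(String),
}

/// Prefix rules, e.g. ("ABC", "abc.com"): "ABCtom" -> "tom@abc.com".
/// (Assumed configuration shape; the project may choose another.)
pub struct UpnMapper {
    rules: Vec<(String, String)>,
}

impl UpnMapper {
    pub fn new(rules: &[(&str, &str)]) -> Self {
        let mut rules: Vec<(String, String)> = rules
            .iter()
            .map(|(p, d)| (p.to_string(), d.to_string()))
            .collect();
        // Longest prefix first so "ABCD" is tried before "ABC".
        rules.sort_by(|a, b| b.0.len().cmp(&a.0.len()));
        UpnMapper { rules }
    }

    pub fn map(&self, login: &str) -> Mapped {
        // Already a full UPN: hand it to Entra ID unchanged.
        if login.contains('@') {
            return Mapped::Upn(login.to_string());
        }
        let safe = |c: char| c.is_ascii_alphanumeric() || "._-".contains(c);
        for (prefix, domain) in &self.rules {
            match login.strip_prefix(prefix.as_str()) {
                Some(cn) if cn.is_empty() => continue,
                Some(cn) if !cn.chars().all(safe) => {
                    return Mapped::Rejected(login.to_string())
                }
                Some(cn) => return Mapped::Upn(format!("{cn}@{domain}")),
                None => {}
            }
        }
        // Unprefixed names never reach Entra ID, so local accounts
        // and mapped accounts cannot collide.
        Mapped::Local
    }
}

fn main() {
    let mapper = UpnMapper::new(&[("ABC", "abc.com"), ("ABCD", "abcd.example")]);
    for login in ["ABCtom", "ABCDjane", "tom", "ABC", "ABCt m"] {
        println!("{login} -> {:?}", mapper.map(login));
    }
}
```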

tastle73 commented 1 week ago

That would definitely work for us :)

dmulder commented 1 week ago

I think I'm going to provide a script option, where you can provide a custom script that modifies the username as you wish.

tastle73 commented 1 week ago

Let me know if you need someone to test.

dmulder commented 1 week ago

Ok, I'll probably have something for you to try today.

dmulder commented 1 week ago

Hrm, I forgot that this could affect the user cache. This may take me a bit to sort out.