Open flotpg opened 5 years ago
There seems to be something in user_ldap which could help: https://github.com/nextcloud/server/issues/7299
There is a function sanitizeDN($dn) in Helper.php of apps/user_ldap/lib. This function processes DNs obtained from LDAP and lowercases them: $dn = mb_strtolower($dn, 'UTF-8');
This only sanitizes the DN, not the attributes I use: we chose UPN here to match exactly the name submitted by Azure AD via SAML:
@flotpg Are you connecting your Nextcloud with the Azure Active Directory Domain Service to the Azure AD with LDAP? Or do you have a separate AD running, which is synchronizing? We are struggling with the right setup here and you seem to have achieved it 😉 Looking forward to your response. Best, erosinger
Hey erosinger,
We have a setup like this:
LDAP Configuration:
SAML Configuration:
Azure Enterprise Application:
I struggled a lot with duplicates, not matching users, etc. (User not provisioned, etc.). You must ensure that the values submitted by Azure/SAML always match your local AD/LDAP. Your next enemy: upper case / lower case :) Sanitizing all users/UPNs to lower case is easy via the User Attributes & Claims settings in Azure. The problem is probably your LDAP UPNs: if they are upper case and Azure is lower case it will not match!
I achieved this by converting all UPNs in ActiveDirectory to lowercase:
```powershell
Import-Module ActiveDirectory

# Collect the accounts in the OU whose UPNs should be normalized
$arrac = Get-ADUser -Filter * -Properties SamAccountName, EmailAddress, UserPrincipalName -SearchBase "OU=TestAccounts,DC=AD-Domain,DC=local"

foreach ($user in $arrac) {
    # Skip accounts without a UPN (put $null on the left so a multi-valued result does not break the comparison)
    if ($null -ne $user.UserPrincipalName) {
        $sam = $user.SamAccountName
        $UserPrincipalName = $user.UserPrincipalName.ToLower()
        # Write step, left commented out as posted: uncomment to apply the lowercase UPN
        #Set-ADUser -Identity "$sam" -UserPrincipalName $UserPrincipalName
    }
}
```
Where are you based? If you need more consulting / remote assistance setting this up we could arrange a remote session... Regards, Flo.
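Before running a rename like the one above, a practitioner usually wants a dry run that lists what would change and flags accounts whose UPNs differ only by case, since those collapse onto the same value after lowercasing and a SAML login for that UPN could then match either account. The following is an added example, not code from the thread; it works on constructed sample objects shaped like Get-ADUser output so it runs offline, and the OU in the comment is a placeholder.

```powershell
# Added example: plan a lowercase-UPN normalization without touching AD,
# and surface UPNs that would collide once lowercased.
# Offline input: constructed objects shaped like Get-ADUser output. Against a real
# directory, replace $sample with
#   Get-ADUser -Filter * -Properties SamAccountName, UserPrincipalName -SearchBase "OU=<your-ou>,DC=<domain>,DC=<tld>"

function Get-UpnLowercasePlan {
    param([Parameter(Mandatory)][object[]]$Users)

    $plan = foreach ($u in $Users) {
        # Accounts without a UPN are not SAML-matchable and are skipped
        if ([string]::IsNullOrEmpty($u.UserPrincipalName)) { continue }
        $lower = $u.UserPrincipalName.ToLowerInvariant()
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Current        = $u.UserPrincipalName
            Target         = $lower
            NeedsChange    = ($lower -cne $u.UserPrincipalName)   # -cne: case-sensitive compare
        }
    }

    # Group by the lowercase target: more than one account per target means the
    # UPNs differ only in case and must be resolved manually before Set-ADUser.
    $collisions = $plan | Group-Object Target | Where-Object Count -gt 1

    [pscustomobject]@{
        Changes    = @($plan | Where-Object NeedsChange)
        Collisions = @($collisions | ForEach-Object { $_.Group })
    }
}

# Constructed sample data (not real accounts)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'JDoe@ad-domain.local' }
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'asmith@ad-domain.local' }
    [pscustomobject]@{ SamAccountName = 'svc1';   UserPrincipalName = $null }
    [pscustomobject]@{ SamAccountName = 'jdoe2';  UserPrincipalName = 'jdoe@AD-Domain.local' }
)

$result = Get-UpnLowercasePlan -Users $sample

"Accounts that would be renamed:"
$result.Changes | Format-Table -AutoSize
"UPNs that collide after lowercasing (resolve these first):"
$result.Collisions | Format-Table -AutoSize

# Apply only once the collision list is empty; -WhatIf previews the write without changing AD
# $result.Changes | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.Target -WhatIf }
```

With the sample above, jdoe and jdoe2 both map to jdoe@ad-domain.local and appear in the collision list, while asmith needs no change and svc1 is skipped for having no UPN; the write step stays commented out so the script is safe to run as an audit first.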
Hi @flotpg, thank you very much for this awesome explanation. This clarifies a lot and we will try to adopt your approach for our scenario, because to date it seems to be the only feasible way for a good integration ... We would love to work together with you on this 👍 I've pinged you on LinkedIn and am looking forward to getting in touch.
FYI: Regarding your privacy, I want to make you aware that your full name can be seen in one of the screenshots 😉
haha, thx for the hint ;)
Is someone working on this?
Steps to reproduce
Expected behaviour
Login with lowercase username should be possible
Actual behaviour
Server configuration
Operating system: Ubuntu 18.04
Web server: Apache2
Database: MySQL
PHP version: PHP7.3 or PHP7.2
Nextcloud version: 15.0.0
List of activated apps:
Nextcloud configuration:
Any idea how I can avoid renaming all AD accounts to lowercase? Disabling Azure AD conversion of usernames to lowercase is not an option, because it also fails if in Azure AD the name is UserName and in LDAP the name is username... So there must be a way to make the SAML plugin backend checks case-insensitive.