LDAP uses Attribute cn or displayName but should be changeable to sAMAccountName

[devNull2and1]

As title says, got LDAP working, can login but only with Attribute cn / displayName. I did many ldap integrations with other software. Where can i configre that he take always Attribute sAMAccountName. How can i map this?

[devNull2and1]

@rustdesk please give me a hint 🔢

[rustdesk]

@fufesou please check if it is doable.

[fufesou]

@devNull2and1 Hi, thanks for your feedback.

We do not use sAMAccountName in the previous version.

But I just did a search and find that sAMAccountName is more suitable as a username. The next version will give priority to using this attribute as the username.

[devNull2and1]

hello @fufesou thx for reply. would be nice to configure it with a dropdown or just a text field from the webui. some customers maybe prefer mail or userPrincipalName or even givenName for login. We decided to take sAMAccountName cause it is the same way they login every morning when they start their pc's.

I have to wait till you release it but i would like to give them the gui to manage devices right now. Can i change it myself somewehre? Which container i have to mount, Which file i have to edit?

[rustdesk]

Agree, @fufesou make it configurable. cn as default.

[rustdesk]

givenName / userPrincipalName are unqiue? and email.

[fufesou]

I have to wait till you release it but i would like to give them the gui to manage devices right now. Can i change it myself somewehre? Which container i have to mount, Which file i have to edit?

Sorry, there's no configuration about it for now. You have to wait. I'll do it as soon as possible.

[devNull2and1]

@rustdesk I don't know exactly. this is microsoft active directory. givenName is the first name of a person and sn ist the last name. sAMAccountName and userPrincipalName should be unique cause userPrincipalName always is user.name@company.domain and sAMAccountName is always first part of userPrincipalNamebefore @.

[devNull2and1]

I'm surprised that no one has asked about this yet...

[devNull2and1]

I have to wait till you release it but i would like to give them the gui to manage devices right now. Can i change it myself somewehre? Which container i have to mount, Which file i have to edit?

Sorry, there's no configuration about it for now. You have to wait. I'll do it as soon as possible.

Ohhhh, okay, then i wait. Thank you for reply.

[willosof]

Yeah. This.

From other software - in the main LDAP config section it looks like this:

This covers the edge cases in this original topic for most people, so they can customize the fields used from LDAP.

On multiple other softwares I use LDAP for, I also have a per group query filter like this:

(&(objectClass=Person)(memberOf:1.2.840.113556.1.4.1941:=CN=TheSecurityGroup,OU=Security Groups,DC=my,DC=activedirectory,DC=com))

This is some active directory secret sauce to recursively search for group access, when we have groups that have other groups as members, to cascade access within departments/organisations etc easier.

This could easily be just (memberOf:CN=TheSecurityGroup,OU=Security Groups,DC=my,DC=activedirectory,DC=com) as well, but then it wouldn't be recursive, something that makes this whole thing very, very nice.

And for the individual group filters; Optimally, if all

• Groups
• Strategies
• Source computers (not that important)
• Destination computers (not that important)

.. had an optional LDAP search filter, the entire access management could be handled and administered by the LDAP server.

So, if security group names in LDAP/AD looks like:

• ORG1-ADMIN (member of group ORG1-CLIENT)
• ORG1-CLIENT
• ORG1-ADMIN (member of group ORG2-CLIENT)
• ORG1-CLIENT
• DA-RUST-ADMIN (member of ORG1-ADMIN, ORG2-ADMIN)

Me as as a DA-RUST-ADMIN member could log into all ORG1 and ORG2 Users as ORG1-CLIENT member could only log in and be controlled by ORG1-ADMIN users Users as ORG2-ADMIN member could log in and control devices logged in with ORG2-CLIENT users.

The users within the resources you don't have access to, should be completely hidden from the client applications. And optimally be refreshed from server within a admin-specified interval.

Sorry to just throw this at you like this, but it's something that would make my life SO much easier, and would be my tipping point for buying probably mutiple top tier licenses. (I have access to one today to review it)

Context; One LDAP for 15 companies, 200 employees, 2000 users (freelancers and clients), 100 security groups, some users are employed by us, some are also our clients, and some users work in multiple companies. LDAP solves this easily, and the users+groups are being administered by the different companies from a separate system. Most importantly, admins/clients for ORG1 should NEVER see anything at all about ORG2 when they log in.)

NB: I see some holes in my theory - but in strategies alone, filters would be a REALLY good start.

Lastly I would like to thank you all for the work you do to challenge the expensive alternatives out there!

[rustdesk]

Your username is set to "mforstner" because you have set the "Username attribute" to "sAMAccountName".

You may need to change it to another attribute.

@MichaelF25 ignore this, this is our stupid bug.

[devNull2and1]

@fufesou @rustdesk i updated to 1.1.11 and changed Username attribute to sAMAccountName or Bind sAMAccountName i also get I/O error: User Not found that means bind is not working. Fallback Bind CN is working.

I opened that issue, watch my Issue and screenshot at the top. Login with Max Mustermann work. Login with max.mustermann do not work.

So, i can confirm, sAMAccountName still not possible!

[rustdesk]

@devNull2and1 sorry for this. @fufesou understood the issue wrong, had a wrong fix.

[devNull2and1]

No Problem. Nice to see that you work on Issues 👍

[devNull2and1]

@MichaelF25 In your the other LDAP integrations, can both "mforstner" and "Michael Forstner" log in?

you did not ask me but we have other ldap integrations like icewarp, gitea, forgejo, jira, bitbucket, sonciwall, sophos, pfsense, opnsense, openvpn i can continue with much more :) ....we can use sAMAccountName everywhere and login with max.mustermann

[rustdesk]

@devNull2and1 do you mean both names work? you can use "mforstner" (sAMAccountName) to log in, you can also use "Michael Forstner" (binddn name) to log in.

[devNull2and1]

@rustdesk on most other integrations:

• when i choose attribute sAMAccountName then only max.mustermann works
• when i choose attribute cn only max mustermann works without dot.
• when i choose attribute sn only mustermann works.
• when i choose attribute principalName only max.mustermann@domain.com works.

[devNull2and1]

@rustdesk not case sensitive. with attribute cn i can login with max mustermann and with Max Mustermann i think it is in cause of microdoofy windoofy. not case sensitiv thingy

[rustdesk]

The fix is pushed to latest docker, https://hub.docker.com/r/rustdesk/rustdesk-server-pro/tags

[devNull2and1]

Thank you. Login is working now with max.mustermann when i choose user attribute sAMAccountName.

[jbarciat]

Hello, As we have been discussing via email, I'm posting it here:

I have been following docs and that issue but haven't been able to make it work. I have tried using cn, dn, sAMAccountName, and userPrincipalName as the username attribute, but it doesn't work. It keeps returning the same I/O error: User not found. I have also been testing with ldapsearch to verify that the attributes are correct, and they indeed are. I’m attaching some screenshots of my configuration in the RustDesk console, the ldapsearch results, and the error I get when trying to log in. Thank you very much for your help.

RustDesk Console:

Ldapsearch:

Log In error:

[fufesou]

@jbarciat Hi, how about removing the filter?

[jbarciat]

@jbarciat Hi, how about removing the filter?

The problem was the filter. I changed to (&(objectClass=user)(memberOf=CN=RUSTDESK,CN=Users,DC=,DC=local)) and now I can log in with AD user.

Thanks