xperseguers / t3ext-ig_ldap_sso_auth

TYPO3 Extension ig_ldap_sso_auth. This extension provides LDAP and SSO support for TYPO3.
https://extensions.typo3.org/extension/ig_ldap_sso_auth

Adapting `username` with TypoScript fails #146

Closed cdaecke closed 1 year ago

cdaecke commented 1 year ago

As written in the documentation, I would assume that I get firstname.lastname out of firstname.lastname@domain.local by using the following TypoScript in the LDAP configuration for be_users (field be_users_mapping), but I get an empty value:

username {
    field = userPrincipalName
    split {
        token =@
        cObjNum = 1
        returnKey = 0
        1.current = 1
        1.wrap = |
    }
}

Using the following works:

username {
    field = mail
    split {
        token =@
        cObjNum = 1
        returnKey = 0
        1.current = 1
        1.wrap = |
    }
}

Is there a reason why I can't use userPrincipalName, or is this a bug?

xperseguers commented 1 year ago

The only reason I can think of is that somehow userPrincipalName is not a returned attribute from LDAP. For instance I remember that in some cases (or some LDAP configurations), the attributes are always lowercase.

When using the search wizard, do you confirm you really get a userPrincipalName attribute?

cdaecke commented 1 year ago

You are absolutely right, userprincipalname (all lowercase) is working:

username {
    field = userprincipalname
    split {
        token =@
        cObjNum = 1
        returnKey = 0
        1.current = 1
        1.wrap = |
    }
}

One more question: How do you cope with the limitation of 20 characters in sAMAccountName? I thought switching to userprincipalname would work and give me the full login name. The above example cuts off the "@domain.local" successfully and saves "firstname.lastname" as username in the TYPO3 database, but the login is not working, because in the LDAP field be_users_filter it checks against the full userprincipalname, which obviously can't work:

(&(objectCategory=Person)(userprincipalname={USERNAME})(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

PS: Thanks for the hint about the search wizard, I never had a close look at it.

xperseguers commented 1 year ago

If you really want to cut off the username, I guess you should switch the filter so that there is a wildcard (or @*) appended automatically. Did you try?

cdaecke commented 1 year ago

Adding the string which I cut off helped. So a combination of this filter (be_users_filter):

(&(objectCategory=Person)(userprincipalname={USERNAME}@domain.local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

and this mapping configuration (be_users_mapping):

username {
    field = userprincipalname
    split {
        token =@
        cObjNum = 1
        returnKey = 0
        1.current = 1
        1.wrap = |
    }
}

works for me.

Thanks for your help and this outstanding extension!
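To make the interplay of the three points in this thread concrete (the LDAP server returning attribute names in lowercase, the `split` mapping that strips `@domain.local`, and the filter that appends the suffix again at login), here is a small Python model. It is an added example, not code from ig_ldap_sso_auth or TYPO3: the sample LDAP entry, the `domain.local` suffix and the helper names (`get_attribute`, `map_username`, `build_filter`, `roundtrip`) are constructed for illustration, and `map_username` only mimics the effect of the TypoScript `split` shown above. The example also escapes the substituted login name per RFC 4515 before placing it in the filter, which is standard practice for any value interpolated into an LDAP filter; the thread does not show how the extension itself performs the `{USERNAME}` substitution.

```python
"""Model of the be_users_mapping `split` and the be_users_filter from the thread.

Added example, not code from ig_ldap_sso_auth. The entry, suffix and helpers
are constructed for illustration only.
"""

# Constructed sample entry. Attribute names arrive lowercased, mirroring the
# behaviour observed in the thread (userPrincipalName shows up as
# userprincipalname in the search wizard). sAMAccountName is truncated to
# 20 characters, which is the limitation cdaecke wanted to work around.
SAMPLE_ENTRY = {
    "samaccountname": ["firstname.lastnam"],
    "userprincipalname": ["firstname.lastname@domain.local"],
    "mail": ["firstname.lastname@domain.local"],
}

DOMAIN_SUFFIX = "@domain.local"  # constructed, matches the thread's filter

# The working be_users_filter from the thread.
FILTER_TEMPLATE = (
    "(&(objectCategory=Person)"
    "(userprincipalname={USERNAME}@domain.local)"
    "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Characters RFC 4515 reserves inside a filter assertion value.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def get_attribute(entry, name, case_insensitive=True):
    """Return the first value of `name` from an LDAP entry, or '' if absent.

    With case_insensitive=False this reproduces the original symptom: looking
    up `userPrincipalName` in an entry keyed `userprincipalname` finds nothing,
    so the mapped username is empty.
    """
    if case_insensitive:
        lowered = {k.lower(): v for k, v in entry.items()}
        values = lowered.get(name.lower(), [])
    else:
        values = entry.get(name, [])
    return values[0] if values else ""


def map_username(entry, field, token="@", return_key=0, case_insensitive=True):
    """Mimic the TypoScript `split` from the thread: split `field` on `token`
    and return the part at `return_key` (returnKey = 0 keeps the local part)."""
    raw = get_attribute(entry, field, case_insensitive)
    if not raw:
        return ""
    parts = raw.split(token)
    return parts[return_key] if len(parts) > return_key else ""


def escape_filter_value(value):
    """Escape a value before interpolating it into an LDAP filter (RFC 4515)."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username, template=FILTER_TEMPLATE):
    """Substitute the TYPO3 login name into the be_users_filter template."""
    return template.replace("{USERNAME}", escape_filter_value(username))


def roundtrip(entry):
    """Derive the TYPO3 username from the entry, build the login filter, and
    check that username + suffix matches the entry's own userprincipalname.

    Returns (username, ldap_filter, matches).
    """
    username = map_username(entry, "userPrincipalName")
    ldap_filter = build_filter(username)
    upn = get_attribute(entry, "userprincipalname")
    matches = upn.lower() == (username + DOMAIN_SUFFIX).lower()
    return username, ldap_filter, matches


if __name__ == "__main__":
    # Original config: case-sensitive lookup of userPrincipalName -> empty.
    print(repr(map_username(SAMPLE_ENTRY, "userPrincipalName", case_insensitive=False)))
    # Fixed config: lowercase attribute name -> local part of the UPN.
    print(map_username(SAMPLE_ENTRY, "userprincipalname"))
    print(roundtrip(SAMPLE_ENTRY))
```

Running the block prints the empty string for the case-sensitive lookup (the first symptom in the thread), `firstname.lastname` for the lowercase lookup, and a round trip in which the filter built from the stored username matches the entry's full userPrincipalName again.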