zorn-v / nextcloud-social-login

GNU Affero General Public License v3.0
198 stars 137 forks

change or remove prefix for usernames/groups #372

Closed xundeenergie closed 1 year ago

xundeenergie commented 1 year ago

Hi! I tried social login via openid and keycloak. So I have to set a name for the authenticator, which is used as prefix for usernames and groups.

I get the groups via mapping in keycloak to be used in nextcloud. So the groups in nextcloud are named differently than in my ldap (datasource for keycloak).

And if I use different custom authenticators with this plugin (my nextcloud is reachable via 2 domains, both use the same ldap-source) my groups are duplicated, but with different prefixes...

Is it possible to make the prefix optional? A checkbox in the provider-config "Do not use prefix"

Also the username is prefixed. I understand why you add this. But changing from local login to openid-login does not work; it is a new user.

And is it possible to map another criterion from the token as username? The other Openid-Plugin for Nextcloud can do this mapping via serverside configuration. I have a managed nextcloud, and no possibility to use this plugin.

zorn-v commented 1 year ago

Is it possible to make the prefix optional? A checkbox in the provider-config "Do not use prefix"

No. OAuth is not a trusted source, and something like "admin" can arrive from there. All users in group "admin" are admins in nextcloud, by the way.

Same for login/email/whatever

The other Openid-Plugin for Nextcloud can do this

So use it, no ?

xundeenergie commented 1 year ago

I told you... this is a managed service, I have no server access.

On the other nextcloud-server I use, I have server access.

I mean, let the admin choose for each authenticator if it is a trusted source; then I can leave the prefix away... if it is not a trusted service, usernames and groups have a prefix.

zorn-v commented 1 year ago

I mean, let the admin choose for each authenticator if it is a trusted source

Most "admins" configure as "the internet says". Does not satisfy? You are welcome to use another plugin.

xundeenergie commented 1 year ago

I'm not able to use another plugin. I found two: this one, and one I can configure serverside.

On the one instance of nextcloud I have no server access. It is a managed service. So I have to use this plugin...

zorn-v commented 1 year ago

So, adapt your needs to the plugin requirements then.

xundeenergie commented 1 year ago

Oh...

No.

I'm the admin of my keycloak-instance. Therefore THIS source for authentication is safe.

Let the admin choose which authenticator is safe, and which not. Please.

Make a checkbox for every custom Authenticator, and give an advice next to the checkbox.

Please.

You can use Openid and ldap together. Openid for authentication, ldap for profile information and groups. With prefixed group- and usernames, you break this workflow.

zorn-v commented 1 year ago

Other users find a way. You ask to **ck security just for your needs.

xundeenergie commented 1 year ago

Yes. I ask for "give me as admin of my keycloak the possibility to use my keycloak for authentication in nextcloud, not breaking user- and groupnames", and other openid-providers could stay as now...

I ask you for "give me the possibility", not for "do it for all". Just "please let ME choose".

It is MY keycloak under MY control. If I lose control over my keycloak, it is a problem... then all other is also fucked up...

xundeenergie commented 1 year ago

You break the possibility to authenticate via openid AND get user-infos via ldap.

Do you think ldap is also a security risk? Every external authentication-source is a security risk?

Please tell me, why is a selfhosted keycloak as openid-connect provider more of a security risk than a selfhosted ldap or a selfhosted nextcloud?

zorn-v commented 1 year ago

LDAP is not my responsibility.

Please tell me, why is a selfhosted

Because I do not know whether it is selfhosted or not. And no, "admins" should not change it if it is critical.

zorn-v commented 1 year ago

You break the possibility to authenticate via openid AND get user-infos via ldap.

Well, okay. I knew at the start that there would be requests like "give-me-full-access-to-everything". If you want, just fork. If you can't, sorry.

xundeenergie commented 1 year ago

Please. Don't be rude.

I tell you the situation here. And you will sit on my face...

There is a managed nextcloud. 5€ for 1TB space. It's hetzner, if you know. I have my own Nextcloud at a hetzner vserver. It is too expensive to resize the space to this size I can get for 5€, but managed.

I know, LDAP is not your job. But Nextcloud allows you to do authentication via keycloak but get user information (CN, avatar picture, phone number... and so on) via LDAP.

And, maybe you do not understand what I want...

Not to select every OpenID-Connect-Provider or not... just give the admin the possibility to allow ONE, their own, OpenID-Connect-Provider to create groups and usernames without prefix.

But I see. You are not willing to do this.

Thank you for nothing.

mohsensaeedi commented 1 year ago

This is required for us too. Everyone with LDAP and a self-hosted nextcloud needs to have users without any prefix. This feature is implemented in the SAML2 plugin. I think it is better to have an option to create users without prefix if the user does not exist. It prevents accidentally creating an admin user, for example.

Because of this missing feature, I'm forced to switch to the SAML2 plugin.

Thanks

Keyinator commented 1 year ago

While I appreciate the concern here, the option to remove the prefix would only be changeable by an admin itself so I don't see any security risks. Another thing to note is that some don't use it for discord, gitlab, etc. but just for an internal auth-provider (like authentik) and have full control over the shared usernames.

dleonarski commented 4 months ago

Being aware that this may not be the most elegant solution, I suggest you consider the following trick inside custom_apps/user_saml/lib/SAMLSettings.php (around line 80):

```php
// public const DEFAULT_GROUP_PREFIX = 'SAML';
public const DEFAULT_GROUP_PREFIX = '';
```

Also, in certain circumstances, "php occ group:delete SAML_admin" may be required.

After that SAML's 'admin' group becomes NC's built-in 'admin' group :-) In other words, all SAML2 members of the SAML 'admin' group become members of NC's native 'admin' group.
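The security argument running through this thread (the maintainer's "something like 'admin' can arrive from there" and the requested per-authenticator "trusted" switch, which is also what the SAMLSettings.php trick above amounts to) can be made concrete with a small model. The following is an added example, not code from nextcloud-social-login, user_saml or Nextcloud: it maps provider-supplied user and group names to local identifiers, with and without the authenticator-name prefix, and reports which provider groups would land on groups that already exist locally. The `<name>-` prefix format, the provider names, the claim names and the local user/group lists are assumptions and constructed sample data.

```python
# Added example (not nextcloud-social-login's code): why the authenticator
# prefix exists, what a per-provider "trusted" switch would change, and a
# check that shows the collisions an unprefixed mapping would produce.
from dataclasses import dataclass

# Constructed sample data: identifiers that already exist locally.
# "admin" is Nextcloud's built-in administrators group.
LOCAL_GROUPS = {"admin", "staff"}
LOCAL_USERS = {"admin", "alice"}


@dataclass(frozen=True)
class Provider:
    name: str              # authenticator name, used as the prefix
    trusted: bool = False  # hypothetical per-provider switch from the thread


def local_id(provider: Provider, identifier: str) -> str:
    """Map one provider-supplied user or group name to a local identifier.

    Untrusted providers are namespaced with "<name>-" (assumed format);
    a trusted provider passes the name through unchanged.
    """
    if provider.trusted:
        return identifier
    return f"{provider.name}-{identifier}"


def username_from_claims(provider: Provider, claims: dict, claim: str) -> str:
    """Pick the username from a chosen token claim (the mapping the issue
    asks for), falling back to the token subject, then apply local_id()."""
    raw = claims.get(claim) or claims["sub"]
    return local_id(provider, raw)


def colliding_groups(provider: Provider, claimed_groups) -> list:
    """Provider groups whose local mapping already exists locally.

    With the prefix in place this is normally empty; without it the
    provider's group claims can write into pre-existing, possibly
    privileged, local groups.
    """
    return sorted(g for g in claimed_groups if local_id(provider, g) in LOCAL_GROUPS)


def local_groups_per_provider(providers, claimed_groups) -> dict:
    """Local group names produced when the same LDAP-backed claims arrive
    through several authenticators: the duplication the reporter describes."""
    return {p.name: sorted(local_id(p, g) for g in claimed_groups) for p in providers}


def review_mapping(provider: Provider, claims: dict, username_claim: str) -> dict:
    """Summarise what one login would create or join locally."""
    user = username_from_claims(provider, claims, username_claim)
    groups = claims.get("groups", [])
    return {
        "user": user,
        "user_exists_locally": user in LOCAL_USERS,
        "groups": sorted(local_id(provider, g) for g in groups),
        "collisions": colliding_groups(provider, groups),
    }


if __name__ == "__main__":
    # Constructed token claims as an OIDC provider might deliver them.
    claims = {"sub": "7a1c", "preferred_username": "admin", "groups": ["admin", "users"]}
    for p in (Provider("keycloak"), Provider("keycloak", trusted=True)):
        print(p, review_mapping(p, claims, "preferred_username"))
    print(local_groups_per_provider([Provider("cloud-a"), Provider("cloud-b")], ["users"]))
```

Running it shows the trade-off in one place: the untrusted provider yields `keycloak-admin` and no collisions, the trusted one yields a bare `admin` user that already exists locally plus a collision on the `admin` group, and two authenticators over the same directory produce two distinct group sets. A per-provider switch therefore does not remove the risk; it moves the decision to whoever configures that provider.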