LDAP / AD integration is not working correctly when samAccountName differs from UPN and/or email prefix #9186
Comments
cc @nextcloud/ldap
LDAP config and Nextcloud log are missing, please file them. There are no known issues with multiple login attributes, I would assume some config issue. In the end they are just used to look up the user's DN to bind against it.
Well, let me clarify just a bit - unfortunately, I am not a Linux admin (rather a Windows one) and I am not sure I will provide the right logs (and how to do it). The troubleshooting from my side was done mainly via the Windows Server event log, where I found what's described above. That's the reason I included that detailed information, so that a Linux guy can reproduce the issue without making (potential) configuration mistakes and see the result on their side. For example, in the DCs' security event log, I found out that NC sends the UPN prefix to the DC as a samAccountName, while it should not do that. It should send the whole UPN (john.doe@ncdomain.test). Or, if just doing a lookup based on the UPN or email, NC should look up the user account, get its samAccountName and use it, along with the password provided by the user. And NC definitely does not do it that way, which is the reason the authentication fails (again, as described in the original post). However, if you tell me how to get some logs, I will do it to show the behavior in a more objective way. Well, I will try, at least :)
Ah, I guess I see what you mean. The %uid placeholder is replaced by whatever the user puts into the login name field on login. The login attributes are not parsed, and nothing is done to the user-provided login name.
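The lookup-then-bind flow the two maintainer comments above describe, as an added example that is not Nextcloud's code: the login name typed by the user is substituted literally for %uid in a login filter covering samAccountName, userPrincipalName and mail, the filter is evaluated to find exactly one DN, and the bind is then done with that DN and the password. The directory entries, the filter text and the minimal filter evaluator are constructed for illustration; the sample user has a samAccountName, a UPN prefix and a mail prefix that all differ, as in this report. The RFC 4515 escaping of the substituted value is included because any code that splices user input into a filter needs it, not as a statement about what Nextcloud does or does not do.

```python
"""Lookup-then-bind login against a small AD-like directory.

Added example, not Nextcloud code. The directory contents, the login filter
and the minimal filter evaluator are all constructed for illustration.
"""
import re

# Constructed entries. samAccountName, the UPN prefix and the mail prefix of
# John Doe deliberately differ, as in the report. objectClass is kept as a
# single string and the "password" field stands in for the bind credential.
DIRECTORY = {
    "CN=John Doe,OU=Users,DC=ncdomain,DC=test": {
        "objectClass": "user",
        "samAccountName": "jdoe",
        "userPrincipalName": "john.doe@ncdomain.test",
        "mail": "johnny@ncdomain.test",
        "password": "correct horse",
    },
    "CN=Jane Roe,OU=Users,DC=ncdomain,DC=test": {
        "objectClass": "user",
        "samAccountName": "jroe",
        "userPrincipalName": "jane.roe@ncdomain.test",
        "mail": "jane@ncdomain.test",
        "password": "battery staple",
    },
}

# Login filter in the style of the one described in the report: one %uid
# placeholder, several login attributes (assumed shape, not a quoted config).
LOGIN_FILTER = ("(&(objectClass=user)"
                "(|(samAccountName=%uid)(userPrincipalName=%uid)(mail=%uid)))")


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter, so that '*', '(',
    ')' and '\\' typed into the login field cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Parse the filter component starting at s[i] == '(' and return
    (node, index after its closing paren). Supports &, | and equality."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        assert s[i] == ")"
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, _unescape(val)), j + 1


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, val = node
    actual = entry.get(attr)
    # AD compares these attributes case-insensitively; no wildcard support here.
    return actual is not None and actual.lower() == val.lower()


def search(login_name):
    """Substitute the login name literally for %uid and return matching DNs."""
    filt = LOGIN_FILTER.replace("%uid", escape_filter_value(login_name))
    node, _ = _parse(filt, 0)
    return [dn for dn, entry in DIRECTORY.items() if _matches(node, entry)]


def login(login_name, password):
    """The login name only selects the DN; the bind uses DN + password.
    Returns (outcome, dn)."""
    dns = search(login_name)
    if len(dns) != 1:
        return ("no-unique-match", None)
    dn = dns[0]
    if DIRECTORY[dn]["password"] != password:   # simulated bind failure
        return ("bind-failed", dn)
    return ("ok", dn)


def demo():
    """The four login forms from the report, tried with the right password."""
    forms = ["jdoe", "NCDOMAIN\\jdoe",
             "john.doe@ncdomain.test", "johnny@ncdomain.test"]
    return {form: login(form, "correct horse")[0] for form in forms}


if __name__ == "__main__":
    for form, outcome in demo().items():
        print("%-26s -> %s" % (form, outcome))
```

Under literal substitution the samAccountName, UPN and mail forms all select the same DN and the bind succeeds, while DOMAIN\user matches no attribute at all, so that form can only work if something strips the domain part before the search. Which of these the real deployment does is exactly what the Nextcloud log requested above would show; the DC's audit log only sees the name that arrives in the bind.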
Hey, this issue has been closed because the label (This is an automated comment from GitMate.io.) |
Steps to reproduce
Expected behaviour
Since the search filter includes the UPN, samAccountName and mail attributes, when a user tries to log on (via the login GUI page), NC should log them in with either:
This means that, for option 2, NC should strip the domain part and the "\" and just use the username as samAccountName. And for options 3 and 4, NC should search for the right user account based on the information provided by the user, then query for either its UPN or samAccountName and use any of those for logging in (sending them to the domain controller). However...
Actual behaviour
...NC only manages to log the user on using option 1, samAccountName only - jdoe and password. The other three options lead to "wrong username or password", and the Security event log on the domain controller shows an Audit Failure for the account, as follows:
Option 2 - NULL SID
Option 3 - john.doe
Option 4 - johnny
It seems that NC strips the domain component from options 3 and 4 and leaves the leftmost part (the prefix before @), trying to use it as the samAccountName attribute. However, because in this setup the samAccountName, UPN prefix and email address prefix are NOT the same, logon fails. As for option 2 (domain\username), I don't have any clue what is going on under NC's hood...
Server configuration detail
Operating system: Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64
Webserver: Apache/2.4.18 (Ubuntu) (apache2handler)
Database: mysql 10.2.12
PHP version: 7.0.28-0ubuntu0.16.04.1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, redis, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, imagick, imap, intl, json, ldap, exif, mcrypt, mysqli, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, readline, shmop, SimpleXML, smbclient, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, libsmbclient, Zend OPcache
Nextcloud version: 13.0.1 - 13.0.1.1
Where did you install Nextcloud from: unknown
Are you using encryption: no
Client configuration
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36