User uid does not match as it is interpreted case sensitive #406

Closed
mpibpc-mroose opened this issue Mar 5, 2020 · 5 comments

@mpibpc-mroose

Given I have my NextCloud configured with LDAP Authentication and want to provide additional SAML authentication provided by KeyCloak. In the default configuration LDAP uses the objectGUID of LDAP as username and stores it uppercase.

KeyCloak on the other side stores that ID in lower case and there seems to be no possibility to deliver that as upper case SAML attribute.

So there is no possibility "to match" users from LDAP and SAML:


Is there any possibility to make the UID matching case insensitive?

@blizzz
Member

blizzz commented Apr 20, 2020

User IDs are case sensitive in Nextcloud. The SP config has to ensure the matching value is being passed to Nextcloud.

blizzz closed this as completed Apr 20, 2020

@tgurr

tgurr commented Feb 9, 2021

@mpibpc-mroose Have you ever been able to find a solution for that? I'm running into the same issue when trying to use Keycloak in combination with Active Directory. There is no attribute I don't run into the problem with; nothing works due to Nextcloud being case sensitive: UUID, sAMAccountName, userPrincipalName, mail, ...

@cluck

cluck commented Sep 18, 2024

Not exactly pertinent to OP's issue, but sharing the same root limitation: if you're using user_saml to enable Kerberos/NEGOTIATE login, you may find yourself in the position that Nextcloud derives uppercase user_ids from LDAP objectGUID, while the uniqueID retrieved from SSSD via Apache's LookupUserAttr is lowercase.

You'll be able to convert the lowercase uniqueID to uppercase using ProxyFCGISetEnvIf:

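<Location "/apps/user_saml/saml/login">
    <IfModule mod_auth_gssapi.c>
        # Look up the user's uniqueID (via SSSD) and expose it as REMOTE_USER_USERID
        LookupUserAttr uniqueID REMOTE_USER_USERID " "
    </IfModule>
</Location>
# Uppercase the looked-up value and pass it to the FastCGI backend under a new variable
ProxyFCGISetEnvIf "toupper(reqenv('REDIRECT_REMOTE_USER_USERID')) =~ m|(.+)|" REDIRECT_REMOTE_USER_USERID_UCASE "$1"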

Then you'll need to point user_saml to read REDIRECT_REMOTE_USER_USERID_UCASE as "uid".

Maybe the same can be used to work around nextcloud/server#44486

@Kurg4ch

Kurg4ch commented Dec 18, 2024

Hello everyone, has anyone found a solution to this problem?

@tgurr

tgurr commented Dec 18, 2024

> Hello everyone, has anyone found a solution to this problem?

@Kurg4ch Not a solution but a workaround implemented on the Keycloak side via JavaScript to transform the lowercase item (LDAP_ID/UUID in this case) to uppercase to allow things to match, see keycloak/keycloak#15312 for details. Still having to live with this hack to this date.
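
As an added example (not part of the thread and not code from user_saml or Keycloak): a small Python check that compares the uid values an IdP asserts against the user IDs the backend already holds. It separates pure case mismatches, which the case-normalising workarounds in this thread can fix, from IDs that collide once case is ignored. The function name and all sample IDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data, not taken from the issue.
BACKEND_IDS = [
    "3F2504E0-4F89-11D3-9A0C-0305E82C3301",  # uppercase GUID string, as stored from LDAP
    "JDoe",
    "Alice",
    "alice",  # differs from "Alice" only by case
]
ASSERTED_UIDS = [
    "3f2504e0-4f89-11d3-9a0c-0305e82c3301",  # same GUID, lowercase from the IdP
    "JDoe",
    "ALICE",
    "nobody",
]


def classify_uids(backend_ids, asserted_uids):
    """Return {asserted uid: (status, candidate backend IDs)}."""
    exact = set(backend_ids)
    by_folded = defaultdict(list)
    for backend_id in backend_ids:
        by_folded[backend_id.casefold()].append(backend_id)

    report = {}
    for uid in asserted_uids:
        if uid in exact:
            # A case-sensitive comparison already succeeds.
            report[uid] = ("exact", [uid])
            continue
        candidates = sorted(by_folded.get(uid.casefold(), []))
        if not candidates:
            status = "unknown"  # no backend ID matches even when case is ignored
        elif len(candidates) == 1:
            status = "case-mismatch"  # fixable by normalising case before the SP
        else:
            status = "ambiguous"  # case normalisation alone cannot pick one account
        report[uid] = (status, candidates)
    return report


if __name__ == "__main__":
    results = classify_uids(BACKEND_IDS, ASSERTED_UIDS)
    for uid, (status, candidates) in results.items():
        print(f"{uid:40} {status:14} {candidates}")
```

An "ambiguous" result means two case-sensitive IDs fold to the same value, so a mapper that only changes case cannot select the intended account.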
