[ZendTo] alternate AD attribute

Jules Field Jules at Zend.To
Fri May 3 09:20:00 BST 2019


Travis,

On 02/05/2019 20:00, Travis Zimmerman wrote:
> Username, but it looks like it’s more complicated. I just got out of a 
> meeting and one of the AD admins gave me several examples of student 
> attribute listing. Looking at the attributes and their values there 
> isn’t actually a specific username, there is a unique identifier by 
> way of an ID number; and then there are several different attributes 
> with the student’s e-mail address.
>
> So I think for right now I may have to hack together a fix for my 
> specific problem and then talk to you about a possible way to 
> incorporate it into the code in a more general way that may be useful 
> for others. 🤷‍♂️
That sounds like a good idea. :)
>
> If I’m reading the NSSADAuthenticator.php correctly, you compare their 
> username against “sAMAccountName” but before you do that if someone 
> logged in with an e-mail address, you remove the @domain part.
> I don’t suppose the @domain that gets chopped off is stored in a 
> variable that I could use for comparisons to force a different search 
> using the full e-mail address against a different attribute? If not 
> I’ll work out something.
I chop off the domain part, as a lot of people (certainly here!) will 
tend to type in their whole username at domain.com address rather than just 
their username. Entering the whole of username at domain.com is needed for 
things like Eduroam Wifi (as Eduroam can't authenticate you if it 
doesn't know what Uni you belong to). And with AD-based logins, 
username at domain.com is usually equivalent to DOMAIN\username. So that 
usually works okay too.

I don't think it gets stored anywhere at the moment.

However, the easiest thing for you to do is probably write your own 
authenticator module. Call it something like 
"NSSTravisAuthenticator.php" and then you can refer to it in 
preferences.php as an authenticator called "Travis".
There are only two calls you need to implement: one that checks for a valid 
username and one that checks a username/password pair and retrieves info 
about the user. Get the information you need from wherever you want it, 
and put it into the same members of the class as the other 
authenticators do, and it will work.

Take a look at the NSSLocalAuthenticator.php to see the structure in a 
fairly simple way (NSSStaticAuthenticator.php is the trivial case but 
doesn't tell you much), then see how that maps onto 
NSSADAuthenticator.php. The LDAP authenticator is almost identical to 
the AD one, but is much simpler as it only supports one "forest".

For the preferences.php settings for your authenticator, just make sure 
you don't use any names I've already used.

Then even the "upgrade" and "upgrade_preferences_php" will perfectly 
happily handle your new authenticator module.

That way you aren't changing any of the existing code (as far as 
rpm/dpkg/apt/yum are concerned), you are just adding a whole new file. 
The package managers will leave that alone.

Hope that helps,
Jules.


>
> Again thanks for any help you can provide.
>
> ------------------------------------------------------
> Travis Zimmerman
> tzimmerman at fsu.edu
> 850-645-8030
> Linux Enterprise Applications & Systems
> its-linuxadmins at fsu.edu
> Information Technology Services, Florida State University
>
>> On Apr 30, 2019, at 4:46 AM, Jules Field <Jules at Zend.To> wrote:
>>
>> Travis,
>>
>> Do you mean an alternate attribute for the username, or an alternate 
>> attribute from which to read the user's email address?
>> I'm rather assuming the latter, but may be wrong...
>>
>> Currently it reads the user's email address from the "mail" attribute 
>> in AD; is it the string "mail" that you want to be able to change for 
>> a particular AD forest?
>>
>> Cheers,
>> Jules.
>>
>> On 29/04/2019 19:44, Travis Zimmerman via ZendTo wrote:
>>> Would it be possible to add a variable to the AD auth config to use 
>>> an alternate attribute for the username?
>>> Something like: 'authLDAPAltAttr' => 'preferredEmail',
>>>
>>> Our Microsoft sysadmins had to setup a different AD for students on 
>>> a different domain (my.fsu.edu) from the one 
>>> used by faculty and staff (fsu.edu). For some 
>>> reason at the time they had to store the student e-mail address in a 
>>> different attribute than the standard attribute, in the normal 
>>> attribute they are storing a student ID number.
>>>
>>> Up until now I worked around this problem by using the IMAP 
>>> authentication, not as nice as AD but it did the job to allow 
>>> students to authenticate in, receive e-mail from the ZendTo server, 
>>> and view drop-offs for them in their Inbox.
>>>
>>> We got a new CIO at my university about a month ago and it has been 
>>> decided to shutdown IMAP and SMTP completely, in favor of MAPI with 
>>> MFA only. I found out that this change was being talked about last 
>>> week, upper management came to a decision last Friday and plan to go 
>>> ahead with this change starting next week.
>>>
>>> I appreciate all the work you’ve put into ZendTo over the years.
>>>
>>> ------------------------------------------------------
>>> Travis Zimmerman
>>> tzimmerman at fsu.edu
>>> 850-645-8030
>>> Linux Enterprise Applications & Systems
>>> its-linuxadmins at fsu.edu
>>> Information Technology Services, Florida State University
>>>
>>>
>>> _______________________________________________
>>> ZendTo mailing list
>>> ZendTo at zend.to
>>> http://jul.es/mailman/listinfo/zendto
>>
>> Jules
>>
>> -- 
>> Julian Field MEng CEng CITP MBCS MIEEE MACM
>>
>> 'What happened in the past that was painful, has a great deal to
>>   do with what we are today.' - William Glasser
>>
>> www.Zend.To
>> Twitter: @JulesFM
>

Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'No more impressive warning can be given to those who would confine
  knowledge and research to what is apparently useful, than the
  reflection that conic sections were studied for eighteen hundred
  years merely as an abstract science, without regard to any utility
  other than to satisfy the craving for knowledge on the part of
  mathematicians, and that then at the end of this long period of
  abstract study, they were found to be the necessary key with which
  to attain the knowledge of the most important laws of nature.'
  - Alfred North Whitehead

www.Zend.To
Twitter: @JulesFM
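One way to lay out such a module, as an added example written for this page rather than code from ZendTo or from Jules: a PHP authenticator that keeps the domain-stripping behaviour described above for the staff forest, but for logins ending in the student domain searches an alternate attribute with the full address instead of sAMAccountName. The base class name, the two method names, the by-reference $uname and the $response keys are assumptions taken from the description in this thread, not verified against ZendTo; copy the real ones from NSSLocalAuthenticator.php and NSSADAuthenticator.php as suggested. Hosts, base DNs, the service-account credentials and the attribute name preferredEmail are placeholders.

```php
<?php
// NSSTravisAuthenticator.php -- added example, not ZendTo's own code.
// ASSUMPTIONS: the base class NSSAuthenticator, the methods validUsername()
// and authenticate(), and the $response keys are guesses; copy the real
// ones from NSSLocalAuthenticator.php in your install. Hosts, base DNs and
// the service-account credentials below are placeholders.
require_once 'NSSAuthenticator.php';

class NSSTravisAuthenticator extends NSSAuthenticator
{
    // Per-domain rules: which attribute holds the login, and whether the
    // whole address (useFullLogin) or only the local part is searched for.
    private static $domains = array(
        'fsu.edu'    => array('attr' => 'sAMAccountName', 'useFullLogin' => false,
                              'host' => 'ldaps://dc.fsu.edu',    'base' => 'DC=fsu,DC=edu'),
        'my.fsu.edu' => array('attr' => 'preferredEmail', 'useFullLogin' => true,
                              'host' => 'ldaps://dc.my.fsu.edu', 'base' => 'DC=my,DC=fsu,DC=edu'),
    );
    private static $defaultDomain = 'fsu.edu';   // bare "username" means staff forest

    // Work out which forest/attribute a typed login maps to and build the
    // search filter. Returns null for anything that does not fit, so the
    // callers fail closed.
    public static function lookupFor($login)
    {
        $login = trim($login);
        if ($login === '' || preg_match('/[\x00-\x1f]/', $login)) {
            return null;
        }
        $at     = strrpos($login, '@');
        $domain = ($at === false) ? self::$defaultDomain : strtolower(substr($login, $at + 1));
        $local  = ($at === false) ? $login : substr($login, 0, $at);
        if ($local === '' || !isset(self::$domains[$domain])) {
            return null;                         // unknown domain: not ours
        }
        $rule  = self::$domains[$domain];
        $value = $rule['useFullLogin'] ? $local . '@' . $domain : $local;
        // LDAP_ESCAPE_FILTER neutralises * ( ) \ and NUL, so a login such as
        // "*)(objectClass=*" cannot widen the search to other accounts.
        $rule['filter'] = sprintf('(&(objectClass=user)(%s=%s))',
                                  $rule['attr'], ldap_escape($value, '', LDAP_ESCAPE_FILTER));
        return $rule;
    }

    public function validUsername($uname)
    {
        return self::lookupFor($uname) !== null;
    }

    public function authenticate(&$uname, $password, &$response)
    {
        $rule = self::lookupFor($uname);
        // An empty password must be refused before any bind: AD treats a bind
        // with an empty password as unauthenticated and reports success.
        if ($rule === null || $password === '') {
            return false;
        }
        $conn = ldap_connect($rule['host']);
        if (!$conn) {
            return false;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        // Search with a read-only service account (placeholder credentials).
        if (!@ldap_bind($conn, 'CN=zendto-ro,OU=Service,' . $rule['base'], 'service-account-password')) {
            return false;
        }
        $wanted  = array('sAMAccountName', 'mail', 'preferredEmail', 'displayName', 'cn');
        $res     = ldap_search($conn, $rule['base'], $rule['filter'], $wanted, 0, 2);
        $entries = $res ? ldap_get_entries($conn, $res) : false;
        // Exactly one match or nothing: two accounts sharing an address is a
        // directory problem, not something to resolve by picking the first.
        if (!$entries || $entries['count'] !== 1) {
            return false;
        }
        $e = $entries[0];                         // attribute names are lower-cased here
        // Verify the password by binding as the user's own DN; never by
        // comparing a stored attribute.
        if (!@ldap_bind($conn, $e['dn'], $password)) {
            return false;
        }
        // Canonical ZendTo username is the AD account name, whatever was typed.
        $uname = strtolower($e['samaccountname'][0]);
        $response['uid']         = $uname;
        // In the student forest "mail" holds an ID number, so prefer the
        // alternate attribute and fall back to "mail" only if it is absent.
        $response['mail']        = isset($e['preferredemail'][0]) ? $e['preferredemail'][0] : $e['mail'][0];
        $response['displayName'] = isset($e['displayname'][0]) ? $e['displayname'][0] : $e['cn'][0];
        return true;
    }
}
```

Two details matter more than which attribute is searched: every value that reaches the filter goes through ldap_escape() with LDAP_ESCAPE_FILTER, and the password is checked by a bind as the located DN after an explicit empty-password rejection. The preferences.php entry that names this authenticator "Travis" is not shown, since its exact keys depend on the installed version.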
