<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Travis,<br>
<br>
<div class="moz-cite-prefix">On 02/05/2019 20:00, Travis Zimmerman
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:WM!f017aadf46d5937b7f9ff5adc63e3e628a33e6edb2acc4eb89547b27871de47194b07913198c6dfec0260e6ed3f99ea3!@mx.jul.es">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Username, but it looks like it’s more complicated. I just got out
of a meeting and one of the AD admins gave me several examples of
student attribute listing. Looking at the attributes and their
values there isn’t actually a specific username, there is a unique
identifier by way of an ID number; and then there are several
different attributes with the student’s e-mail address.
<div class=""><br class="">
</div>
<div class="">So I think for right now I may have to hack together
a fix for my specific problem and then talk to you about a
possible way to incorporate it into the code in a more general
way that may be useful for others. 🤷‍♂️</div>
</blockquote>
That sounds like a good idea. :)<br>
<blockquote type="cite"
cite="mid:WM!f017aadf46d5937b7f9ff5adc63e3e628a33e6edb2acc4eb89547b27871de47194b07913198c6dfec0260e6ed3f99ea3!@mx.jul.es">
<div class=""><br class="">
</div>
<div class="">If I’m reading the NSSADAuthenticator.php correctly,
you compare their username against “sAMAccountName” but before
you do that if someone logged in with an e-mail address, you
remove the @domain part.</div>
<div class="">I don’t suppose the @domain that gets chopped off is
stored in a variable that I could use for comparisons to force a
different search using the full e-mail address against a
different attribute? If not I’ll work out something.</div>
</blockquote>
I chop off the domain part, as a lot of people (certainly here!)
will tend to type in their whole <a class="moz-txt-link-abbreviated" href="mailto:username@domain.com">username@domain.com</a> address rather
than just their username. Entering the whole of <a class="moz-txt-link-abbreviated" href="mailto:username@domain.com">username@domain.com</a>
is needed for things like Eduroam Wifi (as Eduroam can't
authenticate you if it doesn't know what Uni you belong to). And
with AD-based logins, <a class="moz-txt-link-abbreviated" href="mailto:username@domain.com">username@domain.com</a> is usually equivalent to
DOMAIN\username. So that usually works okay too.<br>
<br>
I don't think it gets stored anywhere at the moment.<br>
<br>
However, the easiest thing for you to do is probably write your own
authenticator module. Call it something like
"NSSTravisAuthenticator.php" and then you can refer to it in
preferences.php as an authenticator called "Travis".<br>
There are only 2 calls you need to implement. 1 that checks for a
valid username and 1 that checks a username/password pair and
retrieves info about the user. Get the information you need from
wherever you want it, and put it into the same members of the class
as the other authenticators do, and it will work.<br>
<br>
Take a look at the NSSLocalAuthenticator.php to see the structure in
a fairly simple way (NSSStaticAuthenticator.php is the trivial case
but doesn't tell you much), then see how that maps onto
NSSADAuthenticator.php. The LDAP authenticator is almost identical
to the AD one, but is much simpler as it only supports one "forest".<br>
<br>
For the preferences.php settings for your authenticator, just make
sure you don't use any names I've already used.<br>
<br>
Then even the "upgrade" and "upgrade_preferences_php" will perfectly
happily handle your new authenticator module.<br>
<br>
That way you aren't changing any of the existing code (as far as
rpm/dpkg/apt/yum are concerned), you are just adding a whole new
file. The package managers will leave that alone.<br>
<br>
Hope that helps,<br>
Jules.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:WM!f017aadf46d5937b7f9ff5adc63e3e628a33e6edb2acc4eb89547b27871de47194b07913198c6dfec0260e6ed3f99ea3!@mx.jul.es">
<div class=""><br class="">
</div>
<div class="">Again thanks for any help you can provide.</div>
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;" class="">
<div style="orphans: 2; widows: 2;" class="">------------------------------------------------------</div>
<div style="orphans: 2; widows: 2;" class="">Travis
Zimmerman<span class="Apple-tab-span" style="white-space: pre;">
</span><a href="mailto:tzimmerman@fsu.edu" class=""
moz-do-not-send="true">tzimmerman@fsu.edu</a><span class="Apple-tab-span" style="white-space: pre;">
</span>850-645-8030</div>
<div style="orphans: 2; widows: 2;" class="">
<div class="">Linux Enterprise Applications &amp; Systems<span class="Apple-tab-span" style="white-space: pre;">
</span><a href="mailto:its-linuxadmins@fsu.edu" class=""
moz-do-not-send="true">its-linuxadmins@fsu.edu</a></div>
<div class="">Information Technology Services, Florida
State University</div>
</div>
</div>
</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Apr 30, 2019, at 4:46 AM, Jules Field &lt;<a
href="mailto:Jules@Zend.To" class=""
moz-do-not-send="true">Jules@Zend.To</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">Travis,<br
class="">
<br class="">
Do you mean an alternate attribute for the username, or
an alternate attribute from which to read the user's
email address?<br class="">
I'm rather assuming the latter, but may be wrong...<br
class="">
<br class="">
Currently it reads the user's email address from the
"mail" attribute in AD; is it the string "mail" that you
want to be able to change for a particular AD forest?<br
class="">
<br class="">
Cheers,<br class="">
Jules.<br class="">
<br class="">
<div class="moz-cite-prefix">On 29/04/2019 19:44, Travis
Zimmerman via ZendTo wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:WM!34928f50d1e542023efee6bfe83be1c470660949703bffafce8c6f4178edad8b8c7faf56bbb71c28f0ef373d9e32c2a0!@mx.jul.es"
class="">
<div class="">Would it be possible to add a variable
to the AD auth config to use an alternate attribute
for the username?</div>
<div class="">Something like:<span class="Apple-tab-span" style="white-space:pre">
</span>'authLDAPAltAttr' =&gt; 'preferredEmail',</div>
<div class=""><br class="">
</div>
<div class="">Our Microsoft sysadmins had to set up a
different AD for students on a different domain (<a
href="http://my.fsu.edu/" class=""
moz-do-not-send="true">my.fsu.edu</a>) from the
one used by faculty and staff (<a
href="http://fsu.edu/" class=""
moz-do-not-send="true">fsu.edu</a>). For some
reason at the time they had to store the student
e-mail address in a different attribute than the
standard attribute; in the normal attribute they are
storing a student ID number.</div>
<div class=""><br class="">
</div>
<div class="">Up until now I worked around this
problem by using the IMAP authentication, not as
nice as AD but it did the job to allow students to
authenticate in, receive e-mail from the ZendTo
server, and view drop-offs for them in their Inbox.</div>
<div class=""><br class="">
</div>
<div class="">We got a new CIO at my university about
a month ago and it has been decided to shut down IMAP
and SMTP completely, in favor of MAPI with MFA only.
I found out that this change was being talked about
last week; upper management came to a decision last
Friday and plan to go ahead with this change
starting next week.</div>
<div class=""><br class="">
</div>
<div class="">I appreciate all the work you’ve put
into ZendTo over the years.</div>
<br class="">
<div class="">
<div style="letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space; line-break:
after-white-space;" class="">
<div style="orphans: 2; widows: 2;" class="">------------------------------------------------------</div>
<div style="orphans: 2; widows: 2;" class="">Travis
Zimmerman<span class="Apple-tab-span" style="white-space: pre;">
</span><a href="mailto:tzimmerman@fsu.edu" class=""
moz-do-not-send="true">tzimmerman@fsu.edu</a><span class="Apple-tab-span" style="white-space: pre;">
</span>850-645-8030</div>
<div style="orphans: 2; widows: 2;" class="">
<div class="">Linux Enterprise Applications
&amp; Systems<span class="Apple-tab-span" style="white-space: pre;">
</span><a href="mailto:its-linuxadmins@fsu.edu" class=""
moz-do-not-send="true">its-linuxadmins@fsu.edu</a></div>
<div class="">Information Technology Services,
Florida State University</div>
</div>
</div>
</div>
<br class="">
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to" moz-do-not-send="true">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="https://urldefense.proofpoint.com/v2/url?u=http-3A__jul.es_mailman_listinfo_zendto&d=DwMDaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=TZ3x4Nnv5Pp03uwRWF9UlLOaC296m8a1MGVEkWJljsg&m=Ky15pezwlDoQcfjl_3RZsdfB5VdZYIPMvFC_uDgO6YA&s=EcKKZFVwDujx3aSUu3dGlvXh-eVwOT-rNcQuXml2qJw&e=" moz-do-not-send="true">http://jul.es/mailman/listinfo/zendto</a>
</pre>
</blockquote>
<br class="">
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'What happened in the past that was painful, has a great deal to
do with what we are today.' - William Glasser
<a class="moz-txt-link-abbreviated" href="https://urldefense.proofpoint.com/v2/url?u=http-3A__www.Zend.To&d=DwMDaQ&c=HPMtquzZjKY31rtkyGRFnQ&r=TZ3x4Nnv5Pp03uwRWF9UlLOaC296m8a1MGVEkWJljsg&m=Ky15pezwlDoQcfjl_3RZsdfB5VdZYIPMvFC_uDgO6YA&s=7VwiZXK634fmUzQAubkdp5Qajj1qVnqk1n-f4bggYLU&e=" moz-do-not-send="true">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'No more impressive warning can be given to those who would confine
knowledge and research to what is apparently useful, than the
reflection that conic sections were studied for eighteen hundred
years merely as an abstract science, without regard to any utility
other than to satisfy the craving for knowledge on the part of
mathematicians, and that then at the end of this long period of
abstract study, they were found to be the necessary key with which
to attain the knowledge of the most important laws of nature.'
- Alfred North Whitehead
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
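<br>
The lookup discussed in this thread (keep the @domain part of the login instead of discarding it, and use it to search a different attribute with the full address), as an added example that is not part of the original e-mail and is not ZendTo code. All function names and the domain-to-attribute mapping are hypothetical; only "sAMAccountName", "preferredEmail" and the my.fsu.edu domain come from the messages above. It also escapes the login before it goes into the search filter.<br>

```php
<?php
// Added example: every name below is hypothetical, none is ZendTo's own API.

// Constructed mapping: mail domains whose directory holds the address in a
// non-standard attribute ('preferredEmail' is the attribute named in the thread).
const ALT_ATTR_BY_DOMAIN = ['my.fsu.edu' => 'preferredEmail'];

// Escape a value for an LDAP search filter (RFC 4515 special characters).
// With the LDAP extension loaded, ldap_escape($v, '', LDAP_ESCAPE_FILTER)
// serves the same purpose.
function escapeFilterValue(string $value): string
{
    return preg_replace_callback('/[\\\\*()\x00]/', function ($m) {
        return sprintf('\\%02x', ord($m[0]));
    }, $value);
}

// Split a login at the last '@', keeping the domain instead of discarding it.
function splitLogin(string $login): array
{
    $login = trim($login);
    $at = strrpos($login, '@');
    if ($at === false) {
        return ['user' => $login, 'domain' => null];
    }
    return ['user' => substr($login, 0, $at),
            'domain' => strtolower(substr($login, $at + 1))];
}

// Choose the attribute to search and build the filter for one login.
function buildUserFilter(string $login): string
{
    $p = splitLogin($login);
    if ($p['user'] === '') {
        throw new InvalidArgumentException('empty username');
    }
    if ($p['domain'] !== null && array_key_exists($p['domain'], ALT_ATTR_BY_DOMAIN)) {
        $attr = ALT_ATTR_BY_DOMAIN[$p['domain']];
        return sprintf('(%s=%s)', $attr, escapeFilterValue($p['user'] . '@' . $p['domain']));
    }
    return sprintf('(sAMAccountName=%s)', escapeFilterValue($p['user']));
}

// Constructed sample logins.
foreach (['jdoe', 'jdoe@fsu.edu', 'jdoe@my.fsu.edu', 'j*doe)@MY.FSU.EDU'] as $login) {
    printf("%-20s %s\n", $login, buildUserFilter($login));
}
```

Logins with no domain, or with a domain that is not in the mapping, fall back to the sAMAccountName search on the bare username, which matches the behaviour described in the reply above.<br>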
</body>
</html>