AAD invited users #61

Closed
oleksandrmeleshchuk-epm opened this issue Jul 17, 2023 · 9 comments

Comments

@oleksandrmeleshchuk-epm

Is it possible to have AAD invited users in the LDAP-wrapper?

Let's say there are:

  1. AAD tenant;
  2. current tenant users (working fine)
  3. invited users (member/guest type)

As of right now, users are imported into the LDAP-wrapper, but while trying to fetch any data (using ldap search) I'm getting a "no such object" error.

@ahaenggli (Owner)

It is important to note that the LDAP-wrapper only partially supports invited users from Azure Active Directory (AAD). Invited users must be from another AAD tenant. Personal Microsoft Accounts, such as outlook.com, hotmail.com, or live.com, are not compatible with the LDAP-wrapper due to Microsoft's restrictions. Similarly, guests without an AAD are also not supported for the same reason.

If you encounter issues with these "failing" users, they should be logged when you start the wrapper. However, if you have an invited user whose invitation has been accepted, the user will be synchronized with the LDAP-wrapper. It is worth mentioning that invited users will retain their original domain as part of their name in the LDAP entry to avoid duplicate entries.

For example, if your domain is domain.tld and you invited sample@example.com, the corresponding LDAP entry for this user would be uid=sample_example.com,cn=users,dc=domain,dc=tld.

@oleksandrmeleshchuk-epm (Author)

Thanks for the prompt reply.

  1. Invited user is from another AAD tenant (not live.com, not a guest without AAD)
  2. Error message (screenshot attached)
     2.1. AAD sign-in log (screenshots attached)
  3. User does exist in the LDAP DB (screenshot attached), but as you can see from the screenshot the attribute sambaNTPassword is equal to xxxxxxxxxxxxxxxxxxx and sambaPwdLastSet is equal to 0, rather than the values for a user which was created inside of the original AAD tenant (screenshots below).

Regarding the userPrincipalName attribute change:

  1. While users are invited they are created with an #ext# prefix in the UPN
     1.1. The LDAP-wrapper imports the user with this prefix, which afterwards causes the LDAP client not to be able to read the properties of these users (most probably due to some issue with special symbol processing; I'm using LDAP Admin)

As an optional solution, changing the UPN (removing the prefix) fixes this, without breaking further user sync from AAD.

@ahaenggli (Owner)

Are you trying to query the LDAP server or just log in?
Are you using the latest version? Logins with the #EXT# prefix have been working for me since v2.0.0.
An external user is saved in your azure.json (inside the mapped folder) like this:

[screenshot of the azure.json entry]

For login/bind you can use just the regular username as in AzureADuserPrincipalName.
For querying you have to use the "internal" naming with _ instead of @ as in cn. Maybe this PowerShell example is helpful:

```powershell
$ldap_server = "127.0.0.1"
$ldap_port   = 13389
$ldap_bind   = "uid=sample@example.com"        # bind with the regular username (AzureADuserPrincipalName)
$ldap_pass   = "mySamplePWD@secure"
$ldap_uid_for_query = "uid=sample_example.com" # query with the internal name: _ instead of @
$base        = "dc=domain,dc=tld"

# Get-LdapConnection and Find-LdapObject come from the S.DS.P module
#Install-Module -Name S.DS.P
Import-Module S.DS.P
Add-Type -AssemblyName System.DirectoryServices.Protocols

# build the credential from a secure string ($pwd is avoided, it is an automatic variable)
$securePwd = ConvertTo-SecureString -String $ldap_pass -AsPlainText -Force
$cred = New-Object PSCredential($ldap_bind, $securePwd)
$Ldap = Get-LdapConnection -LdapServer $ldap_server -Credential $cred -AuthType Basic -Port $ldap_port

Write-Output "(&($($ldap_bind))(objectClass=*))"
$SearchResults = Find-LdapObject -LdapConnection $Ldap -SearchFilter "(&($($ldap_bind))(objectClass=*))" -SearchBase $base -PropertiesToLoad 'dn'
Write-Output "Query for bind user -> returns nothing:"
Write-Output $SearchResults

Write-Output "--- --- ---"

Write-Output "(&($($ldap_uid_for_query))(objectClass=*))"
$SearchResults = Find-LdapObject -LdapConnection $Ldap -SearchFilter "(&($($ldap_uid_for_query))(objectClass=*))" -SearchBase $base -PropertiesToLoad 'dn'
Write-Output "Query for _-user should return something:"
Write-Output $SearchResults
```

@oleksandrmeleshchuk-epm (Author)

Hi,

  1. I'm trying to test login using a user invited as Member to the AAD; the attribute used for the username is: mail (as I mentioned previously, auth does work for the AAD users, but not for invited users)
  2. I'm using the latest docker image (screenshots attached)
  3. Yes, invited AAD user records were created in the azure.json and users.json files (screenshots attached)

@ahaenggli (Owner)

Thank you very much for the details. Your user is not recognized as external (AzureADuserExternal is 0 instead of 1). Based on your users.json entry, the userType seems to be Member while I would expect Guest...
I will improve the detection of external users with the next version.

@ahaenggli (Owner)

An improved version is now in the Docker DEV tag. Feel free to try it out :)

@oleksandrmeleshchuk-epm (Author)

I've just tried the DEV tag docker image and the results are:

  1. Invited user with Member type, created after the AAD, works fine (auth successful)
  2. User created within the original AAD works fine
  3. User (from another AAD) which was used to create the original AAD doesn't work; error message from the user sync process (screenshot attached)
     3.1. User auth attempt error message (screenshot attached)
     3.2. This is how the users in the AAD look (screenshot attached)

The user was able to auth only after:

  1. removing the user mentioned above (the one who created the original AAD) from it
  2. inviting the user again to the AAD
  3. changing the status to Member
  4. removing the files from the data/* folder
  5. restarting the docker container

So my initial question is now resolved :)

Thank you

@noque-lind

Sorry for revisiting this case. For me guest users work with the initial login (Synology DSM). However, I have not been able to make SMB authentication work for these guest users when using their original UPN.

I can log these users in when using the guest UPN, as in the attached screenshot.

Is there any way to work around this?

[screenshot, 2024-01-05]

@ahaenggli (Owner)

Samba (or maybe the Windows OS, I'm not sure here) cuts off the domain. If you enter alice@external.com the LDAP-wrapper receives only alice. As a workaround (assuming you're using the latest version) you could try replacing the @ with an underscore _ in the SMB auth for guest users. So by using alice_external.com as the username it should send everything to the wrapper, but only for guest users.
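
As an added example (illustrative Node.js written for this thread, not code from the AzureAD-LDAP-wrapper project), the snippet below puts the naming rules discussed in this issue in one place: the "@ to _" name used for querying an invited user (the same name the SMB workaround above sends, since it contains no "@" for Samba to cut off), a DN and an RFC 4515-escaped search filter built from that name so characters such as "#", "(" or "*" in a UPN cannot break or widen the query, and an external-user check that does not rely on userType alone, because an invited user promoted to Member keeps the #EXT# form of the UPN. The cn=users container, the base DN, the sample user objects and the assumption that tenant users use the local part of their UPN as uid are constructed for this example.

```javascript
// Added example, not code from the AzureAD-LDAP-wrapper project.
// Naming rules from the thread, applied to constructed sample users:
//   tenant user   bob@domain.tld     -> uid=bob                 (assumed: local part of the UPN)
//   invited user  sample@example.com -> uid=sample_example.com  ('@' replaced by '_')
//   #EXT# UPN     alice_external.com#EXT#@domain.onmicrosoft.com -> uid=alice_external.com

// RFC 4515: escape characters that are special inside a search filter, so a
// value such as alice_external.com#EXT#@domain.onmicrosoft.com or a stray
// '(' or '*' cannot break or widen the filter.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// RFC 4514: escape an attribute value placed in a DN (separator characters,
// a leading '#' or space, and a trailing space).
function escapeDnValue(value) {
  let s = String(value).replace(/([\\,+"<>;=])/g, "\\$1");
  if (/^[ #]/.test(s)) s = "\\" + s;
  if (/[^\\] $/.test(s)) s = s.slice(0, -1) + "\\ ";
  return s;
}

// External-user check. userType alone is not enough: an invited user who was
// promoted to Member keeps the "#EXT#" marker in the UPN, so that is checked too.
function isExternalUser(user) {
  const upn = (user.userPrincipalName || "").toLowerCase();
  return user.userType === "Guest" || upn.includes("#ext#");
}

// The "internal" uid used for querying, as described in the thread.
function ldapUid(user) {
  const upn = (user.userPrincipalName || "").toLowerCase();
  const ext = upn.indexOf("#ext#");
  if (ext !== -1) return upn.slice(0, ext);           // already in local_domain form
  if (isExternalUser(user)) return (user.mail || upn).toLowerCase().replace("@", "_");
  return upn.split("@")[0];                            // assumption: tenant users keep the local part
}

// DN of the entry, e.g. uid=sample_example.com,cn=users,dc=domain,dc=tld
function userDn(user, baseDn) {
  return `uid=${escapeDnValue(ldapUid(user))},cn=users,${baseDn}`;
}

// Filter for *querying* the entry; binding still uses the regular '@' username.
function searchFilter(user) {
  return `(&(uid=${escapeFilterValue(ldapUid(user))})(objectClass=*))`;
}

// Constructed sample data (not real tenant data).
const BASE_DN = "dc=domain,dc=tld";
const SAMPLE_USERS = [
  { userPrincipalName: "bob@domain.tld", mail: "bob@domain.tld", userType: "Member" },
  { userPrincipalName: "sample_example.com#EXT#@domain.onmicrosoft.com",
    mail: "sample@example.com", userType: "Guest" },
  // invited and then promoted to Member: userType no longer says "Guest"
  { userPrincipalName: "alice_external.com#EXT#@domain.onmicrosoft.com",
    mail: "alice@external.com", userType: "Member" },
];

// One row per sample user: external flag, DN and query filter.
function demo() {
  return SAMPLE_USERS.map((u) => ({
    external: isExternalUser(u),
    dn: userDn(u, BASE_DN),
    filter: searchFilter(u),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and compare the `filter` column with the two filters in the PowerShell example above: the "@" form of the name is only for the bind, and every query has to use the underscore form. The escaping functions are the part worth keeping if you build filters from user-supplied names, since a UPN containing "#EXT#" is harmless but a name containing "*" or ")" would otherwise change what the search matches.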
