New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Make AD connector synchronization of userPrincipalName configurable #13
Feature: Make AD connector synchronization of userPrincipalName configurable #13
Conversation
Q: Is there another way of sending in the signed CLA other than by fax? I don't have that sort of device readily available to me anymore. That is the only indicated way of sending the signed CLA back. |
@matsimon You already signed it digitially at https://cla-assistant.io/univention/univention-corporate-server?pullRequest=13. That should be enough :-) |
Thanks @spaceone that was back with another employer so I wasn't certain I had to re-sign the CLA as individual person. I'd be interested if you are even open to having the option mappable, based on a user-defined user Attribute, so please consider this merge request WiP. Going through all of the additional checks that I outline below - maybe you come up with other things - it isn't going to be worth the time (i.e. my time) if you don't think that it is a of interest for an integration. However I'm thankful for pointers and hints, maybe I'm actually proposing something completely dangerous even though I do see an actual use case of mine. There are some things that would need to be discussed, cleaned up or checked at more closely before integration anyway. For some I can provide test results, but maybe not for all. Possibly some additional tests would need to be written (if so, where?):
Edit 2019-08-04: Included some updated information about unregistered UPN suffixes and non-compliant UPNs where I've been able to do some testing. |
Thanks for taking the time and effort to supply this input! While reading your list I quickly checked the AD schema for userPrincipalName and it says "Is-Single-Valued | True". Same for krb5PrincipalName in the OpenLDAP Schema. At least that point is easy :-) Also I quickly started an Microsoft Windows 2008 R2 DC and created a user with a non-RFC822 value as UPN, and the AD accepted this:
And the MS ADUC gui tool doesn't crash when opening this user :-) So I'd consider that a non-issue until proven wrong. Probably all things Kerberos things won't work well with such an account. Maybe AD uses a default REALM in that case (though it doesn't do it in the GUI). For example if you compare this to the servicePrincipalName attribute, that one is without the @realm part. I agree, somebody should test that at some point. Anyway, thanks again! Maybe you can briefly explain the use case for this (e.g. as a bug comment), like, in which scenario this would help. E.g. synchronization with a AD domain that is part of a AD forest/tree. A "user story" like that helps the UCS product owner to estimate the priority of the bug reports. |
Hi Arvid Thank you for your time on the feedback. I'll provide a "user story" in the bugzilla item since this is more likely to be given a look at by product owners? Interestingly the PowerShell cmdlet New-ADUser doesn't prevent you from creating users with a UPN suffix not defined in the AD Forest, however I have no idea if that causes issues elsewhere in AD. Here is an example where the AD Forest has no UPN suffix configured like used here: New-ADUser -Name "Threepwood, Guybrush" `
-SamAccountName guybrush.threepwood `
-UserPrincipalName guybrush.threepwood@monkeyisland.example.org Edit: See expanded & updated test results in this comment. |
By introducing a new UCR variable instead of mapping uid@KERBEROSREALM from UCS OpenLDAP to Active Directory's userPrincipalName we can now map a specific attribute from UCS OpenLDAP as the resulting userPrincipalName in Active Directory. However it is up to the administrator to use an attribute that is both single-valued and complies with RFC 822 as that is what Microsoft expects for userPricipalName. Hence this option is not defined by default and the defaults remain sane.
univention/dist/ucs-ec2-tools#13
univention/dist/ucs-ec2-tools#13
univention/dist/ucs-ec2-tools#13
univention/dist/ucs-ec2-tools#13
univention/dist/ucs-ec2-tools#13
univention/dist/ucs-ec2-tools#13
univention/dist/ucs-ec2-tools#13
univention/components/ucsschool-api-plugins/id-broker-plugin#13
univention/components/ucsschool-api-plugins/id-broker-plugin#13
univention/components/ucsschool-api-plugins/id-broker-plugin#13
univention/components/ucsschool-api-plugins/id-broker-plugin#13
Thank you for providing a pull request!
Please make sure you considered the following things
Link to the issue in Bugzilla
https://forge.univention.org/bugzilla/show_bug.cgi?id=49954 (updated, initially pasted the URL for another issue)
Description of the changes
This is a proposal for making the mapping userPrincipalName configurable details are
What kind of change does this PR introduce? Feature
How can we reproduce the issue?
To which UCS version does the issue apply? 4.4-1 and before.
Please list relevant screenshots, error messages, logs or tracebacks n/a yet
Are there any breaking or API changes? The code was modified so that it shouldn't change default behaviour. However if a person purposely maps an attribute that is not single-valued or RFC 822 compliant, there are errors to be expected as that are AD's requirement for userPrincipalName.
Are there changes in the documentation necessary? The variable should be mentioned in a changelog if the MR is accepted.
Are there descriptions for newly introduced UCR variables? Yes, however the definitive variable name can be discussed :-)
Looking forward to hearing from you