XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    LDAP extract user from specified field?

    Scheduled Pinned Locked Moved Xen Orchestra
    4 Posts 4 Posters 649 Views 1 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      sborrill
      last edited by

      The LDAP plugin runs the query specified with {{name}} as the username you enter. It then uses the same value for the user account to create. This is OK for simple queries, but imagine you want to search by email address and/or account name while using a consistent name for the user account. It would be very handy to be able to optionally specify an LDAP attribute to extract and use for the user account (this is very similar to what NetScaler does for the SSO attribute).

      For example, I have the following query:

      (&(|(sAMAccountName={{name}})(mail={{name}}))(memberOf=CN=CloudConsole,CN=Users,DC=domain,DC=internal))

      With this I can log in with either AD account name or email address (as long as I am a member of the specified group). Currently XO treats these as two separate accounts (with obvious associated problems for ACL duplication, etc.). I would like to specify that the XO username should be the sAMAccountName attribute

      1 Reply Last reply Reply Quote 0
      • olivierlambertO Online
        olivierlambert Vates 🪐 Co-Founder CEO
        last edited by

        Ping @julien-f

        1 Reply Last reply Reply Quote 0
        • julien-fJ Offline
          julien-f Vates 🪐 Co-Founder XO Team
          last edited by julien-f

          I had a proposal for this but never got any answers and it never got merged: https://github.com/vatesfr/xen-orchestra/issues/1655#issuecomment-327492894

          mmartinWECHU created this issue in vatesfr/xen-orchestra

          closed LDAP creates new user is userNaME CaSe is DifFerent #1655

          1 Reply Last reply Reply Quote 0
          • D Offline
            DreDay
            last edited by

            I actually like the current implementation. I am currently using this setup to allow an admin user to have 2 accounts managed by one authentication back-end.

            One account is a typical self-service user to consume resources according to ACL/Self-service rule sets
            The other account is used to manage Admin features like backups and XO settings (environment with multiple admins who also consume resources from a shared pool with other departments/teams)

            I use separate accounts so when admin users create VMs it can go to the appropriate self-service container. I hope any fixes to address the above concern doesn't completely remote this capability or at least adds another method of achieving this. 🙂

            1 Reply Last reply Reply Quote 0

            Hello! It looks like you're interested in this conversation, but you don't have an account yet.

            Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

            With your input, this post could be even better 💗

            Register Login
            • First post
              Last post