LDAP extract user from specified field?
-
The LDAP plugin runs the query specified with {{name}} as the username you enter. It then uses the same value for the user account to create. This is OK for simple queries, but imagine you want to search by email address and/or account name while using a consistent name for the user account. It would be very handy to be able to optionally specify an LDAP attribute to extract and use for the user account (this is very similar to what NetScaler does for the SSO attribute).
For example, I have the following query:
(&(|(sAMAccountName={{name}})(mail={{name}}))(memberOf=CN=CloudConsole,CN=Users,DC=domain,DC=internal))
With this I can log in with either AD account name or email address (as long as I am a member of the specified group). Currently XO treats these as two separate accounts (with obvious associated problems for ACL duplication, etc.). I would like to specify that the XO username should be the sAMAccountName attribute.
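An added example (not xen-orchestra's own code, and not the plugin's actual implementation) showing the two halves of what the post asks for: substituting the typed name into the filter template above with RFC 4515 escaping, and then taking the XO account name from a configurable attribute so that a login by sAMAccountName and a login by mail resolve to the same XO user. The `usernameAttribute` setting, the in-memory `DIRECTORY`, and `searchStandIn` (which stands in for the AD server evaluating only this filter shape) are assumptions made for the example.

```javascript
// Added example, not xen-orchestra's own code.
// (1) substitute the typed login name into the filter template from the issue
// (2) pick the XO account name from a chosen attribute (hypothetical
//     "usernameAttribute" setting) so both login forms map to one XO user.

const FILTER_TEMPLATE =
  '(&(|(sAMAccountName={{name}})(mail={{name}}))' +
  '(memberOf=CN=CloudConsole,CN=Users,DC=domain,DC=internal))';

// RFC 4515 escaping for a value placed inside a search filter. Without it a
// typed name such as "*)(objectClass=*" would rewrite the filter itself.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'),
  );
}

function buildFilter(template, name) {
  const escaped = escapeFilterValue(name);
  // Function replacement so "$&"-style patterns in the name are not expanded.
  return template.replace(/\{\{name\}\}/g, () => escaped);
}

// Constructed directory entries standing in for the AD server's answer.
const REQUIRED_GROUP = 'CN=CloudConsole,CN=Users,DC=domain,DC=internal';
const DIRECTORY = [
  {
    dn: 'CN=Alice,CN=Users,DC=domain,DC=internal',
    sAMAccountName: 'alice',
    mail: 'alice@domain.internal',
    memberOf: [REQUIRED_GROUP],
  },
  {
    dn: 'CN=Bob,CN=Users,DC=domain,DC=internal',
    sAMAccountName: 'bob',
    mail: 'bob@domain.internal',
    memberOf: [], // not in the group: must not be able to log in
  },
];

// Stand-in for the server evaluating the issue's filter: matches when the
// typed name equals sAMAccountName or mail (AD compares these without regard
// to case) and the entry is in the required group. Handles only this shape.
function searchStandIn(entries, typedName) {
  const n = typedName.toLowerCase();
  return entries.filter(
    (e) =>
      (e.sAMAccountName.toLowerCase() === n || e.mail.toLowerCase() === n) &&
      e.memberOf.includes(REQUIRED_GROUP),
  );
}

// Resolve the XO account name for a login. With usernameAttribute unset this
// returns the typed name (the current behaviour the issue describes); with it
// set, the value of that attribute on the matched entry is used instead.
function resolveXoUsername(typedName, entries, usernameAttribute) {
  const matches = searchStandIn(entries, typedName);
  if (matches.length !== 1) {
    // zero: unknown user or not in group; more than one: ambiguous, refuse
    return null;
  }
  if (!usernameAttribute) return typedName;
  const value = matches[0][usernameAttribute];
  if (value === undefined) return null;
  return Array.isArray(value) ? value[0] : value;
}

function demo() {
  return {
    filter: buildFilter(FILTER_TEMPLATE, 'alice@domain.internal'),
    escapedFilter: buildFilter(FILTER_TEMPLATE, '*)(objectClass=*'),
    today: [
      resolveXoUsername('alice', DIRECTORY, null),
      resolveXoUsername('alice@domain.internal', DIRECTORY, null),
    ],
    proposed: [
      resolveXoUsername('alice', DIRECTORY, 'sAMAccountName'),
      resolveXoUsername('Alice@Domain.Internal', DIRECTORY, 'sAMAccountName'),
    ],
    rejected: resolveXoUsername('bob', DIRECTORY, 'sAMAccountName'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With `usernameAttribute` unset, `today` yields two different XO usernames for the same person (the duplication the post describes); with it set to `sAMAccountName`, both logins yield `alice`. Whatever the real plugin does, anything that interpolates the typed name into the filter needs the escaping step, or the login name becomes part of the query.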
-
Ping @julien-f
-
I had a proposal for this but never got any answers and it never got merged: https://github.com/vatesfr/xen-orchestra/issues/1655#issuecomment-327492894
-
I actually like the current implementation. I am currently using this setup to allow an admin user to have 2 accounts managed by one authentication back-end.
One account is a typical self-service user to consume resources according to ACL/Self-service rule sets.
The other account is used to manage Admin features like backups and XO settings (environment with multiple admins who also consume resources from a shared pool with other departments/teams).
I use separate accounts so when admin users create VMs it can go to the appropriate self-service container. I hope any fixes to address the above concern don't completely remove this capability, or at least add another method of achieving this.