-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GetGroupsFromActiveDirectory() to look for the attribute set in claim types configuration instead of Name #148
Comments
@rurikon thank you for taking the time to report this issue. Yes, you were right to open a new issue. |
@rurikon, the class System.DirectoryServices.AccountManagement.GroupPrincipal exposes only 3 properties which LDAPCP could use as claimValue for the group names in
In your scenario, would using either |
When installing, LDAPCP automatically sets group claim type to query SamAccountName, so that would be a logical choice. Another option, if it's not too complex, is to check if the setting matches one of the exposed ones (Name, SamAccountName or UserPrincipalName). If it does, use the setting, and if it doesn't, default to SamAccountName. This is probably what I would aim for, because it gives the end user some control over how they set up their claims. |
Understood. So in your case, properties |
Yes, Name and SamAccountName are different in our environment. According to my tests, when we have SamAccountName as the group claim type, people picker works "as intended" but augmentation doesn't work at all. People picker will add rights to c:0-.t|claimprovider|my-group-samaccountname (or any other property we define in settings), but the .NET augmentation will always add c:0-.t|claimprovider|my-group-name to the user, because it's locked into Name. I suppose for most environments SamAccountName and Name are the same, so the problem doesn't manifest, because for them "my-group-samaccountname" is the same as "my-group-name" and the claims strings end up being equal. In our environment, I have to select Name as the group claim type, so that the string people picker uses will match the string in augmentation. If you don't go the complex route, it will be a breaking change to those (like me) who have changed the group claim type to Name in order to get augmentation to work. New users will have things easier because the default setting SamAccountName will match right away, but they can't choose any other property as the group claim. Users who have identical Name and SamAccountName won't notice a thing. If you choose the complex route, in my understanding it won't affect current installations. The options are:
|
@rurikon I thought about it, and I completely agree with your summary. The impact can be only positive, regardless if default configuration of LDAPCP was changed or not. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
* Augmentation is now enabled by default on a new LDAP connection, when it is added through the UI * Augment groups with the same attribute as the one set in the LDAPCP configuration. #148 * Fix: In claims configurfation page, the values in the list of "PickerEntity metadata" was not populated correctly, which caused an issue with the "Title" (and a few others) * Update NuGet package NUnit3TestAdapter to v3.16.1 * Update NuGet package Newtonsoft.Json to 12.0.3
We have a set of groups in AD that have different DisplayName, Name and SamAccountName. I was looking into why the group rights didn't work and ran into this issue: #134 It basically describes the exact same issue we have.
In the comments, Yvand says "A possible alternative is to get the groups using method LDAPCP.GetGroupsFromActiveDirectory(), which should set the claim value of group with their samAccountName." However, if I look at the code in GetGroupsFromActiveDirectory(), it looks like it's only using adGroup.Name and not adGroup.SamAccountName. Would it be possible to change the code to look at whatever is set in the claim types configuration page instead? I would've made a pull request, but I'm not sure what is the variable for that configuration setting.
The relevant lines are:
LDAPCP/LDAPCP/LDAPCP.cs
Line 1368 in c0670eb
LDAPCP/LDAPCP/LDAPCP.cs
Line 1378 in c0670eb
LDAPCP/LDAPCP/LDAPCP.cs
Line 1382 in c0670eb
(I first posted this as a comment on the closed issue, but I figured it's better to make a new one.)
The text was updated successfully, but these errors were encountered: