LDAP Authentication changed from cn to displayName in Greenlight #1566

Closed
caniwi opened this issue May 11, 2020 · 11 comments · Fixed by #1700
@caniwi

caniwi commented May 11, 2020

We upgraded Greenlight last night and now, after users log in, Greenlight is using the LDAP attribute displayName rather than the LDAP cn attribute. Can we get this reversed, or is there a way to pick which LDAP attribute controls how a user gets displayed?

@farhatahmad
Collaborator

The fix to this is probably to allow attribute mapping for LDAP instead, since there are so many different possible fields and configurations.

@caniwi
Author

caniwi commented May 13, 2020

Hi,
While I can agree with you about allowing attribute mapping, I have raised this as it is a change in behaviour between releases. Our original installation used the LDAP attribute of cn. The newer install is using the LDAP attribute of displayName. Change in behaviour between releases is typically considered a bug.
The change in name displayed in Greenlight has confused some people. It has also caused some embarrassment as displayName is used internally which might not be client friendly or sensical.

@farhatahmad
Collaborator

On second thought, I agree with you. It was a change that snuck into the last release. We'll get it reverted in the next release.

@caniwi
Author

caniwi commented May 28, 2020

Any movement on this?

@farhatahmad
Collaborator

Going to revert this in 2.6.2 (which should be released sometime today)

@Zer0CooL4ek

Greetings!
I didn’t really want to raise the topic again, but I'm still a beginner, and it turned out that I started using the version in which the "display name" parameter was displayed by default, which just suited us.
Since the parameter "cn" in our Active Directory is designated as the user login, in the end it turns out that after the user logs in to Greenlight, we will have to rename it manually.

How can I return the "displayname" parameter?

Just like at the beginning of the topic, it looks like a bug for us, but it is not.
It remains to understand how to return it ...

@mk-hs

mk-hs commented Jun 3, 2020

@farhatahmad is attribute mapping still on the table?
We also prefer the displayname, and since changing your name with ldap authentication is understandably disabled, there's no way for users to fix this any more.

@chaosgrid

+1

Is there an ETA for LDAP attribute mapping? Until this is resolved, we cannot really upgrade because locking ldap users to their login name is not ideal...

@notaus557

notaus557 commented Jun 6, 2020

Would be great if there will be a solution soon, we also have this issue #1759

It seems the change of bn-ldap-authentication from 0.1.2 to 0.1.3 changed this behaviour.
blindsidenetworks/bn-ldap-authentication@0.1.2...0.1.3

For the local installation this works:
In Gemfile and Gemfile.lock change the version of bn-ldap-authentication back to 0.1.2 and run
./scripts/image_build.sh image release-v2 command.

For the dockered version you have to make these changes inside the container and then commit it to make the changes persistent.

@testerik

testerik commented Jun 7, 2020

Presumably I encountered the same problem. As far as I understand it, the changed behaviour is not caused by Greenlight (correct me if I am wrong), but by send_ldap_request(). I logged the LDAP connections:

 @auth = parse_auth(result.first, ENV['LDAP_ROLE_FIELD'])
 logger.info("Got LDAP data #{@auth.inspect}")

Before the update I got something like:
Got LDAP data {"info"=>{"name"=>"Erik Nachname", "first_name"=>"Erik", "last_name"=>"Nachname", "email"=>"erik@blabla.de", "nickname"=>"erik", "roles"=>"IT Service"}, "uid"=>"uid=erik,ou=users,dc=blabla,dc=de", "provider"=>:ldap}

Now I get:

Got LDAP data {"info"=>{"name"=>"d3451534b-a54c-406f-8558-c63f80bf1fd5", first_name"=>"Erik", "last_name"=>"Nachname", "email"=>"erik@blabla.de", "nickname"=>"erik", "roles"=>"IT Service"}, "uid"=>"uid=erik,ou=users,dc=blabla,dc=de", "provider"=>:ldap}

What I want is again the content of displayName for name in the output above.
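
An added example, not part of the thread and not code from Greenlight or bn-ldap-authentication: a sketch of the attribute mapping proposed above, where each field of the auth hash is filled from an ordered list of LDAP attributes instead of one hard-coded attribute. `DEFAULT_MAPPING`, `first_value`, `build_auth_info` and the sample entry are hypothetical; the entry assumes a directory where cn holds the login, as one commenter describes.

```ruby
# Added illustration; not code from Greenlight or bn-ldap-authentication.
# All names below are hypothetical.

# Each auth field lists candidate LDAP attributes in order of preference.
DEFAULT_MAPPING = {
  "name"       => %w[cn displayName],
  "first_name" => %w[givenName],
  "last_name"  => %w[sn],
  "email"      => %w[mail],
  "nickname"   => %w[uid],
}.freeze

# LDAP attribute names are case-insensitive and values usually arrive as arrays.
# Returns the first value as a stripped string, or nil if missing or blank.
def first_value(entry, attribute)
  key = entry.keys.find { |k| k.to_s.casecmp?(attribute) }
  value = Array(entry[key]).first.to_s.strip if key
  value unless value.nil? || value.empty?
end

# Build the "info" part of the auth hash from a directory entry.
# overrides replaces the candidate list for individual fields.
def build_auth_info(entry, overrides = {})
  mapping = DEFAULT_MAPPING.merge(overrides)
  mapping.each_with_object({}) do |(field, attributes), info|
    info[field] = attributes.lazy.map { |a| first_value(entry, a) }.find { |v| v }
  end
end

# Constructed sample entry, modelled on the values in the log lines above.
SAMPLE_ENTRY = {
  "cn"          => ["erik"],
  "displayName" => ["Erik Nachname"],
  "givenName"   => ["Erik"],
  "sn"          => ["Nachname"],
  "mail"        => ["erik@blabla.de"],
  "uid"         => ["erik"],
}.freeze

# Default mapping prefers cn; the override prefers displayName and falls back to cn.
puts build_auth_info(SAMPLE_ENTRY)["name"]
puts build_auth_info(SAMPLE_ENTRY, "name" => %w[displayName cn])["name"]
```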

@notaus557

> Presumably I encountered the same problem. As far as I understand it, the changed behaviour is not caused by Greenlight (correct me if I am wrong), but by send_ldap_request(). I logged the LDAP connections:
>
>  @auth = parse_auth(result.first, ENV['LDAP_ROLE_FIELD'])
>  logger.info("Got LDAP data #{@auth.inspect}")
>
> Before the update I got something like:
> Got LDAP data {"info"=>{"name"=>"Erik Nachname", "first_name"=>"Erik", "last_name"=>"Nachname", "email"=>"erik@blabla.de", "nickname"=>"erik", "roles"=>"IT Service"}, "uid"=>"uid=erik,ou=users,dc=blabla,dc=de", "provider"=>:ldap}
>
> Now I get:
>
> Got LDAP data {"info"=>{"name"=>"d3451534b-a54c-406f-8558-c63f80bf1fd5", first_name"=>"Erik", "last_name"=>"Nachname", "email"=>"erik@blabla.de", "nickname"=>"erik", "roles"=>"IT Service"}, "uid"=>"uid=erik,ou=users,dc=blabla,dc=de", "provider"=>:ldap}
>
> What I want is again the content of displayName for name in the output above.

Change the version of the bn-ldap-authentication gem back to 0.1.2; see my previous post.
