twocanoes/xcreds

Clarify manifest descriptions for AD property names

davelebbing opened this issue · 3 comments

v5.0 build 7096

In the manifest description for map_firstname it shows a default value of given_name. This is correct for OIDC but for AD I believe it should be added that the default is givenName.

Then for map_username it shows the default for AD as sAMAccountName. This property does not show in the XCreds log. Not sure how this relates to userPrincipalName when being processed by XCreds but I'm wondering if this manifest description needs further clarification for what is being used.

This is a reference I saw on the relation of these AD property names for username:

https://docs.secureauth.com/0903/en/active-directory-attributes-list.html#:~:text=Name%20(Pre%20W2K)-,sAMAccountName,-JSmith

@davelebbing let's discuss. I am not sure how to change.

Current description for map_firstname:

Local DS to OIDC/AD Mapping for First Name. Default value: "given_name". map_firstname should be set to an OIDC claim/AD Attribute for first name.

Proposed change:

Local DS to OIDC/AD Mapping for First Name. Default value: "given_name" (OIDC), "givenName" (AD). map_firstname should be set to an OIDC claim/AD Attribute for first name.

Current description for map_username:

Local DS to OIDC Mapping/AD Attribute for Name. Default value: "name" (OIDC), "sAMAccountName" (AD). map_username should be set to an OIDC claim/AD Attribute for name.

Proposed change:

Local DS to OIDC Mapping/AD Attribute for Name. Default value: "name" (OIDC), "userPrincipalName" (AD). map_username should be set to an OIDC claim/AD Attribute for name. The macOS username will be set as the portion of this value before an @ symbol if present.

Log info:

The following example info from an XCreds log shows that sAMAccountName is not a field that is present in what was received from the AD server.

User Info:ADUserRecord(type: XCredsLoginPlugin.LDAPType.AD
userPrincipal: "davetests@TWOCANOES.COM"
firstName: "Dave"
lastName: "TestAD"
fullName: "Dave TestAD"
shortName: "TestAD"
upn: "davetests@twocanoes.com"
email: Optional("davetests@twocanoes.com")
groups: ["MountShares"
"Administrators"]
homeDirectory: Optional("//web.twocanoes.com/Homes/davetests")
passwordSet: 2024-06-24 16:23:26 +0000
passwordExpire: Optional(4001-01-01 00:00:00 +0000)
uacFlags: Optional(512)
passwordAging: Optional(false)
computedExireDate: Optional(4001-01-01 00:00:00 +0000)
updatedLast: 2024-07-26 15:34:43 +0000
domain: "twocanoes.com"
cn: "Dave TestAD"
pso: Optional("")
passwordLength: Optional(0)
ntName: "TWOCANOES\davetestad"
customAttributes: nil
rawAttributes: Optional(["memberOf": "CN=MountShares,CN=Users,DC=twocanoes,DC=com;CN=Administrators,CN=Builtin,DC=twocanoes,DC=com"
"msDS-PrincipalName": "TWOCANOES\davetestad"
"displayName": "Dave TestAD"
"dn": "CN=Dave TestAD,CN=Users,DC=twocanoes,DC=com"
"pwdLastSet": "133637198064179901"
"userPrincipalName": "davetests@twocanoes.com"
"givenName": "Dave"
"homeDirectory": "\\web.twocanoes.com\Homes\davetests"
"sn": "TestAD"
"msDS-UserPasswordExpiryTimeComputed": "9223372036854775807"
"userAccountControl": "512"
"cn": "Dave TestAD"
"mail": "davetests@twocanoes.com"]))
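The thread above turns on two points: which attribute each map_* key falls back to when the profile leaves it unset (different for OIDC claims and AD attributes), and how the local macOS short name is derived from the mapped value (the part before "@", per the proposed description). The following Python is an added illustration written for this page, not XCreds code; XCreds is a Swift project and its real resolver is not shown here. The DEFAULT_MAPPINGS table is taken from the proposed descriptions in this issue, SAMPLE_AD_RAW is the rawAttributes dictionary from the log above trimmed to the relevant keys, and SAMPLE_OIDC_CLAIMS is a constructed, hypothetical claim set. The MissingAttribute check is the behaviour a practitioner would want when the configured attribute (for example sAMAccountName, which the AD server in the log did not return) is absent from the record: fail loudly rather than create an account with an empty or wrong name.

```python
"""Illustrative resolver for XCreds-style map_* keys (added example, not XCreds code)."""
from typing import Mapping, Optional, Tuple

# Defaults taken from the proposed manifest descriptions in this issue, keyed by
# the directory type the record came from. Only the two keys the issue discusses.
DEFAULT_MAPPINGS = {
    "OIDC": {"map_firstname": "given_name", "map_username": "name"},
    "AD": {"map_firstname": "givenName", "map_username": "userPrincipalName"},
}


class MissingAttribute(KeyError):
    """The configured claim/attribute was not present in the record the server returned."""


def resolve_attribute(raw_attributes: Mapping[str, str], directory_type: str, key: str,
                      profile: Optional[Mapping[str, str]] = None) -> Tuple[str, str]:
    """Return (attribute_name, value) for a map_* key.

    The profile value wins when set; otherwise the per-directory default applies.
    A configured attribute that the server did not send is an error, not a silent blank.
    """
    profile = profile or {}
    attr = profile.get(key) or DEFAULT_MAPPINGS[directory_type][key]
    if attr not in raw_attributes:
        raise MissingAttribute(
            f"{key} -> {attr!r} is not present in the {directory_type} record; "
            f"attributes received: {sorted(raw_attributes)}"
        )
    return attr, raw_attributes[attr]


def local_short_name(raw_attributes: Mapping[str, str], directory_type: str,
                     profile: Optional[Mapping[str, str]] = None) -> str:
    """Local macOS short name: the mapped username up to the first '@' if one is present.

    Only the '@' suffix is stripped; a DOMAIN\\user value such as msDS-PrincipalName
    passes through unchanged.
    """
    _, value = resolve_attribute(raw_attributes, directory_type, "map_username", profile)
    return value.split("@", 1)[0]


# Constructed sample: the AD rawAttributes from the log in this issue, trimmed to
# the keys relevant to name mapping (no sAMAccountName was returned).
SAMPLE_AD_RAW = {
    "userPrincipalName": "davetests@twocanoes.com",
    "givenName": "Dave",
    "sn": "TestAD",
    "displayName": "Dave TestAD",
    "cn": "Dave TestAD",
    "mail": "davetests@twocanoes.com",
    "msDS-PrincipalName": "TWOCANOES\\davetestad",
}

# Constructed, hypothetical OIDC claim set (not taken from the issue).
SAMPLE_OIDC_CLAIMS = {"given_name": "Dave", "name": "dave.test", "email": "dave.test@example.com"}


def sam_lookup_fails() -> bool:
    """True if mapping map_username to sAMAccountName (the old default) fails on this record."""
    try:
        local_short_name(SAMPLE_AD_RAW, "AD", {"map_username": "sAMAccountName"})
    except MissingAttribute:
        return True
    return False


if __name__ == "__main__":
    print("AD first name:", resolve_attribute(SAMPLE_AD_RAW, "AD", "map_firstname"))
    print("AD short name:", local_short_name(SAMPLE_AD_RAW, "AD"))
    print("OIDC short name:", local_short_name(SAMPLE_OIDC_CLAIMS, "OIDC"))
    print("sAMAccountName mapping fails on this record:", sam_lookup_fails())
```

Running it against the sampled record gives "davetests" for the AD short name under the proposed userPrincipalName default, "dave.test" for the constructed OIDC claims, and a MissingAttribute error for the sAMAccountName mapping, which matches the observation above that the attribute is not in what the server returned. One general caveat when deriving the local name from the part of the UPN before "@": two principals that differ only in domain suffix produce the same local short name, so environments with more than one UPN suffix should map to an attribute that is unique across the whole forest.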

Updated description. Please verify and close.