Authentication policy mangle

I’ve been trying to solve the following with the policy mangle all day, but somehow I have a knot in my head about it:

Doc: 7.3. Authentication policies — privacyIDEA 3.8 documentation

Problem:
Username: TestStudent@students.university.edu
or
Username: TestMember@staff.university.edu

are supposed to become
Username: TestStudent@students
or
Username: TestMember@staff

I have already tried:

mangle: user/(.*)@.*\\.university\\.edu/\\1/ 
mangle: user/(.*)\\.university\\.edu/\\1/  
mangle: realm/(.*)\.university\.edu/\\1/ 

I made a separate policy for this with a priority at the top. So far it just doesn’t take effect, and I wonder if the split into username and realm happens before, or if I even need two rules, one to extract the username and one to shorten the realm.

Unfortunately I can’t figure it out from the doc or the code. Has anyone done something like this before?

The user resolving is done before the mangling.

I.e. your input “TestStudent@students.university.edu” is split into username=TestStudent and realm=students.university.edu if this realm exists (or not split, according to the splitting rules described in readthedocs.)

I.e. you cannot mangle a non-existing realm or non-existing user.