Good day! First of all, I want to say that I appreciate your mindset and support of the Open Source community. In a world where more and more software is moving to a ‘subscription’ license where you can no longer own the software, this is a breath of fresh air!
My question is in regard to the Windows Credential Provider. I stood up the privacyIDEA server the other day to begin testing. I configured an LDAP Resolver and I am utilizing userPrincipalName as the Loginname Attribute. This works great and I can log in to the web UI using my UPN (firstname.lastname@example.org). The reason for configuring it this way is because the UPN matches the user’s email address, whereas the sAMAccountName is a string of letters with incrementing numbers (user000001). The sAMAccountName is never used and the end-users don’t have any idea what their account’s sAMAccountName even is.
The problem comes about with the Windows Credential Provider. When logging into my laptop with my UPN (email@example.com), it appears the only thing passed to the privacyIDEA API for user is the first part (before the @ sign). As such, privacyIDEA cannot find a corresponding user account, since user does not match a userPrincipalName Loginname Attribute. The easiest solution is to allow for a registry configuration which passes both the username AND domain name from the Credential Provider, but I cannot find a configuration for that. Any other suggestion?
The credential provider treats ‘@’ like ‘\’ to get the domain. It does not use the UPN when sending the username to privacyidea. While this will probably be possible in an upcoming version, you could try to solve your problem with a domain to realm mapping:
When I tried mapping acme.com and contoso.com to their respective realms, the username which was passed from the credential provider to the privacyIDEA server was always john for both cases, which doesn’t match a user in the realms:
When the LDAP provider’s Loginname Attribute is configured with userPrincipalName, then the username must be passed back to the server in the firstname.lastname@example.org format.
When the LDAP provider’s Loginname Attribute is configured with sAMAccountName, then the username must be passed back to the server in the user##### format.
My only idea to possibly work around this, for now, is to modify the python code on the server so that it automatically adds the realm name (for example, @acme.com) to the end of the username before it performs the user lookup. I’m just not sure yet where that modification would be made. Perhaps within privacyidea/user.py?
(sorry for multiple posts; the forum doesn’t allow more than 2 links for new users and I guess it recognizes those example emails and domains as “links”).
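To make the behaviour discussed in this thread concrete (the credential provider treating ‘@’ like ‘\’ and forwarding only the bare user part, the domain-to-realm mapping, and the server-side workaround of re-attaching the UPN suffix before the user lookup), here is an added, self-contained Python illustration. It is not code from privacyIDEA or from the Windows Credential Provider; the function names (split_login, build_request, lookup_user), the mapping tables, the user store and the assumption that the request goes to /validate/check are all constructed for the example.

```python
"""
Illustration of the username handling described in the thread. Assumed
names and data structures throughout; this is not privacyIDEA or
credential-provider code.
"""
from __future__ import annotations

# Constructed stand-in for the credential provider's domain -> realm mapping
# (in the real CP this lives in the registry; the structure here is assumed).
DOMAIN_REALM_MAP = {
    "acme.com": "acme",
    "ACME": "acme",
    "contoso.com": "contoso",
    "CONTOSO": "contoso",
}

# Constructed stand-in for an LDAP resolver whose Loginname Attribute is
# userPrincipalName: realm -> {UPN: sAMAccountName}.
USER_STORE = {
    "acme": {"john@acme.com": "user000017"},
    "contoso": {"john@contoso.com": "user000042"},
}

# Assumed: the UPN suffix to re-attach per realm (the workaround from the
# thread, appending "@acme.com" before the lookup).
UPN_SUFFIX_BY_REALM = {"acme": "acme.com", "contoso": "contoso.com"}


def split_login(login: str) -> tuple[str, str | None]:
    """Split a Windows-style login into (user, domain).

    Mirrors the behaviour described in the thread: '@' is treated like '\\',
    so 'john@acme.com' -> ('john', 'acme.com') and 'ACME\\john' -> ('john', 'ACME').
    A bare 'john' yields no domain.
    """
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return user, domain
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return user, domain
    return login, None


def build_request(login: str) -> dict:
    """Parameters the CP sends to the server (assumed: /validate/check) under
    the described behaviour: only the bare user, plus a realm when the domain
    part is found in the mapping."""
    user, domain = split_login(login)
    params = {"user": user}
    if domain is not None and domain in DOMAIN_REALM_MAP:
        params["realm"] = DOMAIN_REALM_MAP[domain]
    return params


def lookup_user(params: dict, append_suffix: bool) -> str | None:
    """Hypothetical server-side lookup against USER_STORE.

    With append_suffix=False this reproduces the failure from the thread: the
    bare 'john' never matches a userPrincipalName login name. With
    append_suffix=True the realm's UPN suffix is re-attached first, which is
    the workaround the original poster proposes patching into the server.
    Returns the resolved sAMAccountName or None when no user matches.
    """
    realm = params.get("realm")
    login = params["user"]
    if realm is None or realm not in USER_STORE:
        return None
    if append_suffix and "@" not in login:
        login = f"{login}@{UPN_SUFFIX_BY_REALM[realm]}"
    return USER_STORE[realm].get(login)


if __name__ == "__main__":
    for typed in ("john@acme.com", "ACME\\john", "john@contoso.com"):
        req = build_request(typed)
        print(typed, "->", req,
              "| as-is:", lookup_user(req, append_suffix=False),
              "| with suffix:", lookup_user(req, append_suffix=True))
```

The mapping resolves the realm correctly in both cases, but the user parameter is still the bare "john", so the UPN-keyed resolver finds nothing until the suffix is put back; the same lookup against a sAMAccountName-keyed resolver would of course not want the suffix, which is why the workaround has to be realm-specific.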