Logging in with alternate AD attributes

Running PrivacyIDEA 3.0

I’m trying to understand how user authentication into the WebUI works. I have a realm configured as example.com with user accounts in example.net AD domain. I’ve setup an LDAP resolver with the Loginname Attribute set to sAMAccountName, userPrincipalName, mail, msDS-PrincipalName. The only attribute that works though is sAMAccountName and UPN. Even if I turn off Use @ sign to split the username and the realm I’m still unable to login with mail or msDS. Below are examples of what those values would look like

sAMAccountName: 1234
userPrincipalName: 1234@example.net
mail: 1234@example.com
msDS-PrincipalName: example\1234

This organization primarily uses msDS-PrincipalName to log into systems but I’d also like to allow the ease of use of an email address for the webui if possible. Is it possible to configure PID to accept all four values or even just mail and msds-principalname?

In theory also four attributes should work. We simply iterate of the list of attributes to construct a search filter to find the userobject.

However, I do not know, if the msDS-PN has problems anyways due to the backslash.

You could simply check this out by only using one attribute of these.
Check if you are using loginmode=privacyIDEA. I am not sure, if this might make a difference. The multi loginattribute is mainly tested with the validate/check endpoint, not with the login to the UI!
Also check the log file privacyidea.log..

Interestingly, if sAMAccountName is removed or not the first value in the Loginname Attribute field no users are synced into PrivacyIDEA. I tried having just msDS-PrincipalName and mail in that field but no users populated under the assigned realm. Performing an LDAP test without sAMAccountName gives a successful connection. Adding sAMAccountName/placing it as the first value and changing nothing else results in users being populated.

Found the solution, looks like PrivacyIDEA’s ldap resolver treats both \ and @ as a separator for user and domain.

Scenario Example Data
AD Domain: example.net
sAMAccountName: 1234
UserPrincipalName: 1234@example.net
mail: 1234@example.com

Create Realm: example
LDAP Resolver Loginname Attribute values: sAMAccountName, mail, userPrincipalName

You can now login with using sAMAccount@example, UPN, email address, or msDS-PrincipalName.

1 Like