I’m trying to understand how user authentication into the WebUI works. I have a realm configured as example.com with user accounts in the example.net AD domain. I’ve set up an LDAP resolver with the Loginname Attribute set to sAMAccountName, userPrincipalName, mail, msDS-PrincipalName. The only attributes that work, though, are sAMAccountName and UPN. Even if I turn off "Use @ sign to split the username and the realm" I’m still unable to log in with mail or msDS. Below are examples of what those values would look like:
This organization primarily uses msDS-PrincipalName to log into systems, but I’d also like to allow the ease of use of an email address for the WebUI if possible. Is it possible to configure PID to accept all four values, or even just mail and msDS-PrincipalName?
In theory all four attributes should also work. We simply iterate over the list of attributes to construct a search filter to find the user object.
However, I do not know if the msDS-PN has problems anyway due to the backslash.
You could simply check this out by only using one attribute of these.
Check if you are using loginmode=privacyIDEA. I am not sure if this might make a difference. The multi loginattribute is mainly tested with the validate/check endpoint, not with the login to the UI!
Also check the log file privacyidea.log.
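To make the "iterate over the attribute list to build a search filter" remark concrete, here is an added, self-contained illustration (written for this thread, not privacyIDEA's own resolver code) of how a multi-attribute login lookup turns into one LDAP OR-filter, and why the backslash in an msDS-PrincipalName value matters: LDAP filter values must be escaped per RFC 4515, otherwise `EXAMPLE\jdoe` is either rejected as a malformed filter or, with characters such as `*` and `)`, alters the filter's logic. The `split_login` helper models the "Use @ sign to split the username and the realm" option from the question and is an assumption about that option's behaviour, not a description of privacyIDEA internals; the attribute list and sample logins are constructed for the example.

```python
# Added example (not privacyIDEA code): build an LDAP search filter from a
# comma-separated "Loginname Attribute" field, escaping the login value per
# RFC 4515 so values with backslashes, '*' or parentheses stay safe.

# Attribute field as typed into the resolver (constructed from the question).
LOGINNAME_ATTRIBUTES = "sAMAccountName, userPrincipalName, mail, msDS-PrincipalName"

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can be embedded in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_attribute_list(field: str) -> list:
    """Split the comma-separated attribute field and drop blank entries."""
    return [a.strip() for a in field.split(",") if a.strip()]


def split_login(login: str, split_at_sign: bool) -> tuple:
    """Model of the 'Use @ sign to split' option (assumed behaviour).

    With the option on, 'jdoe@example.net' becomes user 'jdoe' in realm
    'example.net', so the 'mail' attribute never sees the full address.
    With the option off the whole string is used as the login name.
    """
    if split_at_sign and "@" in login:
        user, _, realm = login.rpartition("@")
        return user, realm
    return login, ""


def build_login_filter(login_name: str, attribute_field: str,
                       base_filter: str = "(objectClass=person)") -> str:
    """Return '(&<base_filter>(|(attr1=v)(attr2=v)...))' for the login name."""
    attrs = parse_attribute_list(attribute_field)
    if not attrs:
        raise ValueError("Loginname Attribute field is empty")
    value = escape_filter_value(login_name)
    clauses = "".join(f"({a}={value})" for a in attrs)
    match = clauses if len(attrs) == 1 else f"(|{clauses})"
    return f"(&{base_filter}{match})"


if __name__ == "__main__":
    # Constructed sample logins covering the three naming styles discussed.
    for login in ("jdoe", "jdoe@example.net", "EXAMPLE\\jdoe"):
        user, realm = split_login(login, split_at_sign=False)
        print(login, "->", build_login_filter(user, LOGINNAME_ATTRIBUTES))
```

Reading the generated filter in privacyidea.log (or by logging it from a test script like this one) is the quickest way to see whether the resolver is sending `EXAMPLE\5cjdoe` (correct) or a raw `EXAMPLE\jdoe`, and whether the address was split before the mail attribute was compared.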
Interestingly, if sAMAccountName is removed or is not the first value in the Loginname Attribute field, no users are synced into privacyIDEA. I tried having just msDS-PrincipalName and mail in that field, but no users populated under the assigned realm. Performing an LDAP test without sAMAccountName gives a successful connection. Adding sAMAccountName or placing it as the first value, and changing nothing else, results in users being populated.