Hi,

Note: In this mail, if I refer to UserNameSearchFilter, it should point to the below section of the UserNameSearchFilter.

<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>

UserNameAttribute is used to create a user in LDAP. For example, consider the below example.

<Property name="UserNameAttribute">displayName</Property>
<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>

In an LDAP user store, the user entry will be created as displayName=udara. But for AD, the user will be created as cn=udara. This happens since user creation is specially treated in AD. But at the time of user login, the user will be searched with the UserNameSearchFilter. Therefore, for a created user to be able to log in to LDAP, either both UserNameAttribute and UserNameSearchFilter should be the same, or UserNameSearchFilter should contain an attribute which is automatically added to the user entry.

But for a read-only user store (LDAP/AD), these two can be configured as two attributes. For example, consider the below DN of a user:

DN: uid=venura,ou=Users,dc=WSO2,dc=ORG

If there exists an attribute within the user entry as displayName with a different value than the uid, and if the UserNameAttribute is configured as displayName, then the client will be able to search users using the UserNameAttribute, in this case it's displayName.

Regards,
Venura

On Thu, Oct 24, 2013 at 10:14 PM, Udara Liyanage <[email protected]> wrote:

> Hi,
>
> <Property name="UserNameAttribute">cn</Property>
> <Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
>
> Above are two parameters we specify for a userStoremanager in usr-mgt.xml of a carbon product. If I understood correctly, UserNameAttribute is the attribute which is used as the username when users are logged in to the servers. UserNameSearchFilter will be used to search users (i.e. authenticating users).
>
> In both parameters we used the value "cn". But what will happen if we specify different values for the two parameters as below?
>
> <Property name="UserNameAttribute">sAMAccountName</Property>
> <Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
>
> Though sAMAccountName is specified as the login name, the cn attribute is still used when authenticating users. Users have to log in using the cn values. However, UserNameAttribute was not considered when authenticating users. I copied and pasted a part of the code (in WSO2 IS 4.5) that executes when authenticating users below.
>
> String userSearchFilter = realmConfig.getUserStoreProperty(LDAPConstants.USER_NAME_SEARCH_FILTER);
> userSearchFilter = userSearchFilter.replace("?", userName);
>
> This won't be a problem if the same attribute (cn/sAMAccountName) is used in both parameters. Is it the expected way of configuring? If so, wouldn't it be better if there is a way to specify the attribute only in one place to reduce misconfiguration possibilities?
> Is there any use case in specifying different attributes in the above parameters?
>
> --
> Udara Liyanage
> Software Engineer
> WSO2, Inc.: http://wso2.com
> lean. enterprise. middleware
>
> web: http://udaraliyanage.wordpress.com
> phone: +94 71 443 6897

--
Senior Software Engineer
Mobile: +94 71 82 300 20
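The interaction the thread describes, as an added example (not WSO2 code): a toy user store that names new entries by UserNameAttribute (or always by cn when simulating AD) and authenticates through UserNameSearchFilter only, so the three cases above can be checked side by side. ToyUserStore, build_search_filter and escape_filter_value are constructed for this illustration; the RFC 4515 escaping of the substituted username is added here as a defensive step and is not part of the snippet quoted in the thread.

```python
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a substituted username cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\" else c for c in value)

def build_search_filter(user_name_search_filter: str, username: str) -> str:
    """The '?' substitution quoted in the thread, with escaping added (assumption, not WSO2 code)."""
    return user_name_search_filter.replace("?", escape_filter_value(username))

class ToyUserStore:
    """Constructed stand-in for an LDAP/AD user store: entries are attribute dicts."""
    def __init__(self, user_name_attribute, user_name_search_filter, active_directory=False):
        self.user_name_attribute = user_name_attribute
        self.user_name_search_filter = user_name_search_filter
        self.active_directory = active_directory
        self.entries = []

    def create_user(self, username, **extra):
        # LDAP: UserNameAttribute names the new entry. AD: creation is special-cased, always cn.
        naming_attribute = "cn" if self.active_directory else self.user_name_attribute
        entry = {"objectClass": "user", naming_attribute: username, **extra}
        self.entries.append(entry)
        return entry

    def search(self, username):
        # Login-time lookup uses UserNameSearchFilter only; UserNameAttribute is not consulted.
        flt = build_search_filter(self.user_name_search_filter, username)
        m = re.fullmatch(r"\(&((?:\([^()]+\))+)\)", flt)  # only the (&(a=b)(c=d)) shape is supported
        if not m:
            raise ValueError(f"unsupported filter: {flt}")
        clauses = re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1))
        return [e for e in self.entries
                if all(escape_filter_value(e.get(a, "")) == v for a, v in clauses)]

    def can_login(self, username):
        return len(self.search(username)) == 1

def demo():
    # Writable LDAP with differing attributes: entry gets displayName=udara, filter looks for cn
    ldap = ToyUserStore("displayName", "(&(objectClass=user)(cn=?))")
    ldap.create_user("udara")
    # Same config on AD: creation forces cn=udara, so the cn filter finds it
    ad = ToyUserStore("displayName", "(&(objectClass=user)(cn=?))", active_directory=True)
    ad.create_user("udara")
    # Read-only store with a pre-existing entry (constructed values): login via displayName
    ro = ToyUserStore("displayName", "(&(objectClass=user)(displayName=?))")
    ro.entries.append({"objectClass": "user", "uid": "venura", "displayName": "venura-display"})
    return ldap.can_login("udara"), ad.can_login("udara"), ro.can_login("venura-display")
```

demo() returns (False, True, True): the LDAP user created under a different attribute cannot log in, the AD user can because creation forced cn, and the read-only entry is found through displayName.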
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
