Hi,

Please look into the link [1] for more clarification.

[1] http://venurakahawala.blogspot.com/2013/10/usernameattribute-and.html

Regards,
Venura

On Fri, Oct 25, 2013 at 12:02 PM, Venura Kahawala <[email protected]> wrote:
> Hi,
>
> Note: In this mail, if I refer to UserNameSearchFilter, it should point to
> the below section of the UserNameSearchFilter.
>
> <Property name="UserNameSearchFilter">(&(objectClass=user)(*cn*=?))</Property>
>
> UserNameAttribute is used to create a user in LDAP. For example, consider
> the below example.
>
> <Property name="UserNameAttribute">displayName</Property>
> <Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
>
> In an LDAP user store, the user entry will be created as displayName=udara.
> But for AD the user will be created as cn=udara. This happens since user
> creation is specially treated in AD.
>
> But at the time of user login, the user will be searched with the
> UserNameSearchFilter. Therefore, for a created user to be able to log in to LDAP,
> either both UserNameAttribute and UserNameSearchFilter should be the same, or
> UserNameSearchFilter should contain an attribute which is automatically
> added to the user entry.
>
> But for a read-only user store (LDAP/AD), these two can be configured as
> two attributes. For example, consider the below DN of a user:
>
> DN: uid=venura,ou=Users,dc=WSO2,dc=ORG
>
> If there exists an attribute within the user entry such as displayName with a
> different value than the uid, and if the UserNameAttribute is configured as
> displayName, then the client will be able to search users using the
> UserNameAttribute, in this case displayName.
>
> Regards,
>
> Venura
>
> On Thu, Oct 24, 2013 at 10:14 PM, Udara Liyanage <[email protected]> wrote:
>> Hi,
>>
>> <Property name="UserNameAttribute">cn</Property>
>> <Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
>>
>> Above are two parameters we specify for a userStoreManager in usr-mgt.xml
>> of a Carbon product. If I understood correctly, UserNameAttribute is the
>> attribute which is used as the username when users log in to the
>> servers. UserNameSearchFilter will be used to search users (i.e.
>> authenticating users).
>>
>> In both parameters we used the value "cn". But what will happen if we
>> specify different values for the two parameters as below?
>>
>> <Property name="UserNameAttribute">sAMAccountName</Property>
>> <Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
>>
>> Though sAMAccountName is specified as the login name, the cn attribute
>> is still used when authenticating users. Users have to log in using the cn
>> values. However, UserNameAttribute was not considered when authenticating
>> users. I copied and pasted a part of the code (in WSO2 IS 4.5) that
>> executes when authenticating users below.
>>
>> String userSearchFilter =
>>     realmConfig.getUserStoreProperty(LDAPConstants.USER_NAME_SEARCH_FILTER);
>> userSearchFilter = userSearchFilter.replace("?", userName);
>>
>> This won't be a problem if the same attribute (cn/sAMAccountName) is used
>> in both parameters. Is it the expected way of configuring? If so, wouldn't
>> it be better if there were a way to specify the attribute in only one place
>> to reduce misconfiguration possibilities?
>> Is there any use case for specifying different attributes in the above
>> parameters?
>>
>> --
>> Udara Liyanage
>> Software Engineer
>> WSO2, Inc.: http://wso2.com
>> lean. enterprise. middleware
>>
>> web: http://udaraliyanage.wordpress.com
>> phone: +94 71 443 6897
>
> --
> Senior Software Engineer
>
> Mobile: +94 71 82 300 20

--
Senior Software Engineer
Mobile: +94 71 82 300 20
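As an added illustration (not code from this thread or from WSO2 Carbon), the Python script below reads the two properties discussed above from a constructed user-mgt.xml fragment, reports whether the attribute in the (attr=?) term of UserNameSearchFilter matches UserNameAttribute, and performs the "?" substitution quoted from the Carbon code with RFC 4515 escaping of the supplied value. The UserStoreManager wrapper element and all function names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the two user-mgt.xml properties discussed in the thread
# (not a real product file); the wrapping element is an assumption for parsing.
SAMPLE_CONFIG = """
<UserStoreManager>
  <Property name="UserNameAttribute">sAMAccountName</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
</UserStoreManager>
"""

def load_properties(xml_text: str) -> dict:
    """Map each <Property name="..."> element to its text value."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip() for p in root.iter("Property")}

def filter_attribute(search_filter: str) -> str:
    """Return the attribute whose value is the '?' placeholder, e.g. 'cn'."""
    m = re.search(r"\(([A-Za-z][\w\-.;]*)=\?\)", search_filter)
    if not m:
        raise ValueError("no (attr=?) term in UserNameSearchFilter")
    return m.group(1)

def check_consistency(props: dict) -> tuple:
    """Return (consistent, username_attr, filter_attr); LDAP names are case-insensitive."""
    name_attr = props["UserNameAttribute"]
    flt_attr = filter_attribute(props["UserNameSearchFilter"])
    return (name_attr.lower() == flt_attr.lower(), name_attr, flt_attr)

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' becomes '\2a'
        else:
            out.append(ch)
    return "".join(out)

def build_search_filter(search_filter: str, user_name: str) -> str:
    """Fill the single '?' placeholder as the quoted Carbon code does, with escaping."""
    return search_filter.replace("?", escape_filter_value(user_name), 1)

if __name__ == "__main__":
    props = load_properties(SAMPLE_CONFIG)
    ok, a, b = check_consistency(props)
    print("consistent" if ok else f"mismatch: UserNameAttribute={a}, filter uses {b}")
    print(build_search_filter(props["UserNameSearchFilter"], "udara"))
```

With the sample above the script reports the mismatch from Udara's mail (sAMAccountName versus cn), and switching either property to the other attribute makes it report "consistent".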
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
