Change Authentication UID to MAIL for Data imported from LDAP


This topic has 6 replies, 2 voices, and was last updated 5 years, 2 months ago by Firos.

    #11805
     Firos
    Participant

    I have imported user store from LDAP to OpenDJ.

    Example entries:
    {
        "uid": "tester",
        "cn": "tester",
        "sn": "ER",
        "mail": "[email protected]",
        "givenname": "Test",
        ……………
        ……………
    }

    In LDAP the authentication field was "mail".

    To enable login using "mail" I have changed the "Authentication" and "Search" attributes to "mail" in OpenAM -> DataStore settings. And the authentication mechanism is working successfully.

    I can add new users. Instead of being listed using uid, these new users are shown listed using the mail attribute when checking the OpenDJ entry with the Directory Studio UI.

    When I try to add new users to a group it doesn't allow it and shows an error. But it allows adding old users, who seem to be listed using the mail attribute.

    I added some users to groups using uid. Created a policy which permits these group members. When the API executes it fails. It succeeds if I change the authentication and search attribute to uid.

    One solution is to change all LDAP UIDs to mail IDs; the difficulty is that there are around 500 entries and these UIDs may be used in some other places by the application.

    What is the solution?

    #11863
     Peter Major
    Moderator

    The authentication naming attribute in the data store configuration should *always* be the attribute that is used as the RDN.

    You could've just configured your LDAP module to search for users using both uid and mail, and then always return "mail" to the data store, and then in the data store you would have configured "mail" as the search attribute.

    #11933
     Firos
    Participant

    Peter,

    I changed the user search attribute to "mail" in OpenAM. Then login shows the error message "User Requires Profile to Login".
    The reason may be that I haven't gone through all the steps you mentioned.

    I am not sure how to do the steps specified in your reply, i.e. "You could've just configured your LDAP module to search for users using both uid and mail, and then always return "mail" to the data store".

    So how do I configure the OpenDJ module to search for users using both uid and mail, and then always return "mail" to the data store?

    I am using the "DataStore" module, not the "LDAP" module.

    • This reply was modified 5 years, 2 months ago by Firos.
    #11952
     Firos
    Participant

    Thanks Peter, got it, and it is working using the LDAP module.

    #11963
     Firos
    Participant

    Peter,

    It's working with the LDAP module alone in the chain.

    But it shows "Authentication Failed" when adding OATH to the chain. It successfully accepts mail as the user id and password at the first level, then shows the "Authentication Failed" message after entering the TOTP.

    It's working with uid if I set "LDAP Users Search Attribute=uid" in the DataStore.
    It's working with mail if I set "LDAP Users Search Attribute=mail" in the DataStore.
    It doesn't accept uid/mail together as options in login.

    OATH is working fine with the DataStore module and uid/mail as the user id.

    What's the issue?

    • This reply was modified 5 years, 2 months ago by Firos.
    #11992
     Firos
    Participant

    The issue is:
    The LDAP module is able to perform authentication using UID/email.
    But the OATH module is not, i.e. the OATH module works based on "LDAP Users Search Attribute" in the DataStore.

    If I set "LDAP Users Search Attribute=mail" in the DataStore, the OATH module output is success if I input "mail" as the username; if I input "uid" the OATH module fails (LDAP module output is success).
    I can see this error in the debug/Authentication file:
    ERROR: OATH.getIdentity: error searching Identities with username : test
    Message:OATH.getIdentity : User test is not found

    I think the OATH module is not able to search using "uid" if I set "LDAP Users Search Attribute=mail" in the DataStore.

    Any solution please...
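The following Python model is an added illustration and is not code from this thread, from OpenAM or from ForgeRock. It puts side by side the two lookups that Peter's reply (#11863) and the OATH failure above (#11992) turn on: an LDAP-module style search that accepts either uid or mail and always hands back the mail value as the principal, and a data-store style lookup that consults only its single configured search attribute, which is why a uid offered to a data-store lookup configured on mail comes back "not found". The directory entries, attribute names and function names are constructed for the example; that the second module in a chain looks up the principal the first module returned is an assumption of the model, not something the thread confirms. It also shows RFC 4515 escaping of the typed username, since a search filter built from user input should never let that input alter the filter's structure.

```python
# Added example (not from the thread or from ForgeRock): models the difference
# between an LDAP-module lookup that searches on uid OR mail and returns mail as
# the principal, and a data-store lookup that only searches one attribute.

# Constructed sample entries in the shape of the OpenDJ entries in the thread.
DIRECTORY = [
    {"dn": "uid=tester,ou=people,dc=example,dc=com",
     "uid": "tester", "cn": "tester", "sn": "ER", "mail": "tester@example.com"},
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "uid": "alice", "cn": "Alice", "sn": "Smith", "mail": "alice@example.com"},
]


def escape_filter_value(value):
    """RFC 4515 escaping: a typed username must not be able to change the
    structure of the search filter (e.g. a '*' or ')' supplied by the caller)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(username, search_attrs):
    """The filter an LDAP module would send when configured to search on
    several attributes, e.g. (|(uid=bob)(mail=bob))."""
    escaped = escape_filter_value(username)
    clauses = "".join("(%s=%s)" % (attr, escaped) for attr in search_attrs)
    return "(|%s)" % clauses if len(search_attrs) > 1 else clauses


def _matches(entry, attr, value):
    # Values are compared case-insensitively, as a caseIgnoreMatch rule on
    # uid/mail would do in the directory.
    return entry.get(attr, "").lower() == value.lower()


def resolve_user(directory, username, search_attrs, naming_attr):
    """LDAP-module style lookup: accept a match on any of search_attrs and
    return the value of naming_attr as the principal. Fails closed (None)
    when the search finds nothing or more than one entry."""
    hits = [e for e in directory
            if any(_matches(e, a, username) for a in search_attrs)]
    if len(hits) != 1:
        return None
    return hits[0].get(naming_attr)


def data_store_lookup(directory, principal, search_attr):
    """Data-store style lookup: only the single configured search attribute
    is consulted, so a uid offered when search_attr is 'mail' is not found."""
    hits = [e for e in directory if _matches(e, search_attr, principal)]
    return hits[0] if len(hits) == 1 else None


def chain_login(directory, username, data_store_search_attr):
    """Model of a two-module chain: the LDAP module resolves the typed name to
    the mail principal; the second module then asks the data store for that
    principal (assumption: it uses the principal the first module returned).
    Returns the resolved mail on success, None on failure."""
    principal = resolve_user(directory, username, ["uid", "mail"], "mail")
    if principal is None:
        return None
    entry = data_store_lookup(directory, principal, data_store_search_attr)
    return entry["mail"] if entry else None


if __name__ == "__main__":
    print(build_search_filter("tester", ["uid", "mail"]))
    for name in ("tester", "tester@example.com"):
        print(name, "->", chain_login(DIRECTORY, name, "mail"),
              "| data store on uid:", chain_login(DIRECTORY, name, "uid"))
```

Run as written, the chain succeeds for both "tester" and "tester@example.com" when the data store searches on mail, because the LDAP-module step has already normalised the name to the mail value; the same two logins fail when the data store is left searching on uid, which is the mismatch Peter's reply warns about (the naming attribute handed on must be the attribute the data store searches). Calling data_store_lookup directly with the raw uid and a mail search attribute returns None, the "User test is not found" situation from the OATH debug log.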

    #12018
     Firos
    Participant

    Also it's not working with "ForgeRock Authenticator (OATH)" in Multi-Factor Authentication.


©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
