Adds an option to enable sAMAccountname logins when upndomain is set
kwagga committed Dec 6, 2024
1 parent 8c4d3db commit 445cc34
Showing 2 changed files with 10 additions and 2 deletions.
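--- a/ldap/client.go
+++ b/ldap/client.go
@@ -719,8 +719,13 @@ func (c *Client) getUserDN(bindDN, username string) (string, error) {
 }
 var userDN string
 if c.conf.UPNDomain != "" {
-// Find the distinguished name for the user if userPrincipalName used for login
-filter := fmt.Sprintf("(userPrincipalName=%s@%s)", escapeValue(username), c.conf.UPNDomain)
+// Find the distinguished name for the user if userPrincipalName used for login, or sAMAccountName if enabled.
+var filter string
+if c.conf.EnableSamaccountnameLogin {
+filter = fmt.Sprintf("(|(userPrincipalName=%s@%s)(sAMAccountName=%s))", escapeValue(username), c.conf.UPNDomain, escapeValue(username))
+} else {
+filter = fmt.Sprintf("(userPrincipalName=%s@%s)", escapeValue(username), c.conf.UPNDomain)
+}
 result, err := c.conn.Search(&ldap.SearchRequest{
 BaseDN: c.conf.UserDN,
 Scope: ldap.ScopeWholeSubtree,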
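Review bot: With `EnableSamaccountnameLogin` set, the `(|(userPrincipalName=…)(sAMAccountName=…))` filter can match two different entries for one login name: one whose UPN is `name@UPNDomain` and another whose sAMAccountName is `name`. The search runs with `ldap.ScopeWholeSubtree` under `c.conf.UserDN`, and the code that consumes `result.Entries` lies outside this hunk, so it is not visible whether more than one entry is rejected. If it is not, the DN returned by `getUserDN` would depend on server result order; a guard such as `if len(result.Entries) > 1 { return "", fmt.Errorf("ambiguous LDAP match for %q", username) }` after the error check would make the lookup fail closed. A test with two entries matching the OR filter would pin that behaviour.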
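--- a/ldap/config.go
+++ b/ldap/config.go
@@ -230,6 +230,9 @@ type ClientConfig struct {
 // the pre 1.1.1 Vault behavior.
 // see: https://www.vaultproject.io/docs/upgrading/upgrade-to-1.1.1
 DeprecatedVaultPre111GroupCNBehavior *bool `json:"use_pre111_group_cn_behavior"`
+
+// EnableSamaccountnameLogin enables login with sAMAccountName in addition to UserPrincipalName when upndomain is set.
+EnableSamaccountnameLogin bool `json:"enable_samaccountname_login"`
 }
 
 func (c *ClientConfig) clone() (*ClientConfig, error) {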
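Review bot: The doc comment on `EnableSamaccountnameLogin` does not say that the option turns the user lookup into an OR across two attributes, which is what an operator needs to know before enabling it. Consider `// EnableSamaccountnameLogin, when true and UPNDomain is set, also matches the login name against sAMAccountName (OR with userPrincipalName). Defaults to false.` The field name also departs from Go initialism casing (`EnableSAMAccountNameLogin` would be the conventional spelling); the JSON key would stay the same either way.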
