mirror of
https://github.com/nextcloud/documentation.git
synced 2026-01-03 10:20:02 +07:00
Add small section on UID considerations
@felixboehm @MorrisJobke @bboule @tariqsiddiqui As discussed in the consulting call we should document the implications of choosing one attribute over another as the uid. Comments welcome. Let us discuss other options such as [GSSAPI](https://de.wikipedia.org/wiki/GSSAPI) in Berlin. @carlaschroder I did not yet add any mode switching details because this is a different topic.
@@ -278,6 +278,25 @@ The session timeout can be overridden in the service provider, but this
requires a source code change of the Apache Shibboleth module. A patch can be
provided by the ownCloud support team.
UID Considerations and windows_network_drive compatability
----------------------------------------------------------
When using user_shibboleth in SSO only mode together with user_ldap both apps need to resolve to the same uid. user_shibboleth will do the authentication and user_ldap will provide user details such as email and displayname. In the case of Active Directory multiple attributes can be used as the uid. But they all have different implications to take into account:
+------------+-------------------------+------------------------------+--------------------+
| attribute | example | uniqueness | other implications |
+------------+-------------------------+------------------------------+--------------------+
| `sAMAccountName` | `jfd` | domain local, might change on eg. marriage | works with windows_network_drive app |
| `userPrincipalName` | `jfd@owncloud.com` | forest local, might change on eg. marriage | TODO check WND compatability |
| `objectSid` | `S-1-5-21-2611707862-2219215769-354220275-1137` | domain local, changes when the user is moved to a new domain | incompatible with windows_network_drive app |
| `sIDHistory` | multi value | contains previous objectSIDs | incompatible with windows_network_drive app |
| `objectGUID` | `47AB881D-0655-414D-982F-02998C905A28` | globally unique | incompatible with windows_network_drive app |
+------------+-------------------------+------------------------------+--------------------+
Keep in mind that oc will derive the home folder from the uid, unless a home folder naming rule is in place. The only truly stable attribute is the objectGUID, so that should be used. If not for the uid then at least as the home folder naming rule. The tradeoff here is that if you want to use windows_network_drive you are bound to the sAMAccountName as that is used as the login.
Also be aware that using user_shibboleth in Autoprovisioning mode will not allow you to use SSO for your user_ldap users because uid collisions will be detected by user_ldap.
.. _native Apache integration:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
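Review bot: the grid table in this hunk will not build: its `+------------+` border rows are much narrower than the cell rows below them (e.g. the `objectSid` row), and docutils requires the `+` and `|` of a grid table to sit in the same columns on every line, so Sphinx will report a malformed table and drop the section. Either pad the borders and cells to common widths or switch to a `list-table` directive, which avoids the alignment problem entirely. In the same table, single backticks such as `sAMAccountName` are RST interpreted text, not literals; use double backticks (``sAMAccountName``) for attribute names and sample values. The cell `TODO check WND compatability` should be resolved or removed before merge rather than shipped to users. Also fix the spelling of "compatability" in the new heading and in that cell, expand "oc" to the product name in the paragraph below the table, and write "e.g." instead of "eg.".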