I’m in the process of user mapping and would like to know if you can assist me. I’m using Shibboleth as the authentication method, and thus, I would like to map users through their email addresses. The emails have different domains, so I need to check if the email attempting to log in is present in the local LDAP database by verifying with ldapsearch. In other words, if ldapsearch returns the user’s uid, authenticate access, otherwise deny access.
I’m not familiar with Shibboleth, but I can say that user mapping happens on every single request so I’d advise against using a shell script or similar as it may bog down the system and/or add that much latency to every single request.
Here are the docs on user mapping. I know this may be impossible for you, but getting Shibboleth to just return a valid user id and using it directly is the best bet because that’s the fastest. If you do have to write a shell script, just be sure it’s as fast as it can possibly be, because again, it’ll get executed on every single request.
I have almost this exact setup for one of my deployments. You need to use the user_map shim.
```bash
#!/bin/bash
LOG=/var/log/ood_login_mapping.log
# Date stamp for log
TS=$(date '+[%Y-%m-%d %H:%M:%S]')
# This is important: the email arrives percent-encoded, so %40 has to become @
INPUT=$(printf '%s' "$1" | sed -r 's/(.*)%40/\1@/')
echo "$TS INPUT=$INPUT" >> "$LOG"
# I pull the username out for the ldap search but you could skip this
USERNAME=$(printf '%s' "$INPUT" | awk -F@ '{print $1}')
echo "$TS USERNAME=$USERNAME" >> "$LOG"
# At my site, I test to simply see if the username part of the email exists
if ldapsearch -x "uid=$USERNAME" | grep -q "uid: "; then
    echo "$TS Found User: $USERNAME" >> "$LOG"
    echo "$USERNAME" # send username back to ood
    exit 0
else
    # Exit 1 will send the user to the reject page
    echo "$TS User not found: $1,$INPUT,$USERNAME" >> "$LOG"
    exit 1
fi
```
Basically, for your setup, you can just extend the logic to just do more ldap foo so you can map emails to usernames.
Fwiw, when you echo 1 from the shim, you can actually set via map_fail_uri: /register in ood-portal.yml the URL that failures get redirected to. This could be a splash page or even just a simple HTML page that maybe redirects users.
For a few deployments, I actually do automatic user creation because policy for those sites dictates that as long as a user has an @this-site.edu email, they are kosher to have accounts. What I do in that more advanced shim is, if the user does not exist, I kick off a user creation script and exit 1, which redirects to a page that explains the account is being created, waits a little bit and then redirects back to the login, which then works automatically because their Shibboleth cookie is still a legitimate login.
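A hardened variant of that shim, written here as an added example (it is not the poster's script and not Open OnDemand's own code): it maps the Shibboleth e-mail address to a local uid through the LDAP `mail` attribute, which is the e-mail-to-username mapping the question asks for, percent-decodes the `%40` the thread mentions, checks the address against a conservative syntax and domain allowlist before it goes anywhere near the search filter, escapes LDAP filter metacharacters per RFC 4515 as a second line of defence, and bounds the directory lookup with a timeout so a slow server cannot stall every request. The LDAP URI, base DN and domain allowlist are placeholder assumptions; the log path can be overridden with the assumed `OOD_MAP_LOG` variable.

```bash
#!/bin/bash
# Added example, not the poster's shim or OOD's own code: a hardened
# user_map_cmd for Open OnDemand. LDAP_URI, LDAP_BASE and ALLOWED_DOMAINS
# are placeholder assumptions; adjust them for your site.
set -u

LOG=${OOD_MAP_LOG:-/var/log/ood_login_mapping.log}
LDAP_URI="ldap://ldap.example.edu"                  # placeholder
LDAP_BASE="ou=people,dc=example,dc=edu"             # placeholder
ALLOWED_DOMAINS="example.edu partner.example.org"   # placeholder; empty = any domain

# Append a time-stamped line to the log; a logging failure never changes the exit status.
log() {
    printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" 2>/dev/null >> "$LOG" || :
}

# Shibboleth hands REMOTE_USER over with the @ percent-encoded (user%40example.edu).
url_decode() {
    printf '%s' "$1" | sed 's/%40/@/g'
}

# Conservative syntax check: exactly one @, and only [A-Za-z0-9._+-] on either side.
valid_email() {
    case $1 in
        ''|*[!A-Za-z0-9._+@-]*) return 1 ;;
    esac
    case $1 in
        *@*@*) return 1 ;;
        ?*@?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the address's domain is on the allowlist (or the allowlist is empty).
domain_allowed() {
    local domain d
    domain=${1##*@}
    [ -z "$ALLOWED_DOMAINS" ] && return 0
    for d in $ALLOWED_DOMAINS; do
        [ "$domain" = "$d" ] && return 0
    done
    return 1
}

# RFC 4515 escaping of filter metacharacters, kept in case valid_email is ever relaxed:
# backslash goes first so the escapes it introduces are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Look the address up by its mail attribute and print the matching uid.
# -LLL trims the output; -l and -o nettimeout bound the cost of a slow directory.
map_email_to_uid() {
    local email uid
    email=$1
    valid_email "$email"    || { log "rejected malformed address: $email"; return 1; }
    domain_allowed "$email" || { log "rejected domain: $email"; return 1; }
    uid=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" -l 3 -o nettimeout=3 \
            "(mail=$(ldap_escape "$email"))" uid 2>/dev/null | awk '/^uid: /{print $2; exit}')
    [ -n "$uid" ] || { log "no LDAP entry for $email"; return 1; }
    log "mapped $email -> $uid"
    printf '%s\n' "$uid"
}

# OOD invokes the shim with the REMOTE_USER value as the only argument.
if [ $# -gt 0 ]; then
    if map_email_to_uid "$(url_decode "$1")"; then
        exit 0
    fi
    exit 1   # non-zero exit sends the browser to map_fail_uri
fi
```

The allowlist check runs before the directory is contacted, so malformed or off-domain addresses are rejected at the cost of a few string comparisons rather than a network round trip, which matters when the shim runs on every request; the per-request LDAP call is the one piece worth caching if latency becomes a problem.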