Help with user mapping

Hi!

I’m in the process of user mapping and would like to know if you can assist me. I’m using Shibboleth as the authentication method, and thus, I would like to map users through their email addresses. The emails have different domains, so I need to check if the email attempting to log in is present in the local LDAP database by verifying with ldapsearch. In other words, if ldapsearch returns the user’s uid, authenticate access, otherwise deny access.

Thanks,
Nícolas

I’m not familiar with Shibboleth, but I can say that user mapping happens on every single request so I’d advise against using a shell script or similar as it may bog down the system and/or add that much latency to every single request.

Here are the docs on user mapping. I know this may be impossible for you, but getting Shibboleth to just return a valid user id and using it directly is the best bet because that’s the fastest. If you do have to write a shell script, just be sure it’s as fast as it can possibly be, because again, it’ll get executed on every single request.

https://osc.github.io/ood-documentation/latest/authentication/overview/map-user.html?#setup-user-mapping

1 Like

I have almost this exact setup for one of my deployments. You need to use the user_map shim.

#!/bin/bash

LOG=/var/log/ood_login_mapping.log

#Date stamp for log
TS=$(date +[%Y-%m-%d\ %H:%M:%S])


# This is important as the email comes in at HTML (I think) encoded 
INPUT=$(echo $1 | sed -r 's/(.*)%40/\1@/')

echo "$TS INPUT=$INPUT" >> $LOG

# I pull the username out for the ldap search but you could skip this
USERNAME=$(echo $INPUT | awk -F@ '{print $1}')
echo "$TS USERNAME=$USERNAME" >> $LOG

# At my site, I test to simply see if the username part of the email exists
LDAPSEARCH=$(ldapsearch -x "uid=$USERNAME" | grep "uid: ")

if [ $? -eq 0  ]; then
	echo "$TS Found User: $USERNAME" >> $LOG
	echo $USERNAME #send username back to ood
	exit 0	

else

#Exit one will send the user to the reject page
       echo "$TS Creating user: $1,$INPUT,$USERNAME" >> $LOG
	exit 1
fi 
echo "" > $LOG

Basically, for your setup, you can just extend the logic to just do more ldap foo so you can map emails to usernames.

1 Like

Hello Jeff and Morgan.

Thank you very much for your assistance!

Adapting Morgan’s template script resolved the mapping issue.

Once again, thank you very much!

Fwiw, when you echo 1 from the shim, you can actually set via map_fail_uri: /register in ood-portal.yml the url that fails get redirected to. This could be a splash page or even just a simple HTML that maybe redirects users.

For a few deployents, I actually do automatic user creation because policy for those sites dictates that as long as a user has an @this-site.edu email, they are kosher to have accounts. What I do in that more advanced shim is if the user does not exist, I kick off a user creation script and exit 1 which redirects to a page that explains the account is being created, waits a little bit and then redirects back to the login then works automatically because their shibboleth cookie still is still a legitimate login.

1 Like

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.