Enable domain-less sAMAccountName in LdapAdapter #61824


Open
kiwiwings opened this issue May 7, 2025 · 3 comments
Labels: area-security, Needs: Attention 👋

Comments

@kiwiwings

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

The LdapAdapter class is using the full down-level logon name to do LDAP queries.

In our Active Directory the sAMAccountName doesn't contain the domain, and hence the lookup fails.
I found definitions which say it's a must to contain the domain name, and vice versa.

Describe the solution you'd like

Would it be possible to introduce an option to change the behavior of LdapAdapter to omit the domain name on the LDAP lookup?

Additional context

No response
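As an added illustration (not code from the aspnetcore repository), the snippet below contrasts the two lookup behaviours the report describes, assuming a filter of the shape `(&(objectClass=user)(sAMAccountName=...))`, a hypothetical `strip_domain` switch standing in for the requested option, and a constructed directory whose sAMAccountName values carry no domain. The RFC 4515 escaping makes the point visible: the backslash in a down-level name is a literal part of the filter value, so the full name can never match a domain-less entry, and any option that rewrites the name must still escape what it puts into the filter.

```python
from typing import Optional

# RFC 4515 says these characters must be hex-escaped inside an LDAP filter value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def account_name(logon_name: str, strip_domain: bool) -> str:
    """Return the string that will be matched against sAMAccountName.

    strip_domain=False keeps the full logon name, which is the behaviour the
    issue reports. strip_domain=True drops a NetBIOS "DOMAIN\\" prefix or a
    UPN "@suffix"; the switch is hypothetical and models the requested option.
    """
    if not strip_domain:
        return logon_name
    _domain, sep, user = logon_name.partition("\\")
    if sep:
        return user
    user, _sep, _suffix = logon_name.partition("@")
    return user


def build_filter(logon_name: str, strip_domain: bool) -> str:
    """Build the search filter; the filter shape is an assumption of this example."""
    value = escape_filter_value(account_name(logon_name, strip_domain))
    return f"(&(objectClass=user)(sAMAccountName={value}))"


# Constructed stand-in for the reporter's directory: sAMAccountName values
# carry no domain prefix, as described in the issue.
SAMPLE_DIRECTORY = {"jdoe": "CN=Jane Doe,OU=Users,DC=corp,DC=example"}


def lookup_dn(logon_name: str, strip_domain: bool) -> Optional[str]:
    """Simulate the server-side equality match that the filter above expresses."""
    return SAMPLE_DIRECTORY.get(account_name(logon_name, strip_domain))


if __name__ == "__main__":
    for name, strip in (("CORP\\jdoe", False), ("CORP\\jdoe", True), ("jdoe@corp.example", True)):
        print(build_filter(name, strip), "->", lookup_dn(name, strip))
```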

@github-actions github-actions bot added the needs-area-label label May 7, 2025
@martincostello martincostello added area-security and removed needs-area-label labels May 7, 2025
@MackinnonBuck (Member)

@kiwiwings, why doesn't sAMAccountName contain the domain name? How common is this? I'm not an LDAP expert.

@MackinnonBuck MackinnonBuck added the Needs: Author Feedback label May 12, 2025
@kiwiwings (Author)

@MackinnonBuck I can only guess: because our AD tree dates back to 2004, and my second link in the description points out that the backslash shouldn't be part of the sAMAccountName when dealing with old Windows versions.

I can't give you statistics on how often this is the case, but converting the AD entries is also not happening soon.

@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 and removed Needs: Author Feedback labels May 13, 2025
@MackinnonBuck (Member)

Thanks for the clarification, @kiwiwings. We're going to move this issue to the backlog to determine its impact.

@MackinnonBuck MackinnonBuck added this to the Backlog milestone May 14, 2025