Feature Wiki

Information about planned and released features

Tabs

Supporting Octet-String in LDAP

Page Overview

1 Initial Problem
2 Conceptual Summary
3 User Interface Modifications
- 3.1 3.1 List of Affected Views
- 3.2 3.2 User Interface Details
- 3.3 3.3 New User Interface Concepts
- 3.4 3.4 Accessibility Implications
4 Technical Information
5 Privacy
6 Security
7 Contact
8 Funding
9 Discussion
10 Implementation

1 Initial Problem

Assuming ILIAS is connected to an active directory and LDAP Auth uses the unique value of the AD attribute ObjectGUID ("objectguid") for binding ILIAS users to the active directory. Since the value of ObjectGUID is an octet-string it can't be properly displayed or searched for.

Example: [objectguid] => i▒_▒}▒{I▒* ݔ5▒▒

Microsoft AD supports octet-string format

2 Conceptual Summary

The octet-string value of the AD attribute ObjectGUID should be converted to a human-readable (and by extension ilias-readable) hex-based string form, for example: 90395F191AB51B4A9E9686C66CB18D11 or 90395F19-1AB5-1B4A-9E96-86C66CB18D11 .

There are other octet-string attributes, e.g. "ObjectSid", or there could be custom octet-string attributes, e.g. "myIdentityID", meaning it should also be possible to choose freely which attributes have to be converted to a human-readable form.

Additionaly, using these values for user binding creates another problem: the way LDAP is implemented in ILIAS, the attribute used to bind user accounts to the AD is the same value that the user has to use to login, which means using ObjectGUID for binding would not be all that practical unless you can keep logging in using something else (currently "Attribute for Login Name").

That's why we propose to:

First: add an additional field that allows to match ILIAS and AD the way it is done in SAML.

Second: allow choosing which attributes have to be converted.

When user tries to login the desired behaviour would be:

User enters his LDAP-Username (or whatever was specified in the "Attribute for Login Name" field) in ILIAS Login-Form
IF an additional matching field is set to 'ObjectGUID' (or some other field name): ILIAS matches it with whatever was entered and uses the GUID to check for correct credentials
IF NOT the behaviour stays the same it is right now

3 User Interface Modifications

3.1 3.1 List of Affected Views

Administration => Authentication and Registration => LDAP ( Services / LDAP / ilLDAPSettingsGUI )

3.2 3.2 User Interface Details

Two optional fields have to be added:

1) "Unique Attribute for User Account matching" which is a simple input-field.
I would place it inside "Authentication Settings":

2) "Binary Attributes", or "Octet-String Attributes" which is a field-group you can expand with +/-
I would place it inside "User Synchronisation Settings":

Obviously, both fields would also need to have an additional help-block that explains what they mean.

3.3 3.3 New User Interface Concepts

{ If the proposal introduces any completely new user interface elements, you might consult UI Kitchen Sink in order to find the necessary information to propose new UI-Concepts. Note that any maintainer might gladly assist you with this. }

3.4 3.4 Accessibility Implications

{ If the proposal contains potential accessibility issues that are neither covered by existing UI components nor clarified by guidelines, please list them here. For every potential issue please either propose a solution or write down a short risk assessment about potential fallout if there would be no solution for the issue. }

4 Technical Information

{ The maintainer has to provide necessary technical information, e.g. dependencies on other ILIAS components, necessary modifications in general services/architecture, potential security or performance issues. }

5 Privacy

{ Please list all personal data that will need to be stored or processed to implement this feature. For each date give a short explanation why it is necessary to use that date. }

6 Security

{ Does the feature include any special security relevant changes, e.g. the introducion of new endpoints or other new possible attack vectors. If yes, please explain these implications and include a commitment to deliver a written security concept as part of the feature development. This concept will need an additional approvement by the JourFixe. }

7 Contact

Author of the Request: Hartwig, Alex [hartwig@qualitus.de]
Maintainer: Seeland, Per Pascal [PerPascalSeeland], Jansen, Michael [mjansen]
Implementation of the feature is done by: {The maintainer must add the name of the implementing developer.}

8 Funding

Qualitus

9 Discussion

10 Implementation

{ The maintainer has to give a description of the final implementation and add screenshots if possible. }

Test Cases

Test cases completed at {date} by {user}

{Test case number linked to Testrail} : {test case title}

Privacy

Information in privacy.md of component: updated on {date} by {user} | no change required

Approval

Approved at {date} by {user}.

Last edited: 21. Jun 2024, 13:09, Hartwig, Alex [hartwig@qualitus.de]