Page MenuHomePhabricator
Create Task
Maniphest T11716

External Auth source should be able to lock username and real name attributes when adding a user
Closed, DuplicatePublic
Actions

Description

At my company we use a central single authentication source which is backed by ldap. The usernames are the same across all our systems. This is important because it allows for automation of certain tasks/jobs/etc based on the users role which is mapped by these unique usernames. I am unable to implement some automation against phabricator because some users decided to use a different username on phabricator (theres may be too long or cumbersome to type) from what their "external account" username is.

Related Objects

Event Timeline

jcarrillo7 created this task.Sep 30 2016, 8:14 AM
jcarrillo7 updated the task description. (Show Details)Sep 30 2016, 8:34 AM
chad added a subscriber: chad.Sep 30 2016, 4:39 PM

This doesn't really describe a root problem, see Describing Root Problems. This information is required, so that we may group multiple requests with similar or related problems.

jcarrillo7 updated the task description. (Show Details)Sep 30 2016, 4:57 PM

@chad I updated the description. I hope this is more of a root problem.

chad added a comment.Sep 30 2016, 5:04 PM

some users decided to use a different username on phabricator

How did they change their username?

chad added a comment.Sep 30 2016, 5:06 PM

I think you can lock this yourself now by using your own AuthAdapter.

jcarrillo7 added a comment.Sep 30 2016, 5:09 PM
In T11716#196493, @chad wrote:

some users decided to use a different username on phabricator

How did they change their username?

They didn't change it but when they first logged in with their LDAP, phabricator shows the new account form repopulated with attributes from ldap but you are free to chang those. The underlying external account still remains connected fine but now the username is not the same.

jcarrillo7 added a comment.Sep 30 2016, 5:11 PM
In T11716#196494, @chad wrote:

I think you can lock this yourself now by using your own AuthAdapter.

This wouldnt fix the issue though right? Does the Auth provider own the flow and UI views shown during registration?

chad added a comment.Sep 30 2016, 5:14 PM

PhabricatorRegistrationProfile is what you want, you can lock email, username, and real name.

chad added a comment.Sep 30 2016, 5:16 PM

actually, maybe can be done with an EventHandler, I'm reading the code here:

https://secure.phabricator.com/diffusion/P/browse/master/src/applications/auth/controller/PhabricatorAuthRegisterController.php;46f11a2450f90bcc58218360597906aa0eba88f0$142-152

chad closed this task as a duplicate of T10700: Disable a Username change for the Registration via a Provider.Sep 30 2016, 5:18 PM
epriestley mentioned this in D20110: Remove the highly suspect "Import from LDAP" workflow.Feb 7 2019, 8:12 PM
Phabricator · Built by Phacility