Skyhigh Security

Storing the Original User Name for Logging

The original user name can be stored for logging purposes.

When a user has been authenticated using the LDAP method, the value of the Authentication.Username property is set to the user's distinguished name. If the property is used for creating a log entry, the part of the log entry that identifies the user will look, for example, as follows:

CN=John Smith,CN=Users,DC=LDAP,DC=local

To let the log entry show the original user name, which might be jsmith, rather than the distinguished name, you can modify the rule set for LDAP authentication in a suitable manner.

Instead of having only a rule that authenticates a user under LDAP, the rule set should contain the following:

  • A rule that handles LDAP authentication for a user and stores the original user name in a User-Defined property
  • One or more rules that perform other LDAP-related activities, for example, retrieving information about the group that a user belongs to
  • A rule that restores the original user name as the value of the Authentication.Username property after all LDAP-related activities have been completed

Rule for authenticating a user and storing the user name

The following rule stores the original user name after authenticating the user. An event in this rule sets the value of a User-Defined property accordingly.

Name: Authenticate user and store user name
Criteria: Authentication.IsAuthenticated equals false AND Authentication.Authenticate<LDAP> equals true
Action: Continue
Event: Set User-Defined.UserName = List.OfString.ToString (Authentication.UserGroups, " ")

The user name is retrieved by querying the directory on the LDAP server for it. The settings of the Authentication.Authenticate property, which is responsible for authenticating the user, are configured so that the query returns this name.

When the query has been performed, the user name is stored as the value of the Authentication.UserGroups property. It is converted into a string using the List.OfString.ToString property.

NOTE: The original value of the converted property is a list of strings, because once all LDAP-related activities have been completed it might include not only the user name but also other pieces of information.

Rule for retrieving user group information

The following rule is an example for an additional LDAP-related activity. It retrieves information about the groups that a user belongs to.

Name: Get user group information
Criteria: Authentication.IsAuthenticated equals true AND Authentication.GetUserGroups<LDAP Group Lookup> does not contain "no-group"
Action: Continue

To identify the user, this rule still needs to know the user's distinguished name, so the original user name cannot yet be restored as the value of the Authentication.Username property.

NOTE: You must create different settings and configure them for the Authentication module (engine) to run and retrieve a value for the Authentication.GetUserGroups property.

The name of these settings might, for example, be LDAP Group Lookup, as in this sample rule.

Within these settings, the Map user to DN option must be disabled.

Rule for restoring the original user name

The following rule restores the original user name as the value of the Authentication.UserName property.

Name: Restore user name
Criteria: Authentication.Authenticate<LDAP> equals false
Action: Stop Rule Set
Event: Set Authentication.UserName = User-Defined.Authentication.Username

An event in this rule sets this property to the value of the User-Defined property that you created to store the original user name in a preceding rule. The distinguished name that has temporarily been the value of this property is overwritten.

When the original user name has been restored, the property can be used for logging purposes.
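The three rules above form one procedure whose order matters: the group lookup still needs the distinguished name, so the restore rule must run last. The following Python simulation is an added example, not Skyhigh code and not the rule engine's real implementation. It models only the properties the rule set touches, uses a constructed in-memory directory with a constructed password, and assumes that the user name attribute returned by the Authenticate settings is called sAMAccountName (the page does not name the attribute). It shows the log entry that results from the correct order and, for contrast, what happens when the restore rule runs before the group lookup.

```python
"""Simulation of the three-rule LDAP rule set (added example, not Skyhigh code)."""

from dataclasses import dataclass, field

# Constructed sample directory keyed by distinguished name. The attribute name
# "sAMAccountName" and the password are assumptions for this example only.
SAMPLE_DIRECTORY = {
    "CN=John Smith,CN=Users,DC=LDAP,DC=local": {
        "sAMAccountName": "jsmith",
        "password": "correct-horse",
        "groups": ["Sales", "VPN-Users"],
    },
}


@dataclass
class Properties:
    """The engine properties that the rule set reads and writes."""
    username: str                                     # Authentication.Username
    is_authenticated: bool = False                    # Authentication.IsAuthenticated
    user_groups: list = field(default_factory=list)   # Authentication.UserGroups
    user_defined: dict = field(default_factory=dict)  # User-Defined.*


def _bind(login, password):
    """Stand-in for the LDAP bind: map the login name to its DN and check the password."""
    for dn, entry in SAMPLE_DIRECTORY.items():
        if entry["sAMAccountName"] == login and entry["password"] == password:
            return dn, entry
    return None, None


def rule_authenticate_and_store(p, password):
    """Rule 1. Criteria: IsAuthenticated equals false AND Authenticate<LDAP> equals true.
    On success the engine replaces Username with the DN and, because the Authenticate
    settings are configured to return the user name, fills UserGroups with it.
    Event: Set User-Defined.UserName = List.OfString.ToString(UserGroups, " ")."""
    if p.is_authenticated:
        return False
    dn, entry = _bind(p.username, password)
    if dn is None:
        return False
    p.username = dn
    p.is_authenticated = True
    p.user_groups = [entry["sAMAccountName"]]
    p.user_defined["UserName"] = " ".join(p.user_groups)
    return True


def rule_get_user_groups(p):
    """Rule 2. Criteria: IsAuthenticated equals true AND GetUserGroups<LDAP Group Lookup>
    does not contain "no-group". With "Map user to DN" disabled the lookup is keyed by
    the DN, so it only succeeds while Username still holds the DN."""
    if not p.is_authenticated:
        return False
    entry = SAMPLE_DIRECTORY.get(p.username)
    groups = entry["groups"] if entry else ["no-group"]
    if "no-group" in groups:
        return False
    p.user_groups = list(groups)
    return True


def rule_restore_user_name(p):
    """Rule 3. Event: Set Authentication.Username = stored User-Defined value;
    Action: Stop Rule Set. The criterion is approximated here as 'authentication done'."""
    if not p.is_authenticated or "UserName" not in p.user_defined:
        return False
    p.username = p.user_defined["UserName"]
    return True


def run_rule_set(login, password, restore_before_lookup=False):
    """Run the rules in order and return the final properties.
    restore_before_lookup=True is the wrong order, included to show the failure."""
    p = Properties(username=login)
    rule_authenticate_and_store(p, password)
    if restore_before_lookup:
        rule_restore_user_name(p)
        rule_get_user_groups(p)
    else:
        rule_get_user_groups(p)
        rule_restore_user_name(p)
    return p


def log_entry(p):
    """The part of a log entry that identifies the user, plus the groups found."""
    return f"user={p.username} groups={','.join(p.user_groups)}"


if __name__ == "__main__":
    print(log_entry(run_rule_set("jsmith", "correct-horse")))
    print(log_entry(run_rule_set("jsmith", "correct-horse", restore_before_lookup=True)))
```

With the correct order the log line identifies the user as jsmith and lists the groups from the directory. With the restore rule moved ahead of the group lookup, Username no longer holds the DN when the lookup runs, so the lookup finds nothing and the groups are lost.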
