
External Auth source should be able to lock username and real name attributes when adding a user
Closed, Duplicate | Public

Description

At my company we use a central single authentication source which is backed by LDAP. The usernames are the same across all our systems. This is important because it allows for automation of certain tasks/jobs/etc. based on the user's role, which is mapped by these unique usernames. I am unable to implement some automation against Phabricator because some users decided to use a different username on Phabricator (theirs may be too long or cumbersome to type) from what their "external account" username is.

Event Timeline

jcarrillo7 updated the task description. Sep 30 2016, 8:34 AM
chad added a subscriber: chad. Sep 30 2016, 4:39 PM

This doesn't really describe a root problem, see Describing Root Problems. This information is required, so that we may group multiple requests with similar or related problems.

jcarrillo7 updated the task description. Sep 30 2016, 4:57 PM

@chad I updated the description. I hope this is more of a root problem.

chad added a comment. Sep 30 2016, 5:04 PM

> some users decided to use a different username on phabricator

How did they change their username?

chad added a comment. Sep 30 2016, 5:06 PM

I think you can lock this yourself now by using your own AuthAdapter.

In T11716#196493, @chad wrote:

>> some users decided to use a different username on phabricator
>
> How did they change their username?

They didn't change it, but when they first logged in with their LDAP, Phabricator shows the new account form repopulated with attributes from LDAP but you are free to change those. The underlying external account still remains connected fine but now the username is not the same.

In T11716#196494, @chad wrote:

> I think you can lock this yourself now by using your own AuthAdapter.

This wouldn't fix the issue though, right? Does the Auth provider own the flow and UI views shown during registration?

chad added a comment. Sep 30 2016, 5:14 PM

PhabricatorRegistrationProfile is what you want, you can lock email, username, and real name.