BFI Using LDAP - UPN

Our BFI (Version: 9.2.6.0-20161213-1237) uses LDAP for authentication to AD. In our case, our UPN differs from our Email address (and users don’t know what a UPN is). Is there any way to include the @UPN portion behind the scenes so that users can just login with their username, the same as they do for all of our company websites?


The portion after ‘@’ should simply be the domain name where the user is registered, which is most probably the same as the AD server’s domain.

The BigFix server simply uses the LDAP protocol, so it simply reads what is retrieved from the AD server.

I don’t know if it might help, but anyway you can try adding a custom UPN suffix on the Active Directory Server:

  • Open Active Directory Domains and Trusts
  • Right Click on “Active Directory Domains and Trusts” -> Properties
  • Put the alternative UPN suffix here.

Then to change the UPN of all users take a look here:

Thanks for the suggestion. BFI differs in that it uses the UPN, which in our case does not match the users’ email domain. Web Reports, however, doesn’t seem to use UPN and users are able to log on with just their username. Both use LDAP but BFI differs.


Let me try to get someone from dev/support to answer

This was a change put in about a year and a half ago. A change I never understood - no other product I’ve encountered that does LDAP/AD based authentication has ever been hard-coded to use UPN and not allow the user to specify an alternative (such as SamAccountName or email address - the standards everywhere else.)

I’ve created PMR 52942 227 000 to address this. Let’s see how long this takes. I’ll post any helpful information should there be any.

When you add a Directory Server using a predefined configuration (e.g. you select “Microsoft Active Directory” in the “LDAP Server*” combo box), the other configuration fields are not editable, but you can create your own custom setup by selecting “Other” as “LDAP Server*”. It gives you the possibility to use “SamAccountName” as “Login Attribute*”.

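As an added example (not BigFix Inventory or IBM code), here is a small search-then-bind resolver that models the two configurations discussed above: the predefined “Microsoft Active Directory” profile, which only accepts a userPrincipalName, and an “Other” profile whose login attribute can be set to sAMAccountName. The directory entries, profile names and the `resolve_bind_dn` helper are constructed for illustration; the third entry shows why a bare sAMAccountName can be ambiguous across domains of one forest while the UPN stays unique.

```python
"""Search-then-bind login resolution with a configurable login attribute.

Added example, not product code. Given a login name, look up the matching
user object by the configured attribute and return the DN that the
application would then bind as with the user's password.
"""

# Constructed sample of the attributes AD returns for user objects.
# The third entry lives in a child domain and reuses the sAMAccountName
# "jdoe": sAMAccountName is only unique per domain, the UPN is forest-wide.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Users,DC=corp,DC=local",
     "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.local",
     "mail": "jane.doe@example.com"},
    {"dn": "CN=John Doe,OU=Users,DC=corp,DC=local",
     "sAMAccountName": "johnd",
     "userPrincipalName": "johnd@corp.local",
     "mail": "john.doe@example.com"},
    {"dn": "CN=Jan Doe,OU=Users,DC=eu,DC=corp,DC=local",
     "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@eu.corp.local",
     "mail": "jan.doe@example.com"},
]

# Hypothetical profile table: the predefined AD profile pins the attribute,
# the "Other" profile lets the administrator choose it.
LOGIN_ATTRIBUTE = {
    "Microsoft Active Directory": "userPrincipalName",
    "Other": None,
}


def resolve_bind_dn(directory, profile, login_name, custom_attr=None):
    """Return the DN to bind as, or None if the login cannot be mapped.

    Comparison is case-insensitive (AD treats both attributes that way).
    A lookup that matches more than one entry is rejected instead of
    returning the first hit: binding as "whichever user matched" is the
    classic search-then-bind mistake.
    """
    attr = LOGIN_ATTRIBUTE[profile] or custom_attr
    if attr is None:
        raise ValueError("profile 'Other' needs an explicit login attribute")
    wanted = login_name.strip().lower()
    matches = [e["dn"] for e in directory if e.get(attr, "").lower() == wanted]
    return matches[0] if len(matches) == 1 else None
```

With the predefined profile a bare username never resolves, which is the behaviour the thread reports; with the “Other” profile and sAMAccountName it does, except where the short name is shared by two domains.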

Thanks. I’ll look into that. My PMR didn’t help. IBM said this is a “security feature” and isn’t configurable.