I was just wondering. I have my users based on my LDAP FreeIPA server now. I just have a development environment for this. My own user account is local so no worries.
Now, when I set up my SAML with Authentik, the log shows this entry, where my user provider (LDAP in this case) is checked for whether a user with that email exists (since the email is the Name ID):
"message":"getUsers: Options: search email@mail.com limit offset Filter: (&(memberOf=CN=cloud,cn=groups,cn=accounts,DC=domain,DC=com)(displayname=)(|(displayname=email@mail.com)(displayname=email@mail.com)))
Which basically means it is searching based on displayname. I don’t know where it gets this, but as a consequence, users logging in with my Authentik SAML provider actually get a new account with the exact same details.
I’m certain I’m going to drop the integrated LDAP anyway, since Authentik integrates it as well, but I was just wondering. Maybe I missed some setting? Maybe this is some default behaviour?
In my case, I actually set the unique UIDs in Nextcloud to something custom (Firstname_Lastname), so that was already my first mistake. But I don’t know if that’s why, because I simply cannot grasp why it would want to search based on something as unspecific as Display Name.
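To make the effect of the logged filter concrete, here is an added example that is not code from the original post and not Nextcloud's or Authentik's own code. It rebuilds the shape of the logged getUsers filter (group membership AND an OR over the configured search attributes; the empty `(displayname=)` clause from the log is left out), evaluates it against a few constructed directory entries, and shows why a search keyed on `displayname` finds nobody when the Name ID is an email address while the same search keyed on `mail` does. The filter template, the attribute names `mail`/`displayname`/`memberOf`, and the directory entries are assumptions made for the illustration; the only value taken from the post is the group DN. The value escaping follows RFC 4515, which is the check you want whenever an externally supplied Name ID is interpolated into an LDAP filter.

```python
import re

# Group DN copied from the logged filter; the directory entries further down
# are constructed sample data for this example.
GROUP_DN = "CN=cloud,cn=groups,cn=accounts,DC=domain,DC=com"


def escape_filter_value(value):
    """RFC 4515 escaping: a Name ID such as '*)(uid=*' must stay a literal value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value (\\XX hex escapes back to characters)."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_user_search_filter(term, search_attrs, group_dn=GROUP_DN):
    """Assumed template shaped like the logged filter: membership in the
    configured group AND an OR over each configured search attribute."""
    term = escape_filter_value(term)
    alternatives = "".join("(%s=%s)" % (attr, term) for attr in search_attrs)
    return "(&(memberOf=%s)(|%s))" % (group_dn, alternatives)


def parse_filter(text):
    """Parse the subset needed here: (&...), (|...) and (attr=value) equality."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        # A raw ')' cannot occur inside an escaped value, so this is the end.
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), unescape_filter_value(value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


DIRECTORY = [  # constructed sample entries, attribute names lower-cased
    {"uid": ["jdoe"], "displayname": ["John Doe"],
     "mail": ["email@mail.com"], "memberof": [GROUP_DN]},
    {"uid": ["asmith"], "displayname": ["Alice Smith"],
     "mail": ["alice@mail.com"], "memberof": [GROUP_DN]},
    # Same display name as the searched email, but not in the group.
    {"uid": ["outsider"], "displayname": ["email@mail.com"],
     "mail": ["outsider@example.org"], "memberof": []},
]


def get_users(term, search_attrs, directory=DIRECTORY):
    """Return the uids that the user-search filter would return for `term`."""
    tree = parse_filter(build_user_search_filter(term, search_attrs))
    return [entry["uid"][0] for entry in directory if matches(tree, entry)]


if __name__ == "__main__":
    print(get_users("email@mail.com", ["displayname"]))  # []
    print(get_users("email@mail.com", ["mail"]))         # ['jdoe']
```

With `displayname` as the only search attribute the email Name ID matches no group member, which is the situation where an identity provider login falls through to creating a fresh account; with `mail` as the search attribute the same Name ID resolves to the existing LDAP user. The escaping step is separate from the attribute question: without it, a crafted Name ID could turn the equality test into a wildcard or close the filter early.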