When an LDAP account is used in an SSH Access Request Policy (either Linked Account or Directory Account), it is formatted in the connection string like "username"@"domain".
However, the requirement here is for the connection string to contain only the simple username, without the "@domain".
So how can SPP be configured so that only the simple "username" of a directory account appears in the SSH connection string?
The "login via UPN" option was introduced in Safeguard for Privileged Passwords (SPP) version 6.8. Currently, SPP cannot be configured to use the simple username instead of the UPN. Using "Alternate Login Name" does not solve this either: SPP still adds "@domainname" to the connection string. The AltLoginName is only used if it is in UPN format. See https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/6.10/administration-guide/41#TOPIC-1626834.
Let's assume UseAltLoginName = true and AltLoginName is mapped to the uid attribute.
Let's also assume that the Directory Account "account" from domain "domain.com" has been added to Safeguard, and that its uid attribute contains the string "test".
The connection string would still use firstname.lastname@example.org, because the AltLoginName attribute is not in UPN format.
If the uid is then edited to contain the string "test@differentDomain.com" and a connection string is generated again, the connection string would now contain "test@differentDomain.com", because the value is in UPN format.
So AltLoginName can't be used to generate a connection string with only the username.