Hi,
Do you know why when you set a role on the AD engine with a service_account_name = myapp@my.domain you get a username=myapp (so without @my.domain) on the ‘creds’ request ?
It’s a problem, some applications need the @ part.
Thank you
Active Directory is confusing… every account has two different “usernames”, the sAMAccountName and userPrincipalName LDAP attributes.
Because of this, people are used to addressing AD accounts in different ways.
The authors of the Vault AD secrets engine seem to have chosen to chop the @domain off the userPrincipalName
before returning it in the creds read response - presumably to get closer to what people usually think of as a username… this seems like a bug to me - but it only affects people with more complex setups, which is probably why it has so far gone unfixed.
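For applications that need the full UPN, the missing domain can be rebuilt client-side from the role configuration, since the role's service_account_name is the UPN and the creds username is that UPN with the @domain chopped off. The helper below is an added example, not Vault's own code; it uses the AD engine's field names (service_account_name on the role, username and current_password on the creds read), the sample role and creds dicts are constructed, and the NetBIOS domain name is a caller-supplied assumption because it cannot be derived from the DNS domain.

```python
"""Rebuild the full userPrincipalName from a Vault AD secrets engine role and
creds read. Added example, not Vault's code. Field names follow the AD engine:
the role carries service_account_name, the creds read returns username,
current_password and last_password. Sample data below is constructed."""


def ad_logon_names(role, creds, netbios_domain=None):
    """Return the logon forms an application may need, built from the role's
    service_account_name (a UPN) and the creds read, whose username is the
    UPN with the @domain part chopped off.

    netbios_domain is the pre-Windows 2000 (NetBIOS) name of the domain. It
    cannot be derived from the DNS name, so it is an optional caller-supplied
    assumption used only to build the DOMAIN\\user form."""
    sa = role["service_account_name"]
    if "@" not in sa:
        raise ValueError(f"service_account_name is not a UPN: {sa!r}")
    local, domain = sa.rsplit("@", 1)

    username = creds["username"]
    # Be tolerant of an engine version that already returns the full UPN.
    if "@" in username:
        username, returned_domain = username.rsplit("@", 1)
        if returned_domain.lower() != domain.lower():
            raise ValueError(
                f"creds domain {returned_domain!r} != role domain {domain!r}")
    # Sanity check: the creds must belong to the role's service account.
    if username.lower() != local.lower():
        raise ValueError(f"creds username {username!r} does not match role {sa!r}")

    names = {
        # This is the UPN prefix, not necessarily the sAMAccountName: AD allows
        # the two attributes to differ, and only an LDAP lookup can tell you.
        "upn_prefix": username,
        "userPrincipalName": f"{username}@{domain}",
        "password": creds["current_password"],
    }
    if netbios_domain:
        names["downLevelLogonName"] = f"{netbios_domain.upper()}\\{username}"
    return names


# Constructed sample data shaped like the .data of
# `vault read -format=json ad/roles/myrole` and `vault read -format=json ad/creds/myrole`.
ROLE = {"service_account_name": "myapp@my.domain", "ttl": 0}
CREDS = {"username": "myapp", "current_password": "S3cr3t-example", "last_password": ""}

if __name__ == "__main__":
    for key, value in ad_logon_names(ROLE, CREDS, netbios_domain="MY").items():
        print(f"{key}: {value}")
```

The check that the creds username matches the role's UPN prefix is deliberate: if the engine's behaviour changes (for example after the issue mentioned below is addressed) the helper keeps working, and a mismatch surfaces as an error rather than as a silently wrong logon name.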
Thank you
It seems to be intentional (there is a comment in the code).
I opened an issue and suggested adding an option to choose how the username is written.