External Authentication and Get( Accountname ) function change in FMP 10?


This topic is 5548 days old. Please don't post here. Open a new topic instead.

Hello

I'm implementing the change-over to externally authenticated accounts with a large number of files in a medium-sized organisation. We're using FMP 9.0v3 for the clients (mostly Mac OS X 10.4 but a couple of Windows boxes) with the servers running FMS 8.0v4 on Mac OS X Server.

That's all going great. EA is heaven on a stick.

My testing with this setup indicates that the clients need to authenticate with their short user names for the EA to work. I don't have a problem with this, it makes perfect sense to me. The Get( AccountName ) function returns the short username, which is expected.

However I tested a database with FMP 10.0v1 Advanced today, and it authenticated with my *long* user name. The Get( AccountName ) function returned the long user name. Arrrrgh.

I have a problem with this: depending on the user's whim, they could have two different account names depending on what they log in with. Not that I blame the user.

My question: is this a change of behaviour for FMP 10 or did I just not notice that FMP 9 does the same thing?

If it is normal behaviour, how can record level access calculations that, say, compare the current account name to those that created records work if a user can have more than one authenticated account name (long and short)?

Many thanks.

Link to comment
Share on other sites

Interesting Vaughan. I haven't heard this report. It's usually the short name for the Group, not the Account, that is operative here. Is the syntax for the Account something along these lines: vbromfield or shblackwell ?

This bears further review.

Steven

Link to comment
Share on other sites

Thanks for replying Steven.

Yes the short accounts are "vbromfield".

I have a script in each externally authenticated file that pops up a custom dialog displaying the Get( AccountName ) and Get( PrivilegeSetName ) and the account name returned "Vaughan Bromfield".

I'll test it again on Monday morning (my time) and post confirmed results then.

Link to comment
Share on other sites

OK I'm doing some more testing. Not all of the results are pleasing.

Both FMP 9.0v3 and FMP 10.0v1 will accept either the short or long usernames for authentication. It's case sensitive, however, so the username "vaughan bromfield" won't authenticate whereas "Vaughan Bromfield" will. So users *can* login using either their long or short account names.

Here's something interesting though: with FMP 9.0v3 the short username is case sensitive if the account is externally authenticated, but not case sensitive if the account is internal.

The Get( AccountName ) function returns the long or short account name depending on what they logged-in with.

My question therefore becomes: how can external authentication be limited to either the long or short account names?

Many thanks.

Link to comment
Share on other sites

We are going to need to get Wim in on this discussion, but possibly you can switch to either UPN or UNC formatting. This issue came up about 5 years ago when Server 7 was released. But I am going to have to go back and research what we discovered then.

Thanks for bringing this up.

Steven

Link to comment
Share on other sites

The Get( AccountName ) function returns the long or short account name depending on what they logged-in with.

Get(accountname) will always return the exact accountname that the user used to authenticate. In my case it could be:

wdecorte

Wim Decorte

connectingdata\wdecorte (aka UNC syntax)

[email protected] (aka UPN syntax)

In the original EA tech brief we warn about this if you want to restrict users to their own records based on the get(accountname) but they tend to use different syntaxes.

Nothing that can be done about that or we'd have to ask FMI for a feature that lets FMS retrieve just the desired version.

You seem to have found something that needs to be looked at further: case sensitivity of the account name.

Wim

Edited by Guest
Link to comment
Share on other sites

Here was me worrying that Get( AccountName ) could return two different strings, when really it could return *four*. Ha! Ignorance *is* bliss. :B

Asking for an FMS feature to return a particular version of the account name sounds like a good idea.

Thanks for the help Wim and Steven.

Link to comment
Share on other sites

Actually, Vaughan, it only returns one item, the Account name used to authenticate. If a user can use more than one syntax for an Account name, however, that is where the problem starts.

Note that Wim said:

Get(accountname) will always return the exact accountname that the user used to authenticate. In my case it could be:

wdecorte

Wim Decorte

connectingdata\wdecorte (aka UNC syntax)

[email protected] (aka UPN syntax)

In the original EA tech brief we warn about this if you want to restrict users to their own records based on the get(accountname) but they tend to use different syntaxes.

So maybe if there were some way to control this at the domain or server level, you could force the user always to use one, and only one, syntax?

Steven

Link to comment
Share on other sites
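
Added example, not part of any post in this thread and not FileMaker code: a Python sketch of the record-level access problem discussed above, mapping the four account-name syntaxes to one canonical key before comparing and failing closed on anything unrecognised. The directory contents, the `example.test` UPN suffix and all function names are assumptions made for the illustration.

```python
"""Added illustration: canonicalise whatever account name was used at login
before it is compared with a record's stored creator account."""

# Constructed sample directory (short name -> long name). A real deployment
# would read this from the directory service, not from a literal.
DIRECTORY = {
    "vbromfield": "Vaughan Bromfield",
    "wdecorte": "Wim Decorte",
}
TRUSTED_DOMAINS = {"connectingdata"}       # domain prefix seen in the thread
TRUSTED_UPN_SUFFIXES = {"example.test"}    # placeholder suffix (assumption)

_LONG_TO_SHORT = {full.casefold(): short for short, full in DIRECTORY.items()}


def canonical_account(name):
    """Return the short account name for any accepted syntax, else None."""
    name = name.strip()
    if "\\" in name:                       # domain\user form
        domain, _, user = name.partition("\\")
        if domain.casefold() not in TRUSTED_DOMAINS:
            return None                    # same short name, foreign domain
        name = user
    elif "@" in name:                      # user@suffix (UPN) form
        user, _, suffix = name.rpartition("@")
        if suffix.casefold() not in TRUSTED_UPN_SUFFIXES:
            return None
        name = user
    # Authentication has already enforced case, so folding here only
    # removes spelling variants of one and the same identity.
    key = name.casefold()
    if key in DIRECTORY:
        return key                         # short name
    return _LONG_TO_SHORT.get(key)         # long name, or None if unknown


def naive_may_access(record_owner, login_name):
    """The comparison the thread worries about: raw string equality."""
    return record_owner == login_name


def may_access(record_owner, login_name):
    """Compare canonical keys; unknown names on either side deny access."""
    owner = canonical_account(record_owner)
    user = canonical_account(login_name)
    return owner is not None and owner == user
```

The same idea applies to stored data: writing the canonical key into the creator field at record creation keeps later comparisons independent of the syntax used at login.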
