On Sat, 26 Oct 2019 00:28:36 +0000, "Vandenburgh, Steve Y" <steve.vandenbu...@centurylink.com> wrote:

> I'm attempting to use OpenLDAP as a proxy to an Active Directory
> domain. Using the ldap backend, I'm able to configure the proxy and
> that configuration seems to be working well. But account entries
> are frequently moved from ou to ou in a domain and Microsoft permits
> the bind DN to be a userPrincipalName attribute value of the entry
> instead of the full DN of the account; this feature avoids having to
> make many bind DN application configuration changes.
>
> With just the ldap backend configured, OpenLDAP rejects the
> userPrincipalName (UPN) bind DN as an invalid DN. To work around
> this error, I was trying to see if I could use the rwm overlay to
> detect the UPN and convert to the actual domain entry DN using an
> attribute map. If I use the form
>
> mail=UPN
>
> the map works as expected; however, if I only provide the UPN as the
> bind DN, OpenLDAP still rejects it as an invalid DN. I suspect that
> the rwm overlay manipulations do not take effect until after the bind
> DN syntax is checked. I wanted to confirm my suspicion and see if
> anyone else has been able to get a UPN-based bind to work through
> OpenLDAP.
>
> For reference my slapd.conf configuration is below:
[...]

slapd requires part of the AD schema in order to operate back-ldap properly. Thus write a private schema, providing the required attribute types and object classes.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
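An added example illustrating the private schema Dieter recommends (written for this note, not code from the thread or from the OpenLDAP project): a minimal schema file declaring the AD attribute types and the 'user' object class a back-ldap proxy has to know about. The file name and the selection of attributes are assumptions; the OIDs are the ones Microsoft assigns to these attributes, to be compared with the attributeSchema entries of the real domain.

```conf
# ad-proxy.schema (assumed file name): minimal private schema for a
# slapd back-ldap proxy in front of Active Directory.
# Include it from slapd.conf after core.schema, which already provides
# person and organizationalPerson:
#   include /etc/openldap/schema/ad-proxy.schema
# Only the attributes needed for UPN/logon-name lookups are declared;
# every further AD attribute that applications read or filter on must
# be declared the same way, or slapd treats it as undefined.

attributetype ( 1.2.840.113556.1.4.656
    NAME 'userPrincipalName'
    DESC 'AD logon name in user@domain form, the value a UPN bind presents'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    DESC 'AD pre-Windows 2000 logon name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.4.8
    NAME 'userAccountControl'
    DESC 'AD account flag bits, e.g. account disabled'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# AD user entries carry objectClass top/person/organizationalPerson/user;
# the first three come from core.schema, this supplies the last one.
objectclass ( 1.2.840.113556.1.5.9
    NAME 'user'
    DESC 'AD user account'
    SUP organizationalPerson
    STRUCTURAL
    MAY ( userPrincipalName $ sAMAccountName $ userAccountControl ) )
```

The schema only makes the attributes and class known to slapd; it does not change the point Steve suspects, since the frontend validates the bind DN's syntax before any overlay sees it, so a bare UPN still has to arrive in a DN-shaped form such as the mail=UPN map he describes.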