https://bugs.openldap.org/show_bug.cgi?id=10174
Issue ID: 10174
Summary: Fails to authenticate user against Active directory if double space is present in the user's DN in AD
Product: OpenLDAP
Version: 2.4.44
Hardware: All
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: codedriller@gmail.com
Target Milestone: ---
In a proxy configuration when using Meta backend to connect to Active directory, an AD user can't be authenticated through OpenLDAP if there is a double space somewhere in his or her Active directory's DN, for example: CN=John Doe,OU=IT Department,DC=example,DC=com.
I'm no LDAP expert but I suppose that the reason for this is that after slapd does the initial samAccountName search, it normalizes the found DN, including removing a double space according to RFC 2252 paragraph 8.1, then the bind attempt is made using the normalized DN and it fails, because Active directory has no built-in double space removal (or it can be disabled somehow), and the normalized DN does not match the real DN in Active directory. Excuse me if my usage of LDAP terms is not accurate.
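The mechanism the report describes, modelled as an added example (this is not code from OpenLDAP, the reporter, or Microsoft, and it never talks to slapd or AD): a DN found by the search is normalized the way the report says slapd does (insignificant spaces removed) and then presented to a backend that compares the bind DN byte-for-byte. The two backend classes, the `proxy_bind` step and the sample DN are assumptions constructed for the demonstration; `LiteralDnBackend` stands in for the AD behaviour the report infers, not for a verified property of AD.

```python
"""Simulation of the DN-normalization mismatch described in the report.

Added example, not code from OpenLDAP or the reporter. The backend objects
are assumptions: one compares the bind DN byte-for-byte (what the report
infers AD does), the other applies LDAP-style DN matching. Sample DNs are
constructed for the demonstration.
"""
import re
from typing import Iterable, List, Tuple

# Constructed: the DN as stored in the backend, with the double space the report describes.
AD_STORED_DN = "CN=John Doe,OU=IT  Department,DC=example,DC=com"


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep`, keeping RFC 4514 backslash escapes (e.g. '\\,') intact."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse a DN into [(attributeType, value), ...] (single-valued RDNs only)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)  # first '=' always separates type and value
        rdns.append((attr_type.strip(), value))
    return rdns


def normalize_value(value: str) -> str:
    """Treat spaces as insignificant: drop unescaped leading/trailing spaces and
    collapse unescaped runs to one space. Escaped spaces ('\\ ') are preserved."""
    value = value.lstrip(" ")
    value = re.sub(r"(?<!\\) +$", "", value)
    return re.sub(r"(?<!\\) {2,}", " ", value)


def normalize_dn(dn: str) -> str:
    """Canonical form: lowercased attribute types, insignificant spaces removed.
    This is the transformation the report says slapd applies before binding."""
    return ",".join(f"{t.lower()}={normalize_value(v)}" for t, v in parse_dn(dn))


class LiteralDnBackend:
    """Assumed model of the behaviour the report infers for AD: the bind DN
    must match the stored string exactly."""

    def __init__(self, entries: Iterable[str]):
        self.entries = set(entries)

    def bind(self, dn: str) -> bool:
        return dn in self.entries


class NormalizingDnBackend:
    """A server that compares DNs under case-insensitive, insignificant-space rules."""

    def __init__(self, entries: Iterable[str]):
        self.entries = {normalize_dn(e).casefold() for e in entries}

    def bind(self, dn: str) -> bool:
        return normalize_dn(dn).casefold() in self.entries


def proxy_bind(backend, found_dn: str, normalize_before_bind: bool) -> bool:
    """Assumed model of the proxy step: the DN found by the samAccountName search
    is either normalized (the reported behaviour) or passed through untouched."""
    bind_dn = normalize_dn(found_dn) if normalize_before_bind else found_dn
    return backend.bind(bind_dn)


if __name__ == "__main__":
    ad = LiteralDnBackend([AD_STORED_DN])
    rfc = NormalizingDnBackend([AD_STORED_DN])
    print("literal backend, normalized bind DN:", proxy_bind(ad, AD_STORED_DN, True))   # False
    print("literal backend, DN passed through :", proxy_bind(ad, AD_STORED_DN, False))  # True
    print("normalizing backend, normalized DN :", proxy_bind(rfc, AD_STORED_DN, True))  # True
```

The practical point for anyone fronting a backend that compares DN strings literally: the DN used for the bind should be the byte string the backend returned from the search, and normalization should be confined to the proxy's own comparisons. Whether slapd's meta backend can be configured to do that is exactly the question this ticket leaves open.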
--- Comment #1 from Howard Chu hyc@openldap.org --- Your analysis sounds plausible, but not sure what you expect us to do about ActiveDirectory violating the LDAP protocol specifications. This sounds like a bug report for Microsoft.
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|UNCONFIRMED                 |RESOLVED
           Keywords|needs_review                |
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- AD bug, not OpenLDAP
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED
--- Comment #3 from codedriller@gmail.com --- It's quite a common thing when some feature of a protocol is not supported. No company is obliged to implement every feature mentioned in an RFC. I assume the purpose of software development is to establish a successful connection between systems using a protocol as a means, and not to let the connection malfunction using the protocol as an excuse. If this feature is not supported universally, and such a major player as AD doesn't support it, then for successful AD proxying it would be required to have an option, a configuration setting, to disable double space replacement.