Am Sat, 26 Oct 2019 00:28:36 +0000
schrieb "Vandenburgh, Steve Y" <Steve.Vandenburgh(a)centurylink.com>:
I'm attempting to use OpenLDAP as a proxy to an Active Directory
domain. Using the ldap backend, I'm able to configure the proxy and
that configuration seems to be working well. But account entries
are frequently moved from ou to ou in a domain and Microsoft permits
the bind DN to be a userPrincipalName attribute value of the entry
instead of the full DN of the account; this feature avoids having to
make many bind DN application configuration changes.
With just the ldap backend configured, OpenLDAP rejects the
userPrincipalName (UPN) bind DN as an invalid DN. To work around
this error, I was trying to see if I could use the rwm overlay to
detect the UPN and convert to the actual domain entry DN using an
attribute map. If I use the form
mail=UPN
the map works as expected; however, if I only provide the UPN as the
bind DN, OpenLDAP still rejects it as an invalid DN. I suspect that
the rwm overlay manipulations do not take effect until after the bind
DN syntax is checked. I wanted to confirm my suspicion and see if
anyone else has been able to get a UPN-based bind to work through
OpenLDAP.
For reference my slapd.conf configuration is below:
[...]
slapd requires part of AD schemas in order to operate back-ldap
properly. Thus write a private schema, providing required attribute
types and object classes.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
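Putting Dieter's schema advice together with the rwm approach from the original question, here is an added example that is not from either poster: a private schema fragment plus the back-ldap/rwm section of a slapd.conf. The hostnames, suffix, service account, file paths and password are assumptions; the OIDs are Microsoft's published attributeID/governsID values for these AD definitions and should be checked against your forest schema.

```conf
# --- /etc/openldap/schema/ad-private.schema (assumed path) ---
# Minimal private copy of the AD definitions slapd needs to know about.
# MAY lists are trimmed to what this proxy actually uses.
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName'
    DESC 'AD userPrincipalName, e.g. steve@corp.example.com'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
    DESC 'AD pre-Windows 2000 logon name'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
    SUP organizationalPerson STRUCTURAL
    MAY ( userPrincipalName $ sAMAccountName ) )

# --- slapd.conf (assumed hostnames, suffix and service account) ---
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/ad-private.schema

database    ldap
suffix      "dc=corp,dc=example,dc=com"
uri         "ldap://ad.corp.example.com/"

overlay     rwm
rwm-rewriteEngine   on

# The ldap map runs a subtree search against AD, using the map argument
# as the filter, and returns the matching entry's DN.  AD does not allow
# anonymous searches, so the map binds with a read-only service account
# (continuation lines start with whitespace, as slapd.conf requires).
rwm-rewriteMap ldap upn2dn
    "ldap://ad.corp.example.com/dc=corp,dc=example,dc=com?dn?sub"
    binddn="cn=ldapproxy,ou=Service Accounts,dc=corp,dc=example,dc=com"
    credentials="CHANGE-ME-service-account-password"

# A bind DN of the form userPrincipalName=<upn> is a syntactically valid
# DN only because the attribute type is now defined; it is looked up and
# replaced by the entry's real DN before back-ldap forwards the bind,
# with the user's password untouched.  A bare UPN with no "attribute="
# prefix never reaches this rule: slapd's frontend rejects it as an
# invalid DN before any overlay runs, which is what the original poster
# observed.
rwm-rewriteContext  bindDN
rwm-rewriteRule     "^userPrincipalName=[^,]+@[^,]+$" "${upn2dn($0)}" ":@"
```

Keep the service account limited to read access on the user subtree and protect slapd.conf accordingly, since it now holds those credentials.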