There is apparently a schema file that you can include in your OpenLDAP configuration to
define the AD schema. From an old thread on the subject:
slapd requires part of AD schemas in order to operate back-ldap
properly. Thus write a private schema, providing required attribute
types and object classes.
The MSUser schema in OpenLDAP master may be useful for this.
From: Kevin Olbrich <ko(a)sv01.de>
Sent: Monday, March 30, 2020 1:46 PM
Subject: Re: AD proxy / CAPITAL letters in attributes
Am Mo., 30. März 2020 um 18:40 Uhr schrieb Howard Chu <hyc(a)symas.com>:
Kevin Olbrich wrote:
> Thanks for your reply. I don't know what you are referring to on the
> man page but as far as I know, this indicates that OpenLDAP doesn't
> know about the attribute.
> I know that but I don't care, as OpenLDAP is just a read-only proxy,
> it does not need to know anything about the schema as it does not
> need to validate it.
If you want the attribute to stop being passed in upper case, fix your
schema. Period, end of story.
That means I need to define everything again? Both in AD and Slapd?
Either I missed something or this is very laborious.
And there is really no setting to disable this behaviour?
The setup where I need this is a simple DMZ (TLS-enforcing) proxy.
> Is this what you mean? Otherwise I might need a hint :-(
> Kind regards
> Am Sa., 28. März 2020 um 18:06 Uhr schrieb Howard Chu <hyc(a)symas.com>:
>> Kevin Olbrich wrote:
>>> How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an
>>> I know they should be case insensitive but I had to debug
>>> Rocketchat for two hours to find, they use sAMAccountName (case
>>> sensitive) and the app crashed because mine was named SAMACCOUNTNAME.
>>> (I will open a bug there but I bet there is a lot of broken SW).
>> Read the slapd-ldap(5) manpage. These attributes are shown in all
>> capital letters to make you aware that you have a broken
>> configuration. Fix it and they will return to normal.
-- Howard Chu
CTO, Symas Corp.
Director, Highland Sun
Chief Architect, OpenLDAP
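A minimal private schema of the kind the first message in this thread describes, added here as an example (it is not from the thread, nor OpenLDAP's MSUser schema); the attribute OIDs are assumed to be the ones Active Directory publishes for these attributes, and the object class OID is a placeholder:

```conf
# ad-proxy.schema: private schema for a read-only back-ldap proxy in front of AD.
# Example only, not from the thread or the OpenLDAP project. The attribute OIDs
# are assumed to match the AD schema; verify them against your forest's schema
# partition before use. slapd.conf syntax; include it before the database
# section, e.g.:  include /etc/openldap/schema/ad-proxy.schema

# Windows logon name: case-insensitive string, single valued in AD.
attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    DESC 'Active Directory SAM account name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# user@domain logon name.
attributetype ( 1.2.840.113556.1.4.656
    NAME 'userPrincipalName'
    DESC 'Active Directory user principal name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# Auxiliary class so the attributes are legal on a proxied entry.
# 1.3.6.1.4.1.99999 is a PLACEHOLDER private arc: replace it with one you own.
objectclass ( 1.3.6.1.4.1.99999.1.1
    NAME 'adProxyUser'
    DESC 'Placeholder auxiliary class for proxied AD user attributes'
    SUP top AUXILIARY
    MAY ( sAMAccountName $ userPrincipalName ) )
```

A quick check after reloading slapd: run ldapsearch through the proxy and confirm the attribute now comes back as `sAMAccountName`; per slapd-ldap(5), any attribute still returned in all capitals is one the proxy's schema still does not define.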