Hi! Thanks for your reply. I don't know what you are referring to on the man page but as far as I know, this indicates, that OpenLDAP doesn't know about the attribute. I know that but I don't care, as OpenLDAP is just a read-only proxy, it does not need to know anything about the schema as it does not need to validate it. Is this what you mean? Otherwise I might need a hint :-( Kind regards Kevin Am Sa., 28. März 2020 um 18:06 Uhr schrieb Howard Chu <hyc(a)symas.com&gt;: > > Kevin Olbrich wrote: > > Hi! > > > > How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? > > I know they should be case insensitive but I had to debug Rocketchat > > for two hours to find, they use sAMAccountName (case sensitive) and > > the app crashed because mine was named SAMACCOUNTNAME. > > (I will open a bug there but I bet there is a lot of broken SW). > > Read the slapd-ldap(5) manpage. These attributes are shown in all capital letters > to make you aware that you have a broken configuration. Fix it and they will return > to normal. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/

Am Mo., 30. März 2020 um 18:40 Uhr schrieb Howard Chu <hyc(a)symas.com&gt;: That means I need to define everything again? Both in AD and Slapd? Either I missed something or this is very laborious. And there is realy no setting to disable this behaviour? The setup where I need this is a simple DMZ (tls enforcing) proxy. > > > > Is this what you mean? Otherwise I might need a hint :-( > > > > Kind regards > > Kevin > > > > Am Sa., 28. März 2020 um 18:06 Uhr schrieb Howard Chu <hyc(a)symas.com&gt;: > >> > >> Kevin Olbrich wrote: > >>> Hi! > >>> > >>> How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? > >>> I know they should be case insensitive but I had to debug Rocketchat > >>> for two hours to find, they use sAMAccountName (case sensitive) and > >>> the app crashed because mine was named SAMACCOUNTNAME. > >>> (I will open a bug there but I bet there is a lot of broken SW). > >> > >> Read the slapd-ldap(5) manpage. These attributes are shown in all capital letters > >> to make you aware that you have a broken configuration. Fix it and they will return > >> to normal. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/

Awesome! That works! :-) Thank you so much! Kind regards Kevin Am Di., 31. März 2020 um 18:27 Uhr schrieb Vandenburgh, Steve Y <Steve.Vandenburgh(a)centurylink.com&gt;: > > There is apparently an schema file that you can include in your OpenLDAP configuration to define the AD schema. From an old thread on the subject: > > > [...] > > slapd requires part of AD schemas in order to operate back-ldap > > properly. Thus write a private schema, providing required attribute > > types and object classes. > > The MSUser schema in OpenLDAP master may be useful for this. > > --Quanah > > > -----Original Message----- > From: Kevin Olbrich <ko(a)sv01.de&gt; > Sent: Monday, March 30, 2020 1:46 PM > To: openldap-technical(a)openldap.org > Subject: Re: AD proxy / CAPITAL letters in attributes > > Am Mo., 30. März 2020 um 18:40 Uhr schrieb Howard Chu <hyc(a)symas.com&gt;: > > > > Kevin Olbrich wrote: > > > Hi! > > > > > > Thanks for your reply. I don't know what you are referring to on the > > > man page but as far as I know, this indicates, that OpenLDAP doesn't > > > know about the attribute. > > > > Exactly. > > > > > I know that but I don't care, as OpenLDAP is just a read-only proxy, > > > it does not need to know anything about the schema as it does not > > > need to validate it. > > > > If you want the attribute to stop being passed in upper case, fix your > > schema. Period, end of story. > > > > That means I need to define everything again? Both in AD and Slapd? > Either I missed something or this is very laborious. > > And there is realy no setting to disable this behaviour? > The setup where I need this is a simple DMZ (tls enforcing) proxy. > > > > > > > Is this what you mean? Otherwise I might need a hint :-( > > > > > > Kind regards > > > Kevin > > > > > > Am Sa., 28. März 2020 um 18:06 Uhr schrieb Howard Chu <hyc(a)symas.com&gt;: > > >> > > >> Kevin Olbrich wrote: > > >>> Hi! > > >>> > > >>> How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? > > >>> I know they should be case insensitive but I had to debug > > >>> Rocketchat for two hours to find, they use sAMAccountName (case > > >>> sensitive) and the app crashed because mine was named SAMACCOUNTNAME. > > >>> (I will open a bug there but I bet there is a lot of broken SW). > > >> > > >> Read the slapd-ldap(5) manpage. These attributes are shown in all > > >> capital letters to make you aware that you have a broken > > >> configuration. Fix it and they will return to normal. > > > > -- > > -- Howard Chu > > CTO, Symas Corp. https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%... > > Director, Highland Sun https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%... > > Chief Architect, OpenLDAP > > https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http% > > 3a%2f%2fwww.openldap.org%2fproject%2f&umid=8E0ADA3C-A221-9905-BC8C-5F2 > > 773CA2777&auth=19120be9529b25014b618505cb01789c5433dae7-62363daa58ac2c > > 8dfb02409d8f32b817d1a5b870 > > This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.