(ITS#8767) Binddn issue with a comma in the DN

Full_Name: Christian Palacios
Version: LTB package version 2.4.45
OS: Debian "Stretch"
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

We have an OpenLDAP server configured as a proxy so that it can be used to
authenticate against three Active Directory domains.  We are able to get it
configured with two of the domains, but it fails with the third one.  The
problem that I have been told is that the binddn definition cannot have a comma
in the DN.  Unfortunately we don't have control over this third domain and all
of the accounts, including service accounts, have a format that includes a comma
in their DN.  For example: binddn="CN=gisadmin, CNE (SVC),OU=CNE-Calgary
FDSCI,OU=NASA,OU=Service Accounts,DC=int,DC=cgg,DC=com" credentials=""
mode="legacy" flags="non-prescriptive".  As you can see, the DN has a comma next
to the gisadmin value.  We have been told that this is a problem so we want to
see if anyone has a fix for this so that the defined binddn can have a comma in
it.  It's going to be hard to get another user account created in a different
format that will work, so we're hoping there is a quick fix for OpenLDAP.

From the OpenLDAP Log file:
Oct 16 10:11:17 CNE-LDA01 slapd[5501]: @(#) $OpenLDAP: slapd 2.4.45 (Jun 10 2017
17:54:31) $#012#011root@stretch:/opt/openldap-deb/debian/paquet-openldap-debian/openldap-ltb-2.4.45/servers/slapd
Oct 16 10:11:17 CNE-LDA01 slapd[5501]: invalid bind config value
binddn=CN=gisadmin, CNE (SVC),OU=CNE-Calgary FDSCI,OU=NASA,OU=Service
Oct 16 10:11:17 CNE-LDA01 slapd[5501]:
/usr/local/openldap/etc/openldap/slapd.conf: line 65: "idassert-bind <args>":
unable to parse field "binddn=CN=gisadmin, CNE (SVC),OU=CNE-Calgary
Oct 16 10:11:17 CNE-LDA01 slapd[5501]: slapd stopped.
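As an added example (written for this note, not code from the report or from OpenLDAP itself), the RFC 4514 rule at play: a comma that is part of an attribute value must be written as `\,`, otherwise a string-DN parser takes it as an RDN separator. The small escaper and splitter below are simplified illustrations and are not OpenLDAP's ldap_str2dn; the CN value and suffix are taken from the DN quoted in the report.

```python
# RFC 4514 section 2.4: characters that need a backslash when they appear
# inside an attribute value of a string-form DN.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing space is significant
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn: str) -> list[str]:
    """Split a string DN into RDNs at unescaped commas (quotes/semicolons not handled)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep an escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).lstrip())  # tolerate a space after the separator
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).lstrip())
    return rdns


def rdn_problems(dn: str) -> list[str]:
    """Return the RDNs that do not look like 'type=value'; an empty list means OK."""
    return [r for r in split_dn(dn) if "=" not in r or not r.split("=", 1)[0].strip()]


# Constructed from the DN quoted in the report: the CN value itself contains a comma.
CN_VALUE = "gisadmin, CNE (SVC)"
SUFFIX = "OU=CNE-Calgary FDSCI,OU=NASA,OU=Service Accounts,DC=int,DC=cgg,DC=com"
UNESCAPED_DN = f"CN={CN_VALUE},{SUFFIX}"
ESCAPED_DN = f"CN={escape_rdn_value(CN_VALUE)},{SUFFIX}"

if __name__ == "__main__":
    print(rdn_problems(UNESCAPED_DN))  # ['CNE (SVC)'] -> parser sees a bogus RDN
    print(ESCAPED_DN, rdn_problems(ESCAPED_DN))
```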