Re: Question about OpenLDAP and rwm overlay
On Sat, 26 Oct 2019 00:28:36 +0000,
"Vandenburgh, Steve Y" <Steve.Vandenburgh@centurylink.com> wrote:
> I'm attempting to use OpenLDAP as a proxy to an Active Directory
> domain. Using the ldap backend, I'm able to configure the proxy and
> that configuration seems to be working well. But account entries
> are frequently moved from ou to ou in a domain and Microsoft permits
> the bind DN to be a userPrincipalName attribute value of the entry
> instead of the full DN of the account; this feature avoids having to
> make many bind DN application configuration changes.
>
> With just the ldap backend configured, OpenLDAP rejects the
> userPrincipalName (UPN) bind DN as an invalid DN. To work around
> this error, I was trying to see if I could use the rwm overlay to
> detect the UPN and convert to the actual domain entry DN using an
> attribute map. If I use the form
>
> mail=UPN
>
> the map works as expected; however, if I only provide the UPN as the
> bind DN, OpenLDAP still rejects it as an invalid DN. I suspect that
> the rwm overlay manipulations do not take effect until after the bind
> DN syntax is checked. I wanted to confirm my suspicion and see if
> anyone else has been able to get a UPN-based bind to work through
> OpenLDAP.
>
> For reference my slapd.conf configuration is below:
[...]
slapd requires part of the AD schema in order to operate back-ldap
properly. Thus, write a private schema providing the required attribute
types and object classes.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
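The following slapd.conf fragment is an added illustration, not configuration from either poster. It combines the two points in the thread: Dieter's advice to declare the AD attribute types slapd must understand in a private schema, and Steve's observation that a bind DN written as mail=UPN is accepted by the frontend (it is a syntactically valid DN) while a bare UPN is rejected before any overlay runs. The rewrite therefore targets the mail=UPN form only and resolves it to the real entry DN with an LDAP-backed rwm map. The host name ad.example.com, the suffix dc=example,dc=com, the map name upn2dn and the schema OID are all assumptions or placeholders.

```conf
# Added example (not from the thread). Hosts, suffix, map name and the OID
# below are assumptions; replace them with values from your own deployment.

# --- Private schema fragment (Dieter's suggestion) --------------------------
# back-ldap hands slapd AD entries as-is, so slapd must know the attribute
# types they carry. The OID here is a PLACEHOLDER; use the attribute's real
# OID from the AD schema, and add every other AD-only attribute you rely on.
attributetype ( 1.1.1.1.1
    NAME 'userPrincipalName'
    DESC 'placeholder definition of the AD UPN attribute'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# --- Proxy database ---------------------------------------------------------
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ad.example.com/"
# ... idassert-bind / acl-bind and the rest of the existing proxy setup ...

overlay         rwm
rwm-rewriteEngine on

# LDAP-backed map: the URI fixes server, base, returned attribute (dn) and
# scope; the search filter is supplied by the rule that calls the map.
# AD normally refuses anonymous searches, so in practice the map also needs
# slapo-rwm's binddn=/credentials= map options for a read-only lookup account.
rwm-rewriteMap  ldap upn2dn "ldap://ad.example.com/dc=example,dc=com?dn?sub"

# Only bind DNs are rewritten. A bind DN of the form mail=<UPN> is replaced
# by the DN of the AD entry whose userPrincipalName matches; ":@" stops
# further rewriting once the rule has fired. A bare UPN never reaches this
# overlay, because the frontend rejects it as an invalid DN first.
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=([^,]+)$" "${upn2dn(userPrincipalName=$1)}" ":@"
```

Two practical checks: the account used for the map lookup should be a dedicated read-only principal, since its credentials sit in slapd.conf; and after the rewrite the actual bind is still performed against AD with the user's own password, so the proxy never becomes an authentication shortcut, only a name-resolution step.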