Add support for looking up the account DN post-bind #12
Conversation
| help="""LDAP attribute that stores the user's username. | ||
|
|
||
| For most LDAP servers, this is uid. For Active Directory, it is | ||
| sAMAccountName. |
There was a problem hiding this comment.
Nope, it's actually sAMAccountName in keeping with the LDAP convention that attribute names always start lowercase.
|
Hello! Thank you very much for your patch, and sorry for the super delayed response! The code looks good to me, with the exception of one minor comment (which I'm happy to fix myself). I do not have access to an AD instance to test this, however. Are you still running this? Do you think you can add a section to the README with an example configuration for running it against AD? |
|
Yes, we're using this in production today, against our corporate AD. I'll add an AD example to the README later tonight, sure! |
|
Wonderful! I'll be happy to merge this after the README update! Thank you very much! |
|
OK, README has been updated with some examples. |
|
Thanks for the patch! \o/ I'll probably do a release in a bit... |
For AD environments like ours, a user's DN is hard to programmatically generate. However, MS lets you bind with a username of form 'DOMAIN\username' which is what we use for our template. In order to test group membership, we have to look up their DN later. We opted to go this route, rather than trying for the
memberOfattribute, because that overlay isn't a guaranteed thing in the OpenLDAP world.EDIT: specifically, this was causing problems for the allowed_groups feature, which was looking for the bind DN in the membership lists of groups.