20.14. Using Active Directory-formatted User Names for Authentication

When you connect to Directory Server, you must specify the distinguished name (DN) of the user, such as uid=user_name,ou=People,dc=example,dc=com, to authenticate. However, the DN can be difficult to remember. If you enable and configure the AD DN plug-in, you can use Active Directory-formatted user names, such as user_name or user_name@domain instead of the DN.
After you enable the plug-in and a user connects to the directory using a user name that is not DN-formatted, Directory Server searches the DN based on the plug-in's configuration. If the search returns one DN, Directory Server uses this DN for the authentication. If none or multiple DNs are returned, authentication fails.


You can only enable and configure the AD DN plug-in using the command line.
To enable and configure the plug-in it to use example.com as the default domain:
  1. Add the cn=addn,cn=plugins,cn=config plug-in entry and set the default domain:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    dn: cn=addn,cn=plugins,cn=config
    changetype: add
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    cn: addn
    nsslapd-pluginPath: libaddn-plugin
    nsslapd-pluginInitfunc: addn_init
    nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled: on
    nsslapd-pluginId: addn
    nsslapd-pluginVendor: 389 Project
    nsslapd-pluginDescription: Allow AD DN style bind names to LDAP
    addn_default_domain: example.com
    The required addn_default_domain parameter in the plug-in entry sets the default domain. The plug-in appends this domain if the specified user name during an authentication does not contain a domain name.
  2. Add a configuration entry for the default domain:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    dn: cn=example.com,cn=addn,cn=plugins,cn=config
    changetype: add
    objectClass: top
    objectClass: extensibleObject
    cn: example.com
    addn_base: ou=People,dc=example,dc=com
    addn_filter: (&(objectClass=account)(uid=%s))
    For details about the parameters used in the example, see their descriptions in the Red Hat Directory Server Configuration, Command, and File Reference.


    You must add at least a configuration entry for the default domain. If the entry is missing, Directory Server fails to start.
  3. Optionally, you can create additional domain configurations as described in the previous step to support multiple domain names. Each domain configuration can use a different search base and filter.
  4. Restart the Directory Server instance:
    # dsctl instance_name restart