20.14. Using Active Directory-formatted User Names for Authentication
When you connect to Directory Server, you must specify the distinguished name (DN) of the user, such as uid=user_name,ou=People,dc=example,dc=com, to authenticate. However, the DN can be difficult to remember. If you enable and configure the AD DN plug-in, you can use Active Directory-formatted user names, such as user_name or user_name@domain, instead of the DN.
After you enable the plug-in and a user connects to the directory using a user name that is not DN-formatted, Directory Server searches for the DN based on the plug-in's configuration. If the search returns exactly one DN, Directory Server uses this DN for the authentication. If no DN or multiple DNs are returned, authentication fails. Choose the search base and filter so that they cannot match more than one entry: a duplicate uid under the search base locks that user out rather than letting the server pick one of the entries.
Note
You can only enable and configure the AD DN plug-in using the command line.
To enable and configure the plug-in to use example.com as the default domain:
- Add the cn=addn,cn=plugins,cn=config plug-in entry and set the default domain:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=addn,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: addn
nsslapd-pluginPath: libaddn-plugin
nsslapd-pluginInitfunc: addn_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginId: addn
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 1.3.6.0
nsslapd-pluginDescription: Allow AD DN style bind names to LDAP
addn_default_domain: example.com
The required addn_default_domain parameter in the plug-in entry sets the default domain. The plug-in appends this domain if the user name specified during authentication does not contain a domain name.
- Add a configuration entry for the default domain:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=example.com,cn=addn,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: example.com
addn_base: ou=People,dc=example,dc=com
addn_filter: (&(objectClass=account)(uid=%s))
For details about the parameters used in the example, see their descriptions in the Red Hat Directory Server Configuration, Command, and File Reference.
Warning
You must add at least a configuration entry for the default domain. If the entry is missing, Directory Server fails to start.
- Optionally, create additional domain configurations as described in the previous step to support multiple domain names. Each domain configuration can use a different search base and filter.
- Restart the Directory Server instance:
# dsctl instance_name restart