ldap/AD proxy: Unable to bind using sAMAccountName, but last name and first name is able to bind

Question

I am attempting to set up a pass-through proxy to Active Directory, using ldap on Debian Wheezy. The slapd.conf file is below. I can bind just find by using lastname, first name:

ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=LaCroix\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName

And that does work:

result: 0 Success

But what we really want to do is bind via the user name (sAMAccountName):

ldapsearch -x -h localhost -b "OU=Site-Users,DC=mycompany,DC=local" -D "cn=jlacroix,OU=My Group,OU=Site-Users,DC=mycompany,DC=local" -W "(sAMAccountName=jlacroix)" cn sAMAccountName

and that does not work:

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

Note: Despite that error, my credentials ARE correct, as seen in the first example where binding works via Last Name, First Name.

I have been searching through examples for a number of weeks now, and no matter what I try, I can't seem to bind against sAMAccountName, only Last Name, First Name.

I can search for sAMAccountName when searching against AD directly, but not when using my ldap proxy.

Here is my /etc/ldap/slapd.conf:

# Import our schema
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/samaccountname.schema

moduleload      back_ldap
moduleload      back_bdb.la
moduleload      rwm 

# Support both LDAPv2 and LDAPv3
allow           bind_v2

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        1   

# Our slapd-ldap back end to connect to AD

database        ldap
suffix          ou=Site-Users,dc=mycompany,dc=local
subordinate
rebind-as-user  yes 
uri             ldap://10.10.10.99:389
chase-referrals yes 
readonly        yes 
#protocol-version       3   

overlay         rwm 
rwm-map         attribute       uid     sAMAccountName
rwm-map         attribute       mail    proxyAddresses 

binddn cn=ADreader 
bindpw supersecretpassword

# Our primary back end 

database        bdb 
suffix          dc=mycompany,dc=local
rootdn          cn=admin,dc=mycompany,dc=local
rootpw          supersecretpassword 
directory       /var/lib/ldap

# Indexes for this back end 
index           objectClass                     eq,pres
index           ou,cn,mail,surname,givenname    eq,pres,sub
index           uid                             eq,pres,sub

Answer 1

You're "it works" example works because the DN of the object is cn=LaCroix\, Jay,OU=My Group,OU=Site-Users,DC=mycompany,DC=local. The second doesn't work because the DN of the object isn't cn=jlacroix,OU=My Group,OU=Site-Users,DC=mycompany,DC=local.

It's not that you're binding with the "Last Name, First Name", rather the CN of the object is set to " Last Name, First Name" and you're binding with the object's CN. You can't just put the sAMAccountName in as the CN and expect it to work. The object's CN is the object's CN.

Binding directly to AD with a bind DN of "DOMAIN\sAMAccountName" will work fine. I don't think OpenLDAP will handle that, thought. It's probably going to reject that syntax even though, from Active Directory's perspective, it will work fine.