You can configure the LDAP mechanism to create an identity map for usernames that log on with an FQDN, such as user@dom1.dom2.dom3. For example:

```xml
<Mechanism Name="ldap">
  <MechanismProperties ... />
  <!-- Match splits the logon name into capture groups; Pattern builds the DN
       from them; DatabaseName rewrites the username the database sees. -->
  <IdentityMap Match="([^@]+)@([^\.]+)\.([^\.]+)\.([^\.]+)"
               Pattern="uid=${1},ou=users,dc=${2},dc=${3},dc=${4}"
               DatabaseName="${1}"/>
</Mechanism>
```
where:
Attribute Name | Example Attribute Value | Description
---|---|---
Match (required) | `"([^@]+)@([^\.]+)\.([^\.]+)\.([^\.]+)"` | A POSIX regular expression representing a matching rule that shows how the username is divided into substrings. Each substring is enclosed in parentheses ( ).
Pattern (required) | `"uid=${1},ou=users,dc=${2},dc=${3},dc=${4}"` | The substitution rule that determines how the map derives a DN from the username substrings captured by the Match attribute.
DatabaseName (optional) | `"${1}"` | Defines how the system rewrites the username so that the database can identify the user in a particular form. The value ${1} identifies the user in the database using only the uid portion of the logon, and drops the ${2}, ${3}, and ${4} portions of the username.
The identity map does not require a service bind.
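The following is an added example, not code from the product or the page, that works through the Match/Pattern/DatabaseName substitution above for a few logon names. It assumes the Match rule must cover the whole logon name (a non-matching name is rejected rather than partially mapped) and, as a defensive assumption of the example rather than something the page states, escapes substituted values per RFC 4514 when they are placed into the DN.

```python
import re

# The identity map from the page's example configuration.
IDENTITY_MAP = {
    "Match": r"([^@]+)@([^\.]+)\.([^\.]+)\.([^\.]+)",
    "Pattern": "uid=${1},ou=users,dc=${2},dc=${3},dc=${4}",
    "DatabaseName": "${1}",
}

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value):
    """Escape one attribute value so it cannot add or alter RDN components."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in _DN_SPECIAL or leading_hash or edge_space:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def _substitute(template, groups, escape):
    # Replace each ${n} with capture group n; an out-of-range n is a config error.
    def repl(m):
        n = int(m.group(1))
        if n < 1 or n > len(groups):
            raise ValueError("template references ${%d} but Match has %d groups" % (n, len(groups)))
        value = groups[n - 1]
        return escape_dn_value(value) if escape else value
    return re.sub(r"\$\{(\d+)\}", repl, template)


def resolve(identity_map, username):
    """Return (bind_dn, database_username), or None when Match does not apply."""
    # fullmatch (assumption): the whole logon name must satisfy the rule,
    # so "user@dom1.dom2" or "user@a.b.c.d" are rejected, not partially mapped.
    m = re.fullmatch(identity_map["Match"], username)
    if m is None:
        return None
    groups = m.groups()
    dn = _substitute(identity_map["Pattern"], groups, escape=True)
    db_template = identity_map.get("DatabaseName")
    db_user = _substitute(db_template, groups, escape=False) if db_template else username
    return dn, db_user
```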