How to allow LDAP lookup via email address as well as samaccountname (AD)

[Peter Schober]

* Dave Perry via users <users at shibboleth.net> [2022-11-24 12:45]:
> Looking at the old ldap.properties file (which was pasted in over
> the stock 4.2.1.1 installed one) [...]

So you did a "fresh" install of the current software and are now
trying to make it behave as before by copying back some of the config
files?  At least I can't see why copying over the old config over the
"stock" one would have been necesssary otherwise.

> the LDAP filter: 
> idp.authn.LDAP.userFilter= (sAMAccountName={user})
> 
> No mention of UPN, or mail, in that file.
> 
> I tried the following filter rule, to no avail (it didn't stop samaccountname logins working, just didn't pick up the email address ones):
> idp.authn.LDAP.userFilter= (| (sAMAccountName={user}) (userPrincipalName={user}) )

The first thing you'd need to decide (or determine) is what
"authenticator strategy" to use (or is configured). Since your LDAP
server implementation is M$-AD that (idp.authn.LDAP.authenticator =
adAuthenticator) would be an obvious choice.

That then determines whether the idp.authn.LDAP.userFilter setting is
even used at all. With the adAuthenticator it's /not/ used for
authentication, that instead relies on a M$-proprietary extension
using direct lookups configured with the idp.authn.LDAP.dnFormat (note
the comments above all of thesesettings), e.g.

idp.authn.LDAP.dnFormat = %s at yorksj.ac.uk  # your domain

Note that depending on your LDAP DataConnector configuration you may
still need to configure an LDAP search filter in the property
"idp.attribute.resolver.LDAP.searchFilter" (a bit further below in
your ldap.properties). That's about attribute lookups and not
authentication and so needs to be set correctly even using the
adAuthenticator, e.g.:
idp.attribute.resolver.LDAP.searchFilter = (|(sAMAccountName=$resolutionContext.principal)(userPrincipalName=$resolutionContext.principal))

HTH,
-peter