How to allow LDAP lookup via email address as well as samaccountname (AD)

Dave Perry d.perry1 at
Thu Nov 24 13:22:38 UTC 2022


Thanks for the initial response.

The config I copied over does indeed set adAuthenticator at the top - and already has the line 'idp.authn.LDAP.dnFormat = %s at'.

It's the authentication stage that is failing. If I enter my email address as the username, I specifically get a password error.


Dave Perry
Application Analyst  |  Innovation & Technology Services

York St John University

Lord Mayor’s Walk, York, YO31 7EX
T: +44(0)1904 876 0000


From: users <users-bounces at> on behalf of Peter Schober via users <users at>
Sent: 24 November 2022 12:36
To: users at <users at>
Cc: Peter Schober <peter.schober at>
Subject: Re: How to allow LDAP lookup via email address as well as samaccountname (AD)


* Dave Perry via users <users at> [2022-11-24 12:45]:
> Looking at the old file (which was pasted in over
> the stock installed one) [...]

So you did a "fresh" install of the current software and are now
trying to make it behave as before by copying back some of the config
files?  At least I can't see why copying over the old config over the
"stock" one would have been necessary otherwise.

> the LDAP filter:
> idp.authn.LDAP.userFilter= (sAMAccountName={user})
> No mention of UPN, or mail, in that file.
> I tried the following filter rule, to no avail (it didn't stop samaccountname logins working, just didn't pick up the email address ones):
> idp.authn.LDAP.userFilter= (| (sAMAccountName={user}) (userPrincipalName={user}) )

The first thing you'd need to decide (or determine) is what
"authenticator strategy" to use (or is configured). Since your LDAP
server implementation is M$-AD that (idp.authn.LDAP.authenticator =
adAuthenticator) would be an obvious choice.

That then determines whether the idp.authn.LDAP.userFilter setting is
even used at all. With the adAuthenticator it's /not/ used for
authentication, that instead relies on a M$-proprietary extension
using direct lookups configured with the idp.authn.LDAP.dnFormat (note
the comments above all of these settings), e.g.

idp.authn.LDAP.dnFormat = %s at  # your domain

Note that depending on your LDAP DataConnector configuration you may
still need to configure an LDAP search filter in the property
"idp.attribute.resolver.LDAP.searchFilter" (a bit further below in
your That's about attribute lookups and not
authentication and so needs to be set correctly even using the
adAuthenticator, e.g.:
idp.attribute.resolver.LDAP.searchFilter = (|(sAMAccountName=$resolutionContext.principal)(userPrincipalName=$resolutionContext.principal))

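The two mechanisms Peter separates above (adAuthenticator binding straight to AD via idp.authn.LDAP.dnFormat, with idp.authn.LDAP.userFilter ignored; then the attribute resolver's own idp.attribute.resolver.LDAP.searchFilter), as an added runnable model. This is illustration code written for this page, not Shibboleth or ldaptive code: the domain example.ac.uk, the sample accounts, the "{p}" placeholder standing in for $resolutionContext.principal, the simplified AD bind (UPN only) and the assumption that the principal carried forward is the username as typed are all constructed for the example.

```python
"""
Toy model of the two Shibboleth IdP settings discussed in the thread:
  idp.authn.LDAP.dnFormat                   (adAuthenticator: direct bind, no search)
  idp.attribute.resolver.LDAP.searchFilter  (attribute lookup after login)
Added illustration, not Shibboleth/ldaptive code.  The domain, the sample
accounts and the bind model are constructed assumptions.
"""
import re

DOMAIN = "example.ac.uk"                    # assumption: stands in for the elided domain
DN_FORMAT = "%s@" + DOMAIN                  # idp.authn.LDAP.dnFormat = %s@<domain>
AUTHN_USER_FILTER = "(sAMAccountName={p})"  # idp.authn.LDAP.userFilter; never used by adAuthenticator
RESOLVER_FILTER = "(|(sAMAccountName={p})(userPrincipalName={p}))"  # the resolver filter from the thread

# Constructed sample entries; attribute names as AD exposes them.
DIRECTORY = [
    {"sAMAccountName": "dperry", "userPrincipalName": "dperry@example.ac.uk",
     "mail": "d.perry1@example.ac.uk", "password": "correct horse"},
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@example.ac.uk",
     "mail": "j.smith@example.ac.uk", "password": "battery staple"},
]


def bind_name(dn_format, user):
    """What adAuthenticator hands to AD: dnFormat with %s replaced, no search first."""
    return dn_format.replace("%s", user)


def ad_bind(name, password):
    """Simplified simple bind: the name is accepted only if it is an existing UPN.
    (Real AD also accepts other name forms; this model keeps the UPN case only.)"""
    for entry in DIRECTORY:
        if entry["userPrincipalName"].lower() == name.lower():
            return entry["password"] == password
    return False


def authenticate(user, password):
    """adAuthenticator path.  Returns the principal name carried forward (assumed
    here to be the username as typed) or None on failure.  AUTHN_USER_FILTER is
    deliberately never consulted, which is the point made in the thread."""
    return user if ad_bind(bind_name(DN_FORMAT, user), password) else None


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_resolver_filter(principal, escape=True):
    """Substitute the principal into the resolver filter ({p} stands in for
    $resolutionContext.principal).  escape=False shows the effect of skipping escaping."""
    value = escape_filter_value(principal) if escape else principal
    return RESOLVER_FILTER.replace("{p}", value)


def evaluate_filter(ldap_filter):
    """Evaluate a filter that is a disjunction of equality/substring terms, i.e.
    (attr=v) or (|(attr=v)(attr2=v2)).  Enough for the filters on this page."""
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    matches = []
    for entry in DIRECTORY:
        for attr, pattern in terms:
            # an unescaped '*' is a wildcard; an escaped \2a is a literal asterisk
            regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
            if re.match(regex, entry.get(attr, ""), re.IGNORECASE):
                matches.append(entry)
                break
    return matches


def resolve_attributes(principal, escape=True):
    """Attribute lookup as the LDAP DataConnector does it: search, expect exactly one entry."""
    found = evaluate_filter(render_resolver_filter(principal, escape))
    if len(found) != 1:
        return None
    return {k: v for k, v in found[0].items() if k != "password"}


if __name__ == "__main__":
    principal = authenticate("dperry", "correct horse")
    print("login as dperry ->", principal, resolve_attributes(principal))
    print("login with the full UPN ->", authenticate("dperry@example.ac.uk", "correct horse"))
    print("resolver lookup by UPN ->", resolve_attributes("dperry@example.ac.uk")["mail"])
    print("resolver lookup by mail ->", resolve_attributes("d.perry1@example.ac.uk"))
    hostile = "dperry)(userPrincipalName=*"
    print("escaped filter ->", render_resolver_filter(hostile))
    print("entries matched without escaping ->",
          len(evaluate_filter(render_resolver_filter(hostile, escape=False))))
```

Two things the model makes visible: the resolver filter quoted in the thread matches sAMAccountName and userPrincipalName but not the mail attribute, so a lookup keyed on the mail value returns nothing unless the filter names that attribute; and the principal is interpolated into a search filter, so RFC 4515 escaping of the value is what keeps a crafted username from widening the search (the unescaped variant above matches every entry). Whether the real IdP escapes $resolutionContext.principal is not something this thread states; check the DataConnector documentation for the version in use.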