It would be nice to have an option that allows lowercasing the username before sending it to the LDAP server.
Does this mean samAccountName on MSAD is case-sensitive? I couldn't figure out the doc and my test system is kaput. Or are you hitting some other specifically case-sensitive attribute in your DN lookup?
Searches for samAccountName=foo appear to be case insensitive OOTB.
I'm using

    AuthLDAPRemoteUserAttribute uid
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN Off
    AuthBasicProvider ldap
    require ldap-group cn=Domain Admins,ou=Group, dc=DOMAIN,dc=de

and memberUid doesn't seem to be case insensitive (memberUid is from posixGroup, which is also used by samba domain groups). If I try "require valid-user" it seems to be case insensitive. But the REQUEST_USER environ variable seems to be lowercased every time (that's good for statistics).
I see, "AuthLDAPGroupAttributeIsDN on" and pointing to a case-sensitive attribute for the group check is the part where it breaks down.
Instead of lowercasing the usernames it should be better to use the "AuthLDAPRemoteUserAttribute" for group member comparison too...
Created attachment 23238: use the username gathered from AuthLDAPRemoteUserAttribute. This patch seems to fix this issue.
Comment on attachment 23238: use the username gathered from AuthLDAPRemoteUserAttribute. +1 - the patch looks rational.
This patch also helps to canonicalize usernames (e.g. if a DN is found by an alias or multiple uid/cn entries).
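
The behaviour discussed in this thread, as an added example that is not part of any comment or of the attached patch: a small Python model of a case-insensitive user search followed by a case-exact memberUid group check, comparing the typed login against the value stored in the directory. The directory entries, DNs and function names are constructed, and treating the first stored uid value as the canonical name is an assumption of the model.

```python
# Constructed model of the group check discussed above; not mod_authnz_ldap code.
# Matching rules follow the schemas: uid uses caseIgnoreMatch (RFC 4519),
# memberUid uses caseExactIA5Match (RFC 2307).

# Constructed sample directory: one user reachable by two uid values.
USERS = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=org", "uid": ["jdoe", "john.doe"]},
]
ADMINS = "cn=Domain Admins,ou=Group,dc=example,dc=org"
GROUPS = {ADMINS: {"memberUid": ["jdoe"]}}


def find_user(login):
    """Search (uid=<login>): case-insensitive, as caseIgnoreMatch prescribes."""
    for entry in USERS:
        if any(value.lower() == login.lower() for value in entry["uid"]):
            return entry
    return None


def compare_member_uid(group_dn, value):
    """LDAP compare on memberUid: exact case, as caseExactIA5Match prescribes."""
    return value in GROUPS[group_dn]["memberUid"]


def authorize(login, group_dn, use_directory_value):
    """Return (allowed, name_used_for_compare).

    use_directory_value=False compares the name exactly as the client typed it.
    use_directory_value=True compares the value stored in the user's entry,
    the role AuthLDAPRemoteUserAttribute plays in the proposal above
    (assumption: the first stored value is the canonical one).
    """
    entry = find_user(login)
    if entry is None:
        return (False, None)
    name = entry["uid"][0] if use_directory_value else login
    return (compare_member_uid(group_dn, name), name)


if __name__ == "__main__":
    for login in ("jdoe", "JDoe", "john.doe"):
        typed = authorize(login, ADMINS, use_directory_value=False)
        stored = authorize(login, ADMINS, use_directory_value=True)
        print(f"{login!r}: typed name -> {typed}, directory value -> {stored}")
```

With the directory value, every spelling or alias that authenticates maps to one name for both the group decision and the access log.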