Using LDAP “constructed” attributes in EFT LDAP Authentication


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server (All Versions)

QUESTION

Does the EFT Server support “constructed” attributes (e.g. msds-PrincipalName) for the username attribute?


ANSWER

No, “constructed” attributes are not supported for the username attribute.

MORE INFORMATION

Using a “constructed” attribute as the username attribute for LDAP Authentication will cause user logins to fail. LDAP authentication relies on search filters to find the username during the login process, and constructed attributes in a search filter are supported by neither Active Directory nor RFC 2251.

Active Directory does not support constructed attributes (defined in section 3.1.1.4.5) in search filters. When a search operation is performed with such a search filter, Active Directory fails with inappropriateMatching ([RFC2251] section 4.1.10).

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/0bb88bda-ed8d-4af7-9f7b-813291772990

constructed attribute: An attribute whose values are computed from normal attributes (for read) and/or have effects on the values of normal attributes (for write).
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_d848b035-c151-4fd8-88d9-9f152d053fee
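
A pre-deployment check for the failure described above, as an added example (not EFT or Microsoft code): it lists the attributes used in a search filter and flags any whose schema `systemFlags` value has the constructed bit (0x4, `FLAG_ATTR_IS_CONSTRUCTED`) set. The filter strings and the `SAMPLE_SCHEMA_FLAGS` table are constructed sample data, and the function names are hypothetical; in practice the table would come from an export of the directory's schema partition.

```python
import re

# systemFlags bit that marks an attributeSchema object as constructed
# (FLAG_ATTR_IS_CONSTRUCTED in MS-ADTS).
FLAG_ATTR_IS_CONSTRUCTED = 0x4

# Constructed sample standing in for a schema export:
# lDAPDisplayName -> systemFlags. Only bit 0x4 matters here.
SAMPLE_SCHEMA_FLAGS = {
    "objectClass": 0x12,
    "sAMAccountName": 0x12,
    "userPrincipalName": 0x12,
    "msDS-PrincipalName": 0x14,
    "canonicalName": 0x14,
}

# "(" followed by an attribute name starts a filter item; "(&", "(|" and "(!"
# do not match. Options (";binary") and matching-rule parts (":dn:...:") sit
# between the name and the "=" and are skipped by [^=()]*.
_ITEM = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9-]*)[^=()]*=")


def filter_attributes(ldap_filter):
    """Return the attribute names used in an RFC 4515 filter string, in order."""
    seen = []
    for name in _ITEM.findall(ldap_filter):
        if name.lower() not in (s.lower() for s in seen):
            seen.append(name)
    return seen


def check_filter(ldap_filter, schema_flags):
    """Split filter attributes into (constructed, unknown) lists."""
    flags = {k.lower(): v for k, v in schema_flags.items()}
    constructed, unknown = [], []
    for name in filter_attributes(ldap_filter):
        value = flags.get(name.lower())
        if value is None:
            unknown.append(name)      # not in the export: verify by hand
        elif value & FLAG_ATTR_IS_CONSTRUCTED:
            constructed.append(name)  # AD answers inappropriateMatching
    return constructed, unknown


if __name__ == "__main__":
    for f in (r"(&(objectClass=user)(msDS-PrincipalName=EXAMPLE\5cjdoe))",
              "(&(objectClass=user)(sAMAccountName=jdoe))"):
        print(f, "->", check_filter(f, SAMPLE_SCHEMA_FLAGS))
```

Any attribute reported as constructed cannot serve as the username attribute; attributes reported as unknown were missing from the export and need to be checked against the schema directly.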