We must use LDAP_BIND to connect to our AD because it gives better security.
This forces us to use <username>@domain.com usernames for the frontend.
We use
accountPattern = (&(objectClass=person)(userPrincipalName=${username}))
to make it work.
See also this discussion: https://groups.google.com/forum/#!topic/repo-discuss/zRzCCfrNFVk
All our other tools connecting to the same AD use only the username part to log in.
We would like a configuration option which allows some flexibility in the usernames.
Proposed solution:
Add a configuration option like this: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Options#Straight_DN_bind_options
for example:
[ldap]
accountBindString = "${username}@domain.com"
The expanded value of that is then used as a bind DN instead of the username directly.
This allows "simple" usernames while still using LDAP_BIND.
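A sketch of how the proposed expansion could behave, as an added example that is not Gerrit's code and not part of the original request. The function names are hypothetical, `domain.com` is the placeholder from the post, and it assumes the expanded value is also what gets substituted into `accountPattern`. It accepts both the short name and the full `user@domain.com` form, rejects other suffixes, and escapes the value per RFC 4515 before it reaches the search filter.

```python
import re

# Values taken from the post; domain.com is the post's placeholder domain.
ACCOUNT_BIND_STRING = "${username}@domain.com"
ACCOUNT_PATTERN = "(&(objectClass=person)(userPrincipalName=${username}))"

# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand(template, username):
    """Substitute the ${username} placeholder, as the proposed option would."""
    return template.replace("${username}", username)


def bind_principal(login, bind_template=ACCOUNT_BIND_STRING):
    """Return the identity to present in the simple bind.

    Accepts 'alice' or 'alice@domain.com'; anything else is rejected
    (hypothetical policy chosen for this example).
    """
    suffix = bind_template.split("${username}", 1)[1]  # "@domain.com"
    login = login.strip()
    if suffix and login.lower().endswith(suffix.lower()):
        login = login[: -len(suffix)]  # user typed the full form already
    # Allowlist for the short name: no '@', no filter or DN metacharacters.
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", login):
        raise ValueError("unsupported username: %r" % login)
    return expand(bind_template, login)


def account_filter(login):
    """Build the account search filter from the same normalized identity."""
    return expand(ACCOUNT_PATTERN, escape_filter_value(bind_principal(login)))


if __name__ == "__main__":
    for sample in ("alice", "Alice@DOMAIN.COM"):  # constructed sample logins
        print(sample, "->", bind_principal(sample), account_filter(sample))
```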