I have installed OOD on our cluster and everything I configured so far works. The cluster (and hence OOD) uses DEX/LDAP authentication.
Among other things, I configured the sssd.conf for the cluster to use
use_fully_qualified_names = False
so people can log in via ssh with their username rather than username@domain.lab (and also usernames, home directories, copy-paste and lots of other stuff are simplified and do not have that ugly @ in the way). This is of course possible since there is nobody outside of domain.lab who can log in.
In OOD, for now I configured dex with
userSearch:
  username: userPrincipalName
which I can see in the logs generates an ldap search with a filter containing (among other things)
(userPrincipalName=whatever_one_types_as_username)
That works if one uses something like davide@domain.lab for the username. Then the mapping removes that suffix and everything works. However, both my users and I really dislike that, both for the additional characters one has to type and for the mismatch between OOD and ssh (and the more naive users can’t remember where to use the suffix and so always use it in the wrong place, etc.). I would like to have people use something like davide instead, but that does not work because the filter will contain only
(userPrincipalName=davide) rather than (userPrincipalName=davide@domain.lab) and the search will fail. If the search succeeds I would then need to change the mapping, but that’s easy.
It should also be easy to add a suffix to the search string, but I can’t figure out if OOD and/or dex can be configured to do that.