privacyidea / privacyidea-ldap-proxy

LDAP Proxy to intercept LDAP binds and authenticate against privacyIDEA
GNU Affero General Public License v3.0

Support different realms/applications in case the app does not execute preamble #16

Open fredreichbier opened 7 years ago

fredreichbier commented 7 years ago

#13 implements mapping of applications to realms by monitoring the LDAP traffic for so-called preambles: A preamble is the LDAP search request performed by applications prior to an LDAP bind. This LDAP search is used to locate the user in the directory. We modify the filter of the search request to include an app marker that is used to identify the app.

But what if the app does not perform an LDAP search prior to the bind? This could be the case if the app constructs the user DN according to a template. Then, we cannot use the preamble to identify the app.

cornelinux commented 7 years ago

For DN mangling, see https://tools.ietf.org/html/rfc4514#section-2. The RFC does not recommend that DC= or O=, C= be the last tag. So we could also add a CN=App-... at the end of the DN.

fredreichbier commented 7 years ago

Yep: We could include the app marker in the user DN template, e.g. uid=${uid},ou=people,dc=example,dc=com,dc=App-someApp. The LDAP proxy could then simply chop off the last component when receiving the bind request.

This should cause no problems if the app only ever performs bind requests. Special care is needed if the app performs an LDAP search after the bind.
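The DN-marker scheme sketched in the two comments above, as an added example that is not code from privacyidea-ldap-proxy or from either commenter. It assumes the marker is the last RDN and has the form `cn=App-<name>` (cornelinux's `CN=App-...` variant rather than the `dc=App-someApp` in fredreichbier's template), a hypothetical app-to-realm table, and constructed sample bind DNs. The RDN splitter honours RFC 4514 escapes, so a comma inside a user's RDN (`uid=bob\,jr`) does not confuse the "chop off the last component" step; a DN that is only a marker, or a marker that is not in last position, is left untouched and treated as carrying no app.

```python
"""Added example (not code from privacyidea-ldap-proxy): recognise an app marker
RDN appended to a templated bind DN, strip it, and pick the privacyIDEA realm
for that app.  Everything here is an assumption for illustration: the marker
form ``cn=App-<name>`` as the last RDN, the attribute name, the app->realm
table and the sample DNs.
"""
import re
from typing import List, Optional, Tuple

# Assumed marker form: last RDN is cn=App-<name>; attribute type matched
# case-insensitively, the name restricted to a conservative character set.
MARKER_RE = re.compile(r"(?i:cn)\s*=\s*App-([A-Za-z0-9_.-]+)")

# Constructed app -> privacyIDEA realm table (hypothetical values).
APP_REALMS = {"owncloud": "realm-cloud", "wiki": "realm-wiki"}
DEFAULT_REALM = "realm-default"   # used when a bind carries no marker


def split_rdns(dn: str) -> List[str]:
    """Split an RFC 4514 DN string into RDN strings.

    A backslash escapes the next character (``\\,``) or starts a hex pair
    (``\\2C``); in both cases the comma it protects must not split the DN,
    so the escape pair is copied verbatim and skipped.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.extend(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).lstrip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).lstrip())
    return rdns


def strip_app_marker(dn: str) -> Tuple[str, Optional[str]]:
    """Return (DN without marker, app name), or (dn, None) if no marker.

    Only the *last* RDN is inspected, and a DN consisting of the marker
    alone is not accepted as a user DN.
    """
    rdns = split_rdns(dn)
    if len(rdns) < 2:
        return dn, None
    m = MARKER_RE.fullmatch(rdns[-1])
    if m is None:
        return dn, None
    return ",".join(rdns[:-1]), m.group(1)


def realm_for_bind(bind_dn: str) -> Tuple[str, str]:
    """Map an incoming bind DN to (real user DN, privacyIDEA realm).

    An unknown app marker is an error rather than a silent fallback, so a
    misconfigured template cannot authenticate against the wrong realm.
    """
    user_dn, app = strip_app_marker(bind_dn)
    if app is None:
        return user_dn, DEFAULT_REALM
    if app not in APP_REALMS:
        raise ValueError(f"unknown app marker: {app!r}")
    return user_dn, APP_REALMS[app]


if __name__ == "__main__":
    # Constructed sample binds, including an escaped comma inside the uid.
    for dn in (
        "uid=alice,ou=people,dc=example,dc=com,cn=App-owncloud",
        "uid=bob\\,jr,ou=people,dc=example,dc=com,CN=App-wiki",
        "uid=carol,ou=people,dc=example,dc=com",
    ):
        print(dn, "->", realm_for_bind(dn))
```

The same `strip_app_marker` can be applied to the base DN of any search the app sends after the bind, which is one way to handle the post-bind search case raised above; what the directory returns still contains no marker, so an app that compares returned DNs against its own template would need the marker re-appended on the way back.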