This was, after all, just a configuration issue. Reading the docs carefully enough yielded the following configuration, which works:
ad.server2.host = srv.dom.de
ad.server2.port = 636
ad.server2.bindRequiresDn = false
ad.server2.baseDn = "OU=Benutzer,OU=DOM,DC=dom,DC=de"
ad.server2.accountFilterFormat = "CN=%s"
ad.server2.useSsl = true
ad.server2.useStartTls = false
ad.server2.accountCanonicalForm = 3
ad.server2.accountDomainNameShort = "dom"
And that's really all. Authentication against AD is done with the username in the form dom\username, therefore accountCanonicalForm had to be set to 3, which is the backslash-style syntax, and accountDomainNameShort then defines the domain part of that canonical account name. With bindRequiresDn = false the adapter binds with that dom\username name directly instead of first having to look up the user's DN. Note that useSsl = true on port 636 means the bind, and with it the user's password, travels over LDAPS rather than in the clear; useStartTls stays off because StartTLS only applies to a plain LDAP connection that is upgraded afterwards.
Once understood it's pretty logical, but figuring that out without any prior knowledge... well, it's working now :)
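The option names above (bindRequiresDn, accountFilterFormat, accountCanonicalForm, accountDomainNameShort) are the ones used by Zend Framework 1's Zend_Ldap, so here is how the configuration gets wired into Zend_Auth_Adapter_Ldap. This is an added example, not code from the original post; the INI path, the INI section name, the "ad" prefix being loaded into a Zend_Config_Ini and the sample username and password are assumptions.

```php
<?php
// Added example (not from the original post). Assumes Zend Framework 1, an INI
// file containing the ad.server2.* lines from the post under a section named
// "production", and a caller passing the credentials the user typed in.
require_once 'Zend/Config/Ini.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Result.php';
require_once 'Zend/Auth/Adapter/Ldap.php';
require_once 'Zend/Ldap.php';

// Zend_Auth_Adapter_Ldap expects an array of server option arrays keyed by an
// arbitrary name. Loading the "ad" prefix therefore yields
// array('server2' => array('host' => 'srv.dom.de', 'port' => 636, ...)),
// which is exactly the shape the adapter wants. (Path is an assumption.)
$config  = new Zend_Config_Ini('/path/to/application.ini', 'production');
$options = $config->ad->toArray();

/**
 * Authenticates $username / $password against the configured AD server.
 * Returns the Zend_Auth_Result so the caller can inspect code and messages.
 */
function authenticateAgainstAd(array $options, $username, $password)
{
    $adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
    return Zend_Auth::getInstance()->authenticate($adapter);
}

/**
 * Shows what the adapter binds with: with accountCanonicalForm = 3 and
 * accountDomainNameShort = "dom", a bare "jdoe" is canonicalised to the
 * backslash form, and "jdoe@dom.de" / "dom\jdoe" input is accepted as well
 * because the domain part is checked against the configured domain names.
 */
function canonicalBindName(array $options, $username)
{
    $ldap = new Zend_Ldap($options['server2']);
    return $ldap->getCanonicalAccountName($username, Zend_Ldap::ACCTNAME_FORM_BACKSLASH);
}

// Sample credentials are constructed for the example; they are not real.
$result = authenticateAgainstAd($options, 'jdoe', 'not-a-real-password');

if ($result->getCode() === Zend_Auth_Result::SUCCESS) {
    // getIdentity() returns the canonical account name the adapter bound with.
    echo 'Logged in as ' . $result->getIdentity() . PHP_EOL;
} else {
    // Zend_Auth_Adapter_Ldap fills messages[0] and messages[1] with user-safe
    // text; everything from messages[2] onwards is debugging detail (bind
    // names, server replies) that belongs in a server-side log, not in the
    // response shown to the user.
    $messages = $result->getMessages();
    echo 'Login failed: ' . $messages[0] . PHP_EOL;
    error_log('LDAP auth detail: ' . implode(' | ', array_slice($messages, 1)));
}

echo 'Bind name for "jdoe": ' . canonicalBindName($options, 'jdoe') . PHP_EOL;
```

Keeping the debug messages out of the user-facing error is the one thing worth being strict about here: with several servers configured, the adapter tries each in turn and the later messages spell out which server and which bind name failed.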