Is it possible to login with domain\username (eng\hsimpson) against LDAP?
What attribute(s) do I need to pass for the LDAP to recognize the domain?
Thanks for any help you can throw at me.
Nope; LDAP requires just the username.
You can do UPN if you change your user variable from sAMAccountName=<USER> to userPrincipalName=<USER>.
The domain\username format is available only with the AD/NT server type. What is the reason for wanting this functionality?
You could try doing AD/NT for authentication (which accepts that format) and LDAP for authorization (group lookup & attributes); but if the reason is a multi-domain environment, you will need multiple LDAP servers regardless.
Yes, multi-domain environment. Users are scattered across multiple domains; the groups used to map roles are in one container.
But the roles/groups would have members that are users from the various domains.
I actually tricked Juniper with LDAP. I have 4 domains: asia.co.com, europe.co.com, southamerica.co.com, northamerica.co.com. We do not have co.com in AD; it is lateral. I went at the local DC using port 3268 and told Juniper that the base DN is dc=co,dc=com. Juniper complains the base DN is invalid but will authenticate and do group lookups across domains. This works well. You do lose port 389 messages from AD.
To finish, you no longer need the domain, only ID and password. I did have to set the server to generic and unencrypted. You also lose external password reset. AD holds the attribute <userAttr.userPrincipalName> that is [email protected]. You can use that in SSO if you want.
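An added example (not from either poster or from Juniper) that turns the two suggestions in this thread into one lookup planner: the UPN filter swap from the first answer and the Global Catalog (port 3268) with a forest-root base DN from the second. The forest name co.com and the NetBIOS-to-DNS mapping are assumed inputs, and the login value is RFC 4515-escaped before it goes into the filter so a crafted username cannot rewrite the search.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 4515 filter escaping: without it a login such as "x)(objectClass=*"
# would rewrite the search filter (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def dns_to_base_dn(dns_name: str) -> str:
    """eng.co.com -> dc=eng,dc=co,dc=com"""
    return ",".join(f"dc={label}" for label in dns_name.lower().split("."))


@dataclass(frozen=True)
class UserSearch:
    port: int          # 3268 = Global Catalog (forest-wide), 389 = single domain
    base_dn: str
    search_filter: str


def plan_user_search(login: str, forest_root: str,
                     netbios_map: Optional[Dict[str, str]] = None,
                     use_global_catalog: bool = True) -> UserSearch:
    """Map a login in domain\\user, UPN or bare sAMAccountName form to an LDAP search."""
    netbios_map = netbios_map or {}          # assumed: {"ENG": "eng.co.com", ...}
    port = 3268 if use_global_catalog else 389
    base_dn = dns_to_base_dn(forest_root)
    if "\\" in login:
        # domain\user: the NetBIOS prefix is not an LDAP attribute, so resolve it to the
        # domain's naming context and scope the search there. sAMAccountName is only
        # unique within one domain, so a forest-wide search by it alone is ambiguous.
        domain, _, user = login.partition("\\")
        try:
            base_dn = dns_to_base_dn(netbios_map[domain.upper()])
        except KeyError:
            raise ValueError(f"unknown NetBIOS domain: {domain}") from None
        attr, value = "sAMAccountName", user
    elif "@" in login:
        # A UPN is unique across the forest, so a GC search from the forest root suffices.
        attr, value = "userPrincipalName", login
    else:
        attr, value = "sAMAccountName", login
    search_filter = f"(&(objectClass=user)(objectCategory=person)({attr}={ldap_escape(value)}))"
    return UserSearch(port, base_dn, search_filter)
```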