Expose OU and other LDAP attributes/characteristics to use in RBAC for Windows machines #11575
Labels:
- desktop-access
- feature-request (Used for new features in Teleport; improvements to current features should be #enhancements)
- rbac (Issues related to Role Based Access Control)
- windows
What

The current host_labels logic for Windows machines is good but doesn't allow you to build labels for RBAC based on LDAP OU or similar. It'd be good to expose LDAP OU or maybe even a full DN and allow labels to match against this to allow more sophisticated labelling.

How

Have a fuller set of LDAP characteristics/attributes exposed and let Teleport do matching against these as well as the machine's hostname.
Why

Bigger estates often don't have coherent hostnames which expose enough information about the machine to let you build RBAC rules based on hostname only. By contrast, LDAP OU and DN are usually far more specific.
Workaround

It's possible to work around this currently by running multiple agents, each providing a windows_desktop_service with a different configured base_dn. This is cumbersome and adds a lot of overhead, however.
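The following configuration illustrates the workaround described above. It is an added example, not the snippet from the original issue and not taken from Teleport's own documentation: two windows_desktop_service agents, each scoped to a different discovery base_dn, each stamping an "ou" label on every host it discovers through a catch-all host_labels rule, and a role that grants access only to desktops carrying one of those labels. The discovery, ldap, match, labels and windows_desktop_labels keys are assumed from the windows_desktop_service and role configuration formats; the OU names, hostnames and role name are constructed placeholders.

```yaml
# Agent 1 (its own teleport.yaml on its own host): discovers only the Finance OU.
# Constructed example; auth/join settings omitted.
windows_desktop_service:
  enabled: yes
  ldap:
    addr: ldap.example.com:636          # placeholder
    domain: example.com                 # placeholder
    username: 'EXAMPLE\svc-teleport'    # placeholder service account
  discovery:
    base_dn: 'OU=Finance,OU=Workstations,DC=example,DC=com'   # placeholder OU
  host_labels:
    # The OU is not available to match against, so match every hostname this
    # agent discovers; the label therefore reflects the agent's base_dn scope.
    - match: '.*'
      labels:
        ou: finance
---
# Agent 2 (a second teleport.yaml on a second host): discovers only the Engineering OU.
windows_desktop_service:
  enabled: yes
  ldap:
    addr: ldap.example.com:636          # placeholder
    domain: example.com                 # placeholder
    username: 'EXAMPLE\svc-teleport'    # placeholder service account
  discovery:
    base_dn: 'OU=Engineering,OU=Workstations,DC=example,DC=com'   # placeholder OU
  host_labels:
    - match: '.*'
      labels:
        ou: engineering
---
# Role applied with `tctl create -f`: members may only reach desktops that
# were discovered (and labelled) by the Finance agent.
kind: role
version: v5
metadata:
  name: finance-desktop-users          # placeholder role name
spec:
  allow:
    windows_desktop_labels:
      ou: finance
    windows_desktop_logins: ['{{internal.windows_logins}}']
```

Because the label is derived from which agent discovered the host rather than from an attribute on the host itself, the base_dn values of the agents must not overlap, or a single machine could be reported under both labels and satisfy more roles than intended. That per-agent scoping is exactly the overhead the issue is asking to remove by exposing OU or DN directly.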