The solution I finally was content with is as follows: It turns out that the Windows AD login does not really differentiate between umlauts and their dotless counterparts. That is, it has always been possible for a user named "Müller" to log in, e.g. to a Windows workstation, using "Muller" (or a user named "Hoffmann" could as well have used "Höffmänn" as login name). Consequently, using the umlaut-less alternative for WLAN authentication works out of the box. So we can keep the correct spelling in AD, and users can most of the time use their correct spelling to log in - only when logging in to the company WLAN do they need to drop the dieresis. This is somewhat unusual because users might expect that umlauts would be replaced per ä->ae, ö->oe, ü->ue instead of just ä->a, ö->o, ü->u. But at least it allows us to keep the correctly spelled names in the directory and needs no special modification to allow user login (except teaching the users).
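
As an added example (not part of the original post): a Python helper that builds the instruction sheet for users, giving the ä->a spelling for the WLAN login next to the ä->ae spelling they might try instead, and lists directory names that differ only by such marks. Stripping combining marks is an assumption used here to reproduce the mapping the post describes, not AD's own comparison logic; the function names and sample names are constructed.

```python
import unicodedata
from collections import defaultdict

# The ä->ae convention users might expect (per the post); not the WLAN spelling.
TRANSLIT = str.maketrans({"ä": "ae", "ö": "oe", "ü": "ue",
                          "Ä": "Ae", "Ö": "Oe", "Ü": "Ue"})


def strip_diaeresis(name):
    """Drop combining marks: 'Müller' -> 'Muller' (the ä->a mapping).

    Assumption: NFD decomposition plus mark removal stands in for the
    behaviour described in the post. Letters without a decomposition,
    such as 'ß', are returned unchanged.
    """
    decomposed = unicodedata.normalize("NFD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def wlan_login_sheet(names):
    """Rows of (directory name, WLAN login, spelling to avoid or None)."""
    rows = []
    for name in names:
        folded = strip_diaeresis(name)
        if folded == name:
            continue  # nothing to teach this user
        expected = unicodedata.normalize("NFC", name).translate(TRANSLIT)
        rows.append((name, folded, expected if expected != name else None))
    return rows


def folded_collisions(names):
    """Directory names that become identical once marks are dropped."""
    groups = defaultdict(list)
    for name in names:
        groups[strip_diaeresis(name).casefold()].append(name)
    return {key: group for key, group in groups.items() if len(group) > 1}


# Constructed sample directory names.
SAMPLE = ["Müller", "Hoffmann", "Schröder", "Muller", "Jäger"]

if __name__ == "__main__":
    for directory_name, wlan, avoid in wlan_login_sheet(SAMPLE):
        print(f"{directory_name}: WLAN login '{wlan}', not '{avoid}'")
    for key, group in folded_collisions(SAMPLE).items():
        print(f"review before rollout: {group} all fold to '{key}'")
```
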