Hi Mike,

Here is an MS blurb from one of their workshops on the InetOrgPerson class...

"What Is the InetOrgPerson Object?

Most non-Microsoft LDAP and X.500 directory services such as Novell eDirectory and Netscape Directory Server use the InetOrgPerson object class to represent people within an organization. To make those applications more compatible with Active Directory and permit the migration of InetOrgPerson objects to Active Directory, the InetOrgPerson class is added to the Active Directory schema for Windows 2003 Server. Microsoft Windows® 2000 did not support the InetOrgPerson account. Windows Server 2003 includes the InetOrgPerson account, in addition to the standard user account type that Windows 2000 supports. You can use the InetOrgPerson account in Windows Server 2003 in all of the same ways as a standard user account. The InetOrgPerson account is a security principal in Windows Server 2003, so it can be a member of security groups and can be assigned rights and privileges to objects and resources.

In Windows 2000, Active Directory uses the unicodePwd attribute to store passwords for user accounts. Most other LDAP-compliant directories use the userPassword property to store passwords for user accounts. In Windows Server 2003, when the domain functional level is set to Windows Server 2003, you can use the userPassword attribute to store the password for InetOrgPerson accounts. This enables you to use InetOrgPerson accounts to provide compatibility with other directory services that your organization uses."

My specific interest is in authenticating OpenLDAP clients against AD. To my understanding, certain clients expecting to see an inetOrgPerson class may not respond well to the user class. If one is using pam_ldap it is possible to && some specific values in /etc/ldap.conf and authenticate a user; in order to do this I prefer to use a more standardized person objectClass, and inetOrgPerson is the best one that MS provides.

Before implementing you may want to read some of the following KB articles:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q307998
http://support.microsoft.com/?id=822591
http://support.microsoft.com/default.aspx?scid=kb;en-us;811656
http://support.microsoft.com/default.aspx?scid=kb;en-us;314649

________________________________

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 4/21/2004 10:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

This thread has gotten my interest. We had IBM in here a couple of years ago talking about their LDAP and that Active Directory was inferior because of its implementation of the InetOrgUser class instead of InetOrgPerson. We stopped them when we mentioned our intention of going with .NET (was RC2 at the time) and that their implementation of InetOrgPerson appeared to be as compliant as anyone else's implementation.

However, I've heard very little about InetOrgPerson since then. In fact, we had a trainer in-house late last year to train some of our staff and he stated that he's never heard of anyone using or wanting to use InetOrgPerson. I told him that I've been recommending that we need to implement AD using InetOrgPerson instead of User.

My concern is compatibility with other organizations (we will be in acquisition mode in a year or so) as well as compatibility with enterprise LDAP directories (we're in need of something that will cover multiple platforms). I would appreciate it if you could comment, offline if you want, as to why you are seeking to migrate to InetOrgPerson or whether you chose InetOrgPerson at the outset for your implementation. I'm curious about the degree of adoption. I'm running into a great deal of resistance regarding InetOrgPerson here and am concerned that we would end up looking at a migration very shortly after our migration.

Thanks,
Mike

> I have chased MS on this for an official KB article without success. I have done this in production without any hassles though on exactly the same scenario you described: third party kit that likes inetOrgPerson better than the user class.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brent Westmoreland
> Sent: 21 April 2004 02:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] User to InetOrgPerson Class
>
> Using pure LDAP logic, one would assume that is the case. I guess I was hoping someone had stumbled across a KB article so that once this is done in production, I have an endorsed Microsoft methodology to take to management.
>
> On Apr 21, 2004, at 8:12 AM, Ulf B. Simon-Weidner wrote:
>
> > Hello Brent,
> >
> > this is very easy to accomplish: you just need to add the inetOrgPerson class to the objectClass attribute of the user using adsiedit or a script.
> >
> > Ulf
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brent Westmoreland
> > Sent: Tuesday, 20. April 2004 21:18
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] User to InetOrgPerson Class
> >
> > Does anyone know of a Microsoft endorsed way to change a Win2k3 user object to an InetOrgPerson object without having to export the information and reimport it? There is a potential that some of our clients will need to interact with Active Directory from an alternate client. This change would be more easily supported if the user were defined as an InetOrgPerson.
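As an added example, not code from the thread and not the Microsoft-endorsed procedure Brent was asking for (the thread reports no KB article for it), the following PowerShell/ADSI script does what Ulf describes: it appends inetOrgPerson to the objectClass attribute of an existing user object, which is the same write adsiedit performs. It assumes a domain-joined host, an account with write access to the object, and a Windows Server 2003 or later schema that carries the inetOrgPerson class; the DN is a constructed placeholder. Before writing it checks that the schema has the class and that the target really is a user object, and afterwards it re-reads the object to confirm the class chain now includes inetOrgPerson, so a failed or partially applied change is caught rather than assumed.

```powershell
# Added example, not from the thread: append inetOrgPerson to an existing user's
# objectClass through ADSI, the scripted equivalent of Ulf's adsiedit step.
# Assumptions: domain-joined host, an account with write access to the object,
# and a Windows Server 2003 (or later) schema that contains inetOrgPerson.
param(
    # Constructed placeholder DN; replace with the real object
    [string]$UserDn = "CN=Jane Doe,OU=Staff,DC=example,DC=com",
    [switch]$WhatIf
)

$ErrorActionPreference = "Stop"

# 1. Confirm the schema carries inetOrgPerson before touching any account
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.Properties["schemaNamingContext"].Value
try {
    $classDef = [ADSI]("LDAP://CN=inetOrgPerson," + $schemaNc)
    $null = $classDef.Properties["lDAPDisplayName"].Value   # forces the bind
} catch {
    throw "inetOrgPerson is not defined in $schemaNc (Windows 2000 schema?); aborting."
}

# 2. Read the object and its current class chain (top, person, organizationalPerson, user)
$entry   = [ADSI]("LDAP://" + $UserDn)
$classes = @($entry.Properties["objectClass"] | ForEach-Object { [string]$_ })
Write-Host "Before: $($classes -join ', ')"

if ($classes -contains "inetOrgPerson") {
    Write-Host "$UserDn is already an inetOrgPerson; nothing to do."
    return
}
if ($classes -notcontains "user") {
    throw "Refusing to modify $UserDn: it is not a user object."
}

if ($WhatIf) {
    Write-Host "WhatIf: would append inetOrgPerson to objectClass of $UserDn"
    return
}

# 3. Append (ADS_PROPERTY_APPEND = 3) rather than replace, so the existing chain is kept
$entry.PutEx(3, "objectClass", @("inetOrgPerson"))
$entry.SetInfo()

# 4. Re-read from the directory and verify the change persisted
$entry.psbase.RefreshCache()
$after = @($entry.Properties["objectClass"] | ForEach-Object { [string]$_ })
Write-Host "After:  $($after -join ', ')"
if ($after -notcontains "inetOrgPerson") {
    throw "objectClass on $UserDn does not contain inetOrgPerson after SetInfo"
}
```

Run it first with `-WhatIf` against a test account in a lab domain; the pre-checks are the part that matters operationally, since the write itself is a single attribute append. Because the blurb above notes that userPassword becomes a usable password attribute for inetOrgPerson objects at the Windows Server 2003 functional level, it is worth reviewing who holds write permission on that attribute for any object you convert.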
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/