> Marcus Watts <[EMAIL PROTECTED]> writes:
>
> > Openldap tracks groups in groups by DN, so changing names
> > is *real* painful.
>
> The standard solution to this problem for any sort of directory-like
> system is to just not use the user-visible name as a DN. In general,
> that's a good idea for a whole bunch of reasons; the properties that users
> want in names quite frequently conflict with the properties of a system
> unique identifier.
>
> We use machine-generated unique IDs for DNs in our directory of people.
> PTS already does something similar by using negative numbers for group
> identifiers.
>
> LDAP is good at being able to search and retrieve by things that aren't
> the unique identifiers.
Yes, in fact there is some work in the IETF and other places now to
write schema for a KDC, which will probably be the way the unique id
for a user (i.e. something like kdcPrincipal) is done.
Cheers, Leif
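A constructed LDIF sketch of the design the quoted reply describes (added here, not part of the thread): the DN is an opaque machine-generated identifier, the user-visible name lives in ordinary attributes, and a group references the stable DN. The base `dc=example,dc=com`, the UUID-style `uid` values and the group name are assumptions.

```ldif
# Constructed example: a person entry keyed by an opaque, machine-generated
# identifier; the human-readable name is an attribute, not the DN.
dn: uid=7f1c2e4a-0000-4000-8000-000000000001,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: 7f1c2e4a-0000-4000-8000-000000000001
cn: Jane Doe
sn: Doe
mail: jdoe@example.com

# Group membership points at the stable DN, so it never needs rewriting.
dn: cn=afs-admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: afs-admins
member: uid=7f1c2e4a-0000-4000-8000-000000000001,ou=People,dc=example,dc=com

# Renaming the person is a plain attribute modify (e.g. fed to ldapmodify);
# the DN, and therefore every member: value referring to it, is unchanged.
dn: uid=7f1c2e4a-0000-4000-8000-000000000001,ou=People,dc=example,dc=com
changetype: modify
replace: cn
cn: Jane Smith
-
replace: sn
sn: Smith
-
replace: mail
mail: jsmith@example.com
```

Had the DN been `cn=Jane Doe,ou=People,...`, the same rename would be a modrdn and every group `member:` value (and any ACL naming that DN) would have to be updated in step, which is the pain the thread is about; lookups by name still work here via a search filter such as `(cn=Jane Smith)`.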