Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Joe Kaplan
I'm with you on discouraging using DN as a binding user name for AD.  However, 
this is very common practice in other directories and DN is the only 
attribute that the LDAP spec defines as needing to be supported for simple 
bind.  A lot of apps that support multiple directories will insist you do it 
this way.


That isn't to say that this will apply to the app the OP is using, but I 
thought this was worth sharing.  :)


Joe K.
- Original Message - 
From: Al Mulnick

To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 06, 2006 8:53 PM
Subject: Re: [ActiveDir] Speaking of SamAccountName...


Just to throw in $0.02 (USD):
DN would be a bad idea with Active Directory outside of the information it 
gives away.  Active Directory is designed to allow for the movement and 
changing of accounts. Using the DN would break that as far as the user is 
concerned.  Since you can have multiple UPN's and at least one samaccount 
name, you should choose between them. One thought might help: if your cn and 
samaccountname match, it's easier to choose.  If your upn lhs matches the cn 
which matches the samaccountname, then it might be even easier to prevent 
identity crises.


FWIW.

And hey, that's good information to have Joe. cheers :)

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Al Mulnick
Just to throw in $0.02 (USD): 
DN would be a bad idea with Active Directory outside of the information it gives away.  Active Directory is designed to allow for the movement and changing of accounts. Using the DN would break that as far as the user is concerned.  Since you can have multiple UPN's and at least one samaccount name, you should choose between them. One thought might help: if your cn and samaccountname match, it's easier to choose.  If your upn lhs matches the cn which matches the samaccountname, then it might be even easier to prevent identity crises. 

 
FWIW. 
 
And hey, that's good information to have Joe. cheers :) 
On 6/6/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:
Speaking of SamAccountName...If they are using LDAP bind for authentication,
then it depends on what type of bind they are doing.  For LDAP simple bind
(hopefully combined with SSL or it is not secure!), AD supports:

distinguishedName
userPrincipalName
NT account name (domain\user with "user" being the sAMAccountName and domain
being the NetBIOS domain name)

For secure bind using SASL with SPNEGO (Windows auth LDAP bind), AD
supports:

userPrincipalName
NT account name (domain\user with "user" being the sAMAccountName and domain
being the NetBIOS domain name)
sAMAccountName

For that reason, I generally recommend that people use UPN or NT name as a
bind user name because it works with both.  DN is also unwieldy and reveals
a lot of the structure of the directory that apps don't necessarily need to
know.

HTH,
Joe K.

- Original Message -
From: RM
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 06, 2006 12:12 AM
Subject: [ActiveDir] Speaking of SamAccountName...

Guys, I have a dumb question..  A 3rd party app that uses LDAP for
authentication...  What attribute should be utilized for username?
SamAccountName is the pre-Windows 2000 name.  DistinguishedName is the long
form OU/CN gobbledygook.  So what is the name of the attribute for the
actual user logon name?

Thx,
RM



Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Joe Kaplan
Speaking of SamAccountName...If they are using LDAP bind for authentication, 
then it depends on what type of bind they are doing.  For LDAP simple bind 
(hopefully combined with SSL or it is not secure!), AD supports:

distinguishedName
userPrincipalName
NT account name (domain\user with "user" being the sAMAccountName and domain 
being the NetBIOS domain name)


For secure bind using SASL with SPNEGO (Windows auth LDAP bind), AD 
supports:

userPrincipalName
NT account name (domain\user with "user" being the sAMAccountName and domain 
being the NetBIOS domain name)

sAMAccountName

For that reason, I generally recommend that people use UPN or NT name as a 
bind user name because it works with both.  DN is also unwieldy and reveals 
a lot of the structure of the directory that apps don't necessarily need to 
know.


HTH,

Joe K.
- Original Message - 
From: RM

To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 06, 2006 12:12 AM
Subject: [ActiveDir] Speaking of SamAccountName...


Guys, I have a dumb question..  A 3rd party app that uses LDAP for 
authentication...  What attribute should be utilized for username? 
SamAccountName is the pre-Windows 2000 name.  DistinguishedName is the long 
form OU/CN gobbledygook.  So what is the name of the attribute for the 
actual user logon name?

Thx,
RM 




Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Al Mulnick
CN is typical. Inside a domain, samaccountname is unique. CN is only unique within the RDN. 

For those reasons, I often recommend that your CN and samaccountname be matched (which is not the default if you use the ADUC to create users). It's also helpful if you're an Exchange shop to have your alias and UPN (LHS) match your samaccountname match your CN.

Why?  Because then you don't have users that are confused as to what to enter.  You also don't have to worry about collisions when you move users around and so on.  In the end, it's about the user experience (think how much easier this job would be without users ;) so you want to make it as consistent as you can. That'll reduce your helpdesk call volume to some degree as well.  

 
This also indicates that you should have a process that generates unique id's in your environment. That'll save time later. 
Does that help?  
On 6/6/06, RM <[EMAIL PROTECTED]> wrote:



Guys, I have a dumb question..  A 3rd party app that uses LDAP for authentication...  What attribute should be utilized for username?  SamAccountName is the pre-Windows 2000 name.  DistinguishedName is the long form OU/CN gobbledygook.  So what is the name of the attribute for the actual user logon name?

Thx,
RM
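The two recommendations in this thread, Joe Kaplan's (bind with UPN or NetBIOS\sAMAccountName, since those work for both simple and SASL/SPNEGO binds) and Al Mulnick's (keep cn, sAMAccountName and the UPN left-hand side matched, and remember that sAMAccountName is unique per domain while cn is only unique per container), as an added audit script that is not from the thread. The NetBIOS name, the user entries and the dict shape are all constructed assumptions, standing in for what an LDAP search would return.

```python
# Added example, not code from the thread: audit constructed AD user entries
# for the naming consistency Al Mulnick recommends (cn == sAMAccountName ==
# UPN left-hand side; sAMAccountName unique per domain, cn unique per
# container) and derive the bind names Joe Kaplan recommends (UPN or
# NetBIOS\sAMAccountName), which AD accepts for simple and SASL/SPNEGO binds.
NETBIOS_DOMAIN = "CORP"  # assumed NetBIOS name of the constructed domain

# Constructed sample entries, shaped like the attributes an LDAP search returns.
SAMPLE_USERS = [
    {"dn": "CN=jsmith,OU=Sales,DC=corp,DC=example", "cn": "jsmith",
     "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp.example"},
    # ADUC default: cn is the display name, so it drifts from sAMAccountName
    {"dn": "CN=John Smith,OU=IT,DC=corp,DC=example", "cn": "John Smith",
     "sAMAccountName": "john.smith", "userPrincipalName": "jsmith2@corp.example"},
    {"dn": "CN=adoe,OU=IT,DC=corp,DC=example", "cn": "adoe",
     "sAMAccountName": "adoe", "userPrincipalName": "adoe@corp.example"},
]

def parent_container(dn):
    """Return the container part of a DN (everything after the first RDN)."""
    return dn.split(",", 1)[1].lower()

def bind_names(user):
    """Bind user names that AD accepts for both simple and SASL/SPNEGO binds."""
    return {"upn": user["userPrincipalName"],
            "nt": f"{NETBIOS_DOMAIN}\\{user['sAMAccountName']}"}

def audit(users):
    """Map each sAMAccountName to its list of findings (empty == consistent)."""
    findings, sam_seen, cn_seen = {}, set(), set()
    for u in users:
        sam = u["sAMAccountName"]
        upn_lhs = u["userPrincipalName"].split("@", 1)[0]
        issues = []
        if u["cn"].lower() != sam.lower():
            issues.append("cn != sAMAccountName")
        if upn_lhs.lower() != sam.lower():
            issues.append("UPN LHS != sAMAccountName")
        if sam.lower() in sam_seen:          # must be unique across the domain
            issues.append("duplicate sAMAccountName")
        sam_seen.add(sam.lower())
        cn_key = (parent_container(u["dn"]), u["cn"].lower())
        if cn_key in cn_seen:                # only has to be unique per container
            issues.append("duplicate cn in container")
        cn_seen.add(cn_key)
        findings[sam] = issues
    return findings
```

Running `audit(SAMPLE_USERS)` flags only the ADUC-style "John Smith" entry; `bind_names()` gives the two names a third-party app should be configured with instead of a DN.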


[ActiveDir] Speaking of SamAccountName...

2006-06-05 Thread RM
Guys, I have a dumb question..  A 3rd party app that uses LDAP for authentication...  What attribute should be utilized for username?  SamAccountName is the pre-Windows 2000 name.  DistinguishedName is the long form OU/CN gobbledygook.  So what is the name of the attribute for the actual user logon name?

Thx,
RM