RE: [ActiveDir] User to InetOrgPerson Class

2004-05-06 Thread joe 
I would say it is in the process of happening and will get more and more
prevelant. Probably to the great dislike of many a Linux person who until
recently has been pushing so hard for Linux to be the mainstream replace
everything MS OS. I know many are backing off of that now as they realize
what it takes to make it replace MS in a major way, a lot of the things they
don't like about MS they have to emulate. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, May 06, 2004 7:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

That's long since happened, my friend.

The particular distro I was installing was Redhat 7.1[1], which is required
for one of our soon to be legacy products...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Yeah - so what if it hasn't been supported in years?
 

> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 04, 2004 11:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Agreed. As Linux tries to become more and more mainstream you will 
> most likely have dists that bloat more and more in terms of what is 
> dropped on the disk by default.
> 
>   joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sean
> Sent: Tuesday, May 04, 2004 10:40 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Of course that does tend to be distribution specific ;)
> 
> On Mon, 2004-05-03 at 09:40, Roger Seielstad wrote:
> > Actually, close.
> > 
> > Apparently, a "base" install of Linux doesn't include things like 
> > ping, traceroute, ssh, nor much else in the way of basic tools.
> > 
> > Roger
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator 
> > Inovis Inc.
> >  
> > 
> > > -----Original Message-
> > > From: joe [mailto:[EMAIL PROTECTED]
> > > Sent: Sunday, May 02, 2004 11:17 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > Driver error. Recompile kernel 
> > > 
> > >  
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > Seielstad
> > > Sent: Thursday, April 22, 2004 10:42 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > Um, yeah. That's right.
> > > 
> > > If I wasn't spending all day yesterday trying to fix a
> Linux box, I
> > > would have definitely written the same thing.
> > > 
> > > --
> > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator 
> > > Inovis Inc.
> > >  
> > > 
> > > > -Original Message-
> > > > From: joe [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, April 22, 2004 9:40 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > > 
> > > > Roger, you are just mad because you were typing up the same
> > > note and I
> > > > typed it and sent it out faster...
> > > > 
> > > > Oh well I have to get back to unburying myself. Just came
> > > in to spot
> > > > check to see what you all were saying behind my back...
> > > > 
> > > > I should be back hard core in a week or two. In the
> meanwhile I am
> > > > digging out of email and work issues and also during an
> EMC issue
> > > > I was looking at I think I figured out something else cool to
> > > put into
> > > > adfind...
> > > > We shall see. 
> > > > 
> > > >   joe
> > > >  
> > > > 
> > > > -Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > > Seielstad
> > > > Sent: Thursday, April 22, 2004 9:27 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > > 
> > > > Please - we're trying to not encourage him... ;)
> > > > 
> >

RE: [ActiveDir] User to InetOrgPerson Class

2004-05-06 Thread Roger Seielstad 
That's long since happened, my friend.

The particular distro I was installing was Redhat 7.1[1], which is required
for one of our soon to be legacy products...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Yeah - so what if it hasn't been supported in years?
 

> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, May 04, 2004 11:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Agreed. As Linux tries to become more and more mainstream you 
> will most
> likely have dists that bloat more and more in terms of what 
> is dropped on
> the disk by default.
> 
>   joe 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sean
> Sent: Tuesday, May 04, 2004 10:40 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Of course that does tend to be distribution specific ;)
> 
> On Mon, 2004-05-03 at 09:40, Roger Seielstad wrote:
> > Actually, close.
> > 
> > Apparently, a "base" install of Linux doesn't include things like 
> > ping, traceroute, ssh, nor much else in the way of basic tools.
> > 
> > Roger
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >  
> > 
> > > -Original Message-
> > > From: joe [mailto:[EMAIL PROTECTED]
> > > Sent: Sunday, May 02, 2004 11:17 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > Driver error. Recompile kernel 
> > > 
> > >  
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > Seielstad
> > > Sent: Thursday, April 22, 2004 10:42 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > Um, yeah. That's right.
> > > 
> > > If I wasn't spending all day yesterday trying to fix a 
> Linux box, I 
> > > would have definitely written the same thing.
> > > 
> > > --
> > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator 
> > > Inovis Inc.
> > >  
> > > 
> > > > -Original Message-
> > > > From: joe [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, April 22, 2004 9:40 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > > 
> > > > Roger, you are just mad because you were typing up the same
> > > note and I
> > > > typed it and sent it out faster...
> > > > 
> > > > Oh well I have to get back to unburying myself. Just came
> > > in to spot
> > > > check to see what you all were saying behind my back...
> > > > 
> > > > I should be back hard core in a week or two. In the 
> meanwhile I am 
> > > > digging out of email and work issues and also during an 
> EMC issue 
> > > > I was looking at I think I figured out something else cool to
> > > put into
> > > > adfind...
> > > > We shall see. 
> > > > 
> > > >   joe
> > > >  
> > > > 
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > > Seielstad
> > > > Sent: Thursday, April 22, 2004 9:27 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > > 
> > > > Please - we're trying to not encourage him... ;)
> > > > 
> > > > Roger
> > > > --
> > > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator 
> > > > Inovis Inc.
> > > >  
> > > > 
> > > > > -Original Message-
> > > > > From: Jerry Welch [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, April 22, 2004 9:14 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > > > 
> > > > > GO JOE

RE: [ActiveDir] User to InetOrgPerson Class

2004-05-05 Thread joe 
Agreed. As Linux tries to become more and more mainstream you will most
likely have dists that bloat more and more in terms of what is dropped on
the disk by default.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sean
Sent: Tuesday, May 04, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

Of course that does tend to be distribution specific ;)

On Mon, 2004-05-03 at 09:40, Roger Seielstad wrote:
> Actually, close.
> 
> Apparently, a "base" install of Linux doesn't include things like 
> ping, traceroute, ssh, nor much else in the way of basic tools.
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, May 02, 2004 11:17 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > Driver error. Recompile kernel 
> > 
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > Seielstad
> > Sent: Thursday, April 22, 2004 10:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > Um, yeah. That's right.
> > 
> > If I wasn't spending all day yesterday trying to fix a Linux box, I 
> > would have definitely written the same thing.
> > 
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator 
> > Inovis Inc.
> >  
> > 
> > > -Original Message-
> > > From: joe [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, April 22, 2004 9:40 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > Roger, you are just mad because you were typing up the same
> > note and I
> > > typed it and sent it out faster...
> > > 
> > > Oh well I have to get back to unburying myself. Just came
> > in to spot
> > > check to see what you all were saying behind my back...
> > > 
> > > I should be back hard core in a week or two. In the meanwhile I am 
> > > digging out of email and work issues and also during an EMC issue 
> > > I was looking at I think I figured out something else cool to
> > put into
> > > adfind...
> > > We shall see. 
> > > 
> > >   joe
> > >  
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > Seielstad
> > > Sent: Thursday, April 22, 2004 9:27 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > Please - we're trying to not encourage him... ;)
> > > 
> > > Roger
> > > --
> > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator 
> > > Inovis Inc.
> > >  
> > > 
> > > > -----Original Message-----
> > > > From: Jerry Welch [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, April 22, 2004 9:14 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > > 
> > > > GO JOE !!
> > > > 
> > > > Jerry Welch
> > > > CPS Systems
> > > > US/Canada: 888-666-0277
> > > > International: +1 703 827 0919 (-5 GMT)
> > > > 
> > > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] Behalf Of joe
> > > > Sent: Thursday, April 22, 2004 9:11 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > > 
> > > > 
> > > > We aren't even considering converting or making our 200k+
> > > user objects
> > > > inetorgperson objects.  We have had no requirement to do
> > so and if
> > > > someone came forth with one at this point we would ask why their 
> > > > product wasn't written to be flexible enough to account
> > for the de
> > > > facto most popular LDAP server out there.
> > > > 
> > > > LDAP is a pretty flexi

RE: [ActiveDir] User to InetOrgPerson Class

2004-05-04 Thread Sean 
Of course that does tend to be distribution specific ;)

On Mon, 2004-05-03 at 09:40, Roger Seielstad wrote:
> Actually, close.
> 
> Apparently, a "base" install of Linux doesn't include things like ping,
> traceroute, ssh, nor much else in the way of basic tools.
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED] 
> > Sent: Sunday, May 02, 2004 11:17 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > Driver error. Recompile kernel 
> > 
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Roger Seielstad
> > Sent: Thursday, April 22, 2004 10:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > Um, yeah. That's right.
> > 
> > If I wasn't spending all day yesterday trying to fix a Linux 
> > box, I would
> > have definitely written the same thing.
> > 
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >  
> > 
> > > -Original Message-
> > > From: joe [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, April 22, 2004 9:40 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > Roger, you are just mad because you were typing up the same 
> > note and I 
> > > typed it and sent it out faster...
> > > 
> > > Oh well I have to get back to unburying myself. Just came 
> > in to spot 
> > > check to see what you all were saying behind my back...
> > > 
> > > I should be back hard core in a week or two. In the meanwhile I am 
> > > digging out of email and work issues and also during an EMC issue I 
> > > was looking at I think I figured out something else cool to 
> > put into 
> > > adfind...
> > > We shall see. 
> > > 
> > >   joe
> > >  
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > Seielstad
> > > Sent: Thursday, April 22, 2004 9:27 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > Please - we're trying to not encourage him... ;)
> > > 
> > > Roger
> > > --
> > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > >  
> > > 
> > > > -----Original Message-
> > > > From: Jerry Welch [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, April 22, 2004 9:14 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > > 
> > > > GO JOE !!
> > > > 
> > > > Jerry Welch
> > > > CPS Systems
> > > > US/Canada: 888-666-0277
> > > > International: +1 703 827 0919 (-5 GMT)
> > > > 
> > > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] Behalf Of joe
> > > > Sent: Thursday, April 22, 2004 9:11 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > > 
> > > > 
> > > > We aren't even considering converting or making our 200k+
> > > user objects
> > > > inetorgperson objects.  We have had no requirement to do 
> > so and if 
> > > > someone came forth with one at this point we would ask why their 
> > > > product wasn't written to be flexible enough to account 
> > for the de 
> > > > facto most popular LDAP server out there.
> > > > 
> > > > LDAP is a pretty flexible system yet you get vendors coming
> > > along hard
> > > > coding dependencies in on their own and try to make the 
> > directories 
> > > > fit their apps, this is obviously not correct. Vendors (including
> > > > Microsoft)
> > > > take note, if you are using LDAP for anythi

RE: [ActiveDir] User to InetOrgPerson Class

2004-05-03 Thread Roger Seielstad 
Actually, close.

Apparently, a "base" install of Linux doesn't include things like ping,
traceroute, ssh, nor much else in the way of basic tools.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, May 02, 2004 11:17 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Driver error. Recompile kernel 
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Thursday, April 22, 2004 10:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Um, yeah. That's right.
> 
> If I wasn't spending all day yesterday trying to fix a Linux 
> box, I would
> have definitely written the same thing.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 22, 2004 9:40 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > Roger, you are just mad because you were typing up the same 
> note and I 
> > typed it and sent it out faster...
> > 
> > Oh well I have to get back to unburying myself. Just came 
> in to spot 
> > check to see what you all were saying behind my back...
> > 
> > I should be back hard core in a week or two. In the meanwhile I am 
> > digging out of email and work issues and also during an EMC issue I 
> > was looking at I think I figured out something else cool to 
> put into 
> > adfind...
> > We shall see. 
> > 
> >   joe
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > Seielstad
> > Sent: Thursday, April 22, 2004 9:27 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > Please - we're trying to not encourage him... ;)
> > 
> > Roger
> > ------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >  
> > 
> > > -Original Message-
> > > From: Jerry Welch [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, April 22, 2004 9:14 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > GO JOE !!
> > > 
> > > Jerry Welch
> > > CPS Systems
> > > US/Canada: 888-666-0277
> > > International: +1 703 827 0919 (-5 GMT)
> > > 
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of joe
> > > Sent: Thursday, April 22, 2004 9:11 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > > 
> > > 
> > > We aren't even considering converting or making our 200k+
> > user objects
> > > inetorgperson objects.  We have had no requirement to do 
> so and if 
> > > someone came forth with one at this point we would ask why their 
> > > product wasn't written to be flexible enough to account 
> for the de 
> > > facto most popular LDAP server out there.
> > > 
> > > LDAP is a pretty flexible system yet you get vendors coming
> > along hard
> > > coding dependencies in on their own and try to make the 
> directories 
> > > fit their apps, this is obviously not correct. Vendors (including
> > > Microsoft)
> > > take note, if you are using LDAP for anything, make your 
> > > attributes/objects required mappable. Saying someone has 
> to have an 
> > > attribute with a certain name or an object with a certain name or 
> > > class is not flexible and you can do better.
> > > 
> > > LDAP is extensible and people do do things sometimes 
> before Vendors 
> > > write code to do the same things. Most Vendors aren't
> > coming up with
> > > cool new things no one else never thought up, they are just
> > polishing,
> > > implementing, and trying to sell the solutions as ready
> > made. I, for
> > > instance, may have at some point put UIDs into an 
>

RE: [ActiveDir] User to InetOrgPerson Class

2004-05-02 Thread joe 
Driver error. Recompile kernel 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, April 22, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

Um, yeah. That's right.

If I wasn't spending all day yesterday trying to fix a Linux box, I would
have definitely written the same thing.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 22, 2004 9:40 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Roger, you are just mad because you were typing up the same note and I 
> typed it and sent it out faster...
> 
> Oh well I have to get back to unburying myself. Just came in to spot 
> check to see what you all were saying behind my back...
> 
> I should be back hard core in a week or two. In the meanwhile I am 
> digging out of email and work issues and also during an EMC issue I 
> was looking at I think I figured out something else cool to put into 
> adfind...
> We shall see. 
> 
>   joe
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> Seielstad
> Sent: Thursday, April 22, 2004 9:27 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Please - we're trying to not encourage him... ;)
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-----
> > From: Jerry Welch [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 22, 2004 9:14 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > GO JOE !!
> > 
> > Jerry Welch
> > CPS Systems
> > US/Canada: 888-666-0277
> > International: +1 703 827 0919 (-5 GMT)
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of joe
> > Sent: Thursday, April 22, 2004 9:11 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > 
> > We aren't even considering converting or making our 200k+
> user objects
> > inetorgperson objects.  We have had no requirement to do so and if 
> > someone came forth with one at this point we would ask why their 
> > product wasn't written to be flexible enough to account for the de 
> > facto most popular LDAP server out there.
> > 
> > LDAP is a pretty flexible system yet you get vendors coming
> along hard
> > coding dependencies in on their own and try to make the directories 
> > fit their apps, this is obviously not correct. Vendors (including
> > Microsoft)
> > take note, if you are using LDAP for anything, make your 
> > attributes/objects required mappable. Saying someone has to have an 
> > attribute with a certain name or an object with a certain name or 
> > class is not flexible and you can do better.
> > 
> > LDAP is extensible and people do do things sometimes before Vendors 
> > write code to do the same things. Most Vendors aren't
> coming up with
> > cool new things no one else never thought up, they are just
> polishing,
> > implementing, and trying to sell the solutions as ready
> made. I, for
> > instance, may have at some point put UIDs into an attribute called 
> > BobToy. Does it make sense, maybe not to you, maybe to me
> it makes all
> > the sense in the world. You coming in saying I have to use
> something
> > else means I have to change all of my stuff, repopulate the fields, 
> > possibly schema extend for you, probably do syncing (or
> rewriting) for
> > now on because I am probably already using that attribute -
> how rude
> > and pretentious of you as a vendor. Ditto for
> objectclassing for what
> > objects I want to use for various things.
> > 
> > Again, LDAP is extensible, AD very easily so. Schemas are easy to 
> > modify and have data populated. As a vendor, don't sit back
> and think
> > you are the only one that needs to use certain data and that it 
> > wouldn't be there already unless your app was there. From the start 
> > define the data that you need but don't assume the data
> isn't there in
> > an attribute already.
> > Actually assume
> > it is and you just have to use it. Then onc

RE: [ActiveDir] User to InetOrgPerson Class

2004-05-02 Thread joe 
If you weren't the size of a Giant Redwood tree I would take offense to that
therapy comment. ;o)

Instead my response is simply Yes sir, it is working.  =)

Now that some of you folks know what I look like and actual pictures exist,
I have to be nicer... Welcome to the nicer kinder gentler joe...


Heh. Yeah right.

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, April 22, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

Or Universal Groups!

Apparently the therapy is working

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 22, 2004 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> And you didn't even mention the "E" word! :-)
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 22, 2004 9:11 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> We aren't even considering converting or making our 200k+ user objects 
> inetorgperson objects.  We have had no requirement to do so and if 
> someone came forth with one at this point we would ask why their 
> product wasn't written to be flexible enough to account for the de 
> facto most popular LDAP server out there.
> 
> LDAP is a pretty flexible system yet you get vendors coming along hard 
> coding dependencies in on their own and try to make the directories 
> fit their apps, this is obviously not correct. Vendors (including 
> Microsoft) take note, if you are using LDAP for anything, make your 
> attributes/objects required mappable. Saying someone has to have an 
> attribute with a certain name or an object with a certain name or 
> class is not flexible and you can do better.
> 
> LDAP is extensible and people do do things sometimes before Vendors 
> write code to do the same things. Most Vendors aren't coming up with 
> cool new things no one else never thought up, they are just polishing, 
> implementing, and trying to sell the solutions as ready made. I, for 
> instance, may have at some point put UIDs into an attribute called 
> BobToy. Does it make sense, maybe not to you, maybe to me it makes all 
> the sense in the world. You coming in saying I have to use something 
> else means I have to change all of my stuff, repopulate the fields, 
> possibly schema extend for you, probably do syncing (or rewriting) for 
> now on because I am probably already using that attribute - how rude 
> and pretentious of you as a vendor.
> Ditto for objectclassing for what objects I want to use for various 
> things.
> 
> Again, LDAP is extensible, AD very easily so. Schemas are easy to 
> modify and have data populated. As a vendor, don't sit back and think 
> you are the only one that needs to use certain data and that it 
> wouldn't be there already unless your app was there. From the start 
> define the data that you need but don't assume the data isn't there in 
> an attribute already. Actually assume it is and you just have to use 
> it.
> Then once you have accomplished that by making your app flexible in 
> how it gathers data from the directory, define the schema 
> addons/changes someone may need with a raw schema that they haven't 
> done any extensions to. As we get further along into using LDAP I 
> think you will find that methodology fundamentally better for your 
> sales. Is it harder? Yes. But if it were easy everyone would be doing 
> it already.
> 
> Oh to add one final thing, don't assume where in the directory the 
> object is either Saying groups have to be in one certain OU or 
> container or things break is just plain silly. You know who you are.
> 
> Oh, one other final thing... MS LDAP Servers have this great ability 
> to not require the FULL DN of an object for a bind...
> You can use domain\userid or [EMAIL PROTECTED] (i.e. 
> [EMAIL PROTECTED]). Use it. This way when someone moves your bind ID 
> (because they can), your application doesn't go down in flames with 
> your help desk standing there going, h, we have no idea why our 
> application can't authenticate Mr. X.
> Not only use it, but put it in your documentation... Even if you say 
> something like Well you know, our own Directory Server is far 
> superior to the MS one, however, if you do use the MS one, they have 
> this cool feature we can't touch (and frankly don't need to because we 
>

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-22 Thread Roger Seielstad 
Um, yeah. That's right.

If I wasn't spending all day yesterday trying to fix a Linux box, I would
have definitely written the same thing.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 22, 2004 9:40 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Roger, you are just mad because you were typing up the same 
> note and I typed
> it and sent it out faster...
> 
> Oh well I have to get back to unburying myself. Just came in 
> to spot check
> to see what you all were saying behind my back... 
> 
> I should be back hard core in a week or two. In the meanwhile 
> I am digging
> out of email and work issues and also during an EMC issue I 
> was looking at I
> think I figured out something else cool to put into adfind... 
> We shall see. 
> 
>   joe
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Thursday, April 22, 2004 9:27 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> Please - we're trying to not encourage him... ;)
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: Jerry Welch [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 22, 2004 9:14 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > GO JOE !!
> > 
> > Jerry Welch
> > CPS Systems
> > US/Canada: 888-666-0277
> > International: +1 703 827 0919 (-5 GMT)
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of joe
> > Sent: Thursday, April 22, 2004 9:11 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] User to InetOrgPerson Class
> > 
> > 
> > We aren't even considering converting or making our 200k+ 
> user objects 
> > inetorgperson objects.  We have had no requirement to do so and if 
> > someone came forth with one at this point we would ask why their 
> > product wasn't written to be flexible enough to account for the de 
> > facto most popular LDAP server out there.
> > 
> > LDAP is a pretty flexible system yet you get vendors coming 
> along hard 
> > coding dependencies in on their own and try to make the directories 
> > fit their apps, this is obviously not correct. Vendors (including
> > Microsoft)
> > take note, if you are using LDAP for anything, make your 
> > attributes/objects required mappable. Saying someone has to have an 
> > attribute with a certain name or an object with a certain name or 
> > class is not flexible and you can do better.
> > 
> > LDAP is extensible and people do do things sometimes before Vendors 
> > write code to do the same things. Most Vendors aren't 
> coming up with 
> > cool new things no one else never thought up, they are just 
> polishing, 
> > implementing, and trying to sell the solutions as ready 
> made. I, for 
> > instance, may have at some point put UIDs into an attribute called 
> > BobToy. Does it make sense, maybe not to you, maybe to me 
> it makes all 
> > the sense in the world. You coming in saying I have to use 
> something 
> > else means I have to change all of my stuff, repopulate the fields, 
> > possibly schema extend for you, probably do syncing (or 
> rewriting) for 
> > now on because I am probably already using that attribute - 
> how rude 
> > and pretentious of you as a vendor. Ditto for 
> objectclassing for what 
> > objects I want to use for various things.
> > 
> > Again, LDAP is extensible, AD very easily so. Schemas are easy to 
> > modify and have data populated. As a vendor, don't sit back 
> and think 
> > you are the only one that needs to use certain data and that it 
> > wouldn't be there already unless your app was there. From the start 
> > define the data that you need but don't assume the data 
> isn't there in 
> > an attribute already.
> > Actually assume
> > it is and you just have to use it. Then once you have accomplished 
> > that by making your app flexible in how it gathers data from the 
> > directory, define the schema addons/changes someone may need with a 
> > raw schema that they haven

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-22 Thread Roger Seielstad 
Or Universal Groups!

Apparently the therapy is working

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 22, 2004 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> And you didn't even mention the "E" word! :-) 
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 22, 2004 9:11 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> We aren't even considering converting or making our 200k+ 
> user objects inetorgperson objects.  We have had no 
> requirement to do so and if someone came forth with one at 
> this point we would ask why their product wasn't written to 
> be flexible enough to account for the de facto most popular 
> LDAP server out there. 
> 
> LDAP is a pretty flexible system yet you get vendors coming 
> along hard coding dependencies in on their own and try to 
> make the directories fit their apps, this is obviously not 
> correct. Vendors (including Microsoft) take note, if you are 
> using LDAP for anything, make your attributes/objects 
> required mappable. Saying someone has to have an attribute 
> with a certain name or an object with a certain name or class 
> is not flexible and you can do better. 
> 
> LDAP is extensible and people do do things sometimes before 
> Vendors write code to do the same things. Most Vendors aren't 
> coming up with cool new things no one else never thought up, 
> they are just polishing, implementing, and trying to sell the 
> solutions as ready made. I, for instance, may have at some 
> point put UIDs into an attribute called BobToy. Does it make 
> sense, maybe not to you, maybe to me it makes all the sense 
> in the world. You coming in saying I have to use something 
> else means I have to change all of my stuff, repopulate the 
> fields, possibly schema extend for you, probably do syncing 
> (or rewriting) for now on because I am probably already using 
> that attribute - how rude and pretentious of you as a vendor. 
> Ditto for objectclassing for what objects I want to use for 
> various things. 
> 
> Again, LDAP is extensible, AD very easily so. Schemas are 
> easy to modify and have data populated. As a vendor, don't 
> sit back and think you are the only one that needs to use 
> certain data and that it wouldn't be there already unless 
> your app was there. From the start define the data that you 
> need but don't assume the data isn't there in an attribute 
> already. Actually assume it is and you just have to use it. 
> Then once you have accomplished that by making your app 
> flexible in how it gathers data from the directory, define 
> the schema addons/changes someone may need with a raw schema 
> that they haven't done any extensions to. As we get further 
> along into using LDAP I think you will find that methodology 
> fundamentally better for your sales. Is it harder? Yes. But 
> if it were easy everyone would be doing it already.
> 
> Oh to add one final thing, don't assume where in the 
> directory the object is either Saying groups have to be 
> in one certain OU or container or things break is just plain 
> silly. You know who you are. 
> 
> Oh, one other final thing... MS LDAP Servers have this great 
> ability to not require the FULL DN of an object for a bind... 
> You can use domain\userid or [EMAIL PROTECTED] (i.e. 
> [EMAIL PROTECTED]). Use it. This way when someone moves your 
> bind ID (because they can), your application doesn't go down 
> in flames with your help desk standing there going, h, we 
> have no idea why our application can't authenticate Mr. X. 
> Not only use it, but put it in your documentation... Even if 
> you say something like Well you know, our own Directory 
> Server is far superior to the MS one, however, if you do use 
> the MS one, they have this cool feature we can't touch (and 
> frankly don't need to because we don't have the flexibility 
> required to need this additional flexibility) that allows you 
> to not hardcode the DN of the bind ID. Yes, yes, that is 
> pretty cool, so use it if you find yourself on that directory. 
> 
> Oh, and one last last final thing which is one major thing 
> for MS before I close Document the default schema and the 
> schema mods you make for your apps completely. Put in 
> dependency information. I have asked for this multiple times 
> and hear, that wou

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-22 Thread joe 
Roger, you are just mad because you were typing up the same note and I typed
it and sent it out faster...

Oh well I have to get back to unburying myself. Just came in to spot check
to see what you all were saying behind my back... 

I should be back hard core in a week or two. In the meanwhile I am digging
out of email and work issues and also during an EMC issue I was looking at I
think I figured out something else cool to put into adfind... We shall see. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, April 22, 2004 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

Please - we're trying to not encourage him... ;)

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Jerry Welch [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 22, 2004 9:14 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> GO JOE !!
> 
> Jerry Welch
> CPS Systems
> US/Canada: 888-666-0277
> International: +1 703 827 0919 (-5 GMT)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of joe
> Sent: Thursday, April 22, 2004 9:11 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> 
> We aren't even considering converting or making our 200k+ user objects 
> inetorgperson objects.  We have had no requirement to do so and if 
> someone came forth with one at this point we would ask why their 
> product wasn't written to be flexible enough to account for the de 
> facto most popular LDAP server out there.
> 
> LDAP is a pretty flexible system yet you get vendors coming along hard 
> coding dependencies in on their own and try to make the directories 
> fit their apps, this is obviously not correct. Vendors (including
> Microsoft)
> take note, if you are using LDAP for anything, make your 
> attributes/objects required mappable. Saying someone has to have an 
> attribute with a certain name or an object with a certain name or 
> class is not flexible and you can do better.
> 
> LDAP is extensible and people do do things sometimes before Vendors 
> write code to do the same things. Most Vendors aren't coming up with 
> cool new things no one else never thought up, they are just polishing, 
> implementing, and trying to sell the solutions as ready made. I, for 
> instance, may have at some point put UIDs into an attribute called 
> BobToy. Does it make sense, maybe not to you, maybe to me it makes all 
> the sense in the world. You coming in saying I have to use something 
> else means I have to change all of my stuff, repopulate the fields, 
> possibly schema extend for you, probably do syncing (or rewriting) for 
> now on because I am probably already using that attribute - how rude 
> and pretentious of you as a vendor. Ditto for objectclassing for what 
> objects I want to use for various things.
> 
> Again, LDAP is extensible, AD very easily so. Schemas are easy to 
> modify and have data populated. As a vendor, don't sit back and think 
> you are the only one that needs to use certain data and that it 
> wouldn't be there already unless your app was there. From the start 
> define the data that you need but don't assume the data isn't there in 
> an attribute already.
> Actually assume
> it is and you just have to use it. Then once you have accomplished 
> that by making your app flexible in how it gathers data from the 
> directory, define the schema addons/changes someone may need with a 
> raw schema that they haven't done any extensions to. As we get further 
> along into using LDAP I think you will find that methodology 
> fundamentally better for your sales. Is it harder? Yes. But if it were 
> easy everyone would be doing it already.
> 
> Oh to add one final thing, don't assume where in the directory the 
> object is either Saying groups have to be in one certain OU or 
> container or things break is just plain silly. You know who you are.
> 
> Oh, one other final thing... MS LDAP Servers have this great ability 
> to not require the FULL DN of an object for a bind... You can use 
> domain\userid or [EMAIL PROTECTED] (i.e. [EMAIL PROTECTED]). Use it. 
> This way when someone moves your bind ID (because they can), your 
> application doesn't go down in flames with your help desk standing 
> there going, h, we have no idea why our application can't 
> authenticate Mr. X. Not only use it, but put it in your 
> documentation... Even if you say something like Well you know, our 
&g

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-22 Thread joe 
Didn't need to if you are running it, though I did dedicate an entire
paragraph to it :o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, April 22, 2004 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

And you didn't even mention the "E" word! :-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 22, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

We aren't even considering converting or making our 200k+ user objects
inetorgperson objects.  We have had no requirement to do so and if someone
came forth with one at this point we would ask why their product wasn't
written to be flexible enough to account for the de facto most popular LDAP
server out there. 

LDAP is a pretty flexible system yet you get vendors coming along hard
coding dependencies in on their own and try to make the directories fit
their apps, this is obviously not correct. Vendors (including Microsoft)
take note, if you are using LDAP for anything, make your attributes/objects
required mappable. Saying someone has to have an attribute with a certain
name or an object with a certain name or class is not flexible and you can
do better. 

LDAP is extensible and people do do things sometimes before Vendors write
code to do the same things. Most Vendors aren't coming up with cool new
things no one else never thought up, they are just polishing, implementing,
and trying to sell the solutions as ready made. I, for instance, may have at
some point put UIDs into an attribute called BobToy. Does it make sense,
maybe not to you, maybe to me it makes all the sense in the world. You
coming in saying I have to use something else means I have to change all of
my stuff, repopulate the fields, possibly schema extend for you, probably do
syncing (or rewriting) for now on because I am probably already using that
attribute - how rude and pretentious of you as a vendor. Ditto for
objectclassing for what objects I want to use for various things. 

Again, LDAP is extensible, AD very easily so. Schemas are easy to modify and
have data populated. As a vendor, don't sit back and think you are the only
one that needs to use certain data and that it wouldn't be there already
unless your app was there. From the start define the data that you need but
don't assume the data isn't there in an attribute already. Actually assume
it is and you just have to use it. Then once you have accomplished that by
making your app flexible in how it gathers data from the directory, define
the schema addons/changes someone may need with a raw schema that they
haven't done any extensions to. As we get further along into using LDAP I
think you will find that methodology fundamentally better for your sales. Is
it harder? Yes. But if it were easy everyone would be doing it already.

Oh to add one final thing, don't assume where in the directory the object is
either Saying groups have to be in one certain OU or container or things
break is just plain silly. You know who you are. 

Oh, one other final thing... MS LDAP Servers have this great ability to not
require the FULL DN of an object for a bind... You can use domain\userid or
[EMAIL PROTECTED] (i.e. [EMAIL PROTECTED]). Use it. This way when someone
moves your bind ID (because they can), your application doesn't go down in
flames with your help desk standing there going, h, we have no idea why
our application can't authenticate Mr. X. Not only use it, but put it in
your documentation... Even if you say something like Well you know, our
own Directory Server is far superior to the MS one, however, if you do use
the MS one, they have this cool feature we can't touch (and frankly don't
need to because we don't have the flexibility required to need this
additional flexibility) that allows you to not hardcode the DN of the bind
ID. Yes, yes, that is pretty cool, so use it if you find yourself on that
directory. 

Oh, and one last last final thing which is one major thing for MS before I
close Document the default schema and the schema mods you make for your
apps completely. Put in dependency information. I have asked for this
multiple times and hear, that would be impossible, do you know all of the
interconnections blah blah blah. Sure... But you guys figure out new items
one at a time. Document them then. In the meanwhile, go clean up as it
doesn't appear you even kjnow what is out there or what it should be. Every
attribute should be documented in terms of what it is used for, what
subsystems use it (dependencies), what the valid range of values are, if you
ever intend to use it and what time frame if so (logoffTime,
operatingSystemHotfix, etc). This would be helpful to your own people let
alone everyone trying

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-22 Thread Michael B. Smith 
And you didn't even mention the "E" word! :-) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 22, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

We aren't even considering converting or making our 200k+ user objects inetorgperson 
objects.  We have had no requirement to do so and if someone came forth with one at 
this point we would ask why their product wasn't written to be flexible enough to 
account for the de facto most popular LDAP server out there. 

LDAP is a pretty flexible system yet you get vendors coming along hard coding 
dependencies in on their own and try to make the directories fit their apps, this is 
obviously not correct. Vendors (including Microsoft) take note, if you are using LDAP 
for anything, make your attributes/objects required mappable. Saying someone has to 
have an attribute with a certain name or an object with a certain name or class is not 
flexible and you can do better. 

LDAP is extensible and people do do things sometimes before Vendors write code to do 
the same things. Most Vendors aren't coming up with cool new things no one else never 
thought up, they are just polishing, implementing, and trying to sell the solutions as 
ready made. I, for instance, may have at some point put UIDs into an attribute called 
BobToy. Does it make sense, maybe not to you, maybe to me it makes all the sense in 
the world. You coming in saying I have to use something else means I have to change 
all of my stuff, repopulate the fields, possibly schema extend for you, probably do 
syncing (or rewriting) for now on because I am probably already using that attribute - 
how rude and pretentious of you as a vendor. Ditto for objectclassing for what objects 
I want to use for various things. 

Again, LDAP is extensible, AD very easily so. Schemas are easy to modify and have data 
populated. As a vendor, don't sit back and think you are the only one that needs to 
use certain data and that it wouldn't be there already unless your app was there. From 
the start define the data that you need but don't assume the data isn't there in an 
attribute already. Actually assume it is and you just have to use it. Then once you 
have accomplished that by making your app flexible in how it gathers data from the 
directory, define the schema addons/changes someone may need with a raw schema that 
they haven't done any extensions to. As we get further along into using LDAP I think 
you will find that methodology fundamentally better for your sales. Is it harder? Yes. 
But if it were easy everyone would be doing it already.

Oh to add one final thing, don't assume where in the directory the object is 
either Saying groups have to be in one certain OU or container or things break is 
just plain silly. You know who you are. 

Oh, one other final thing... MS LDAP Servers have this great ability to not require 
the FULL DN of an object for a bind... You can use domain\userid or [EMAIL PROTECTED] 
(i.e. [EMAIL PROTECTED]). Use it. This way when someone moves your bind ID (because 
they can), your application doesn't go down in flames with your help desk standing 
there going, h, we have no idea why our application can't authenticate Mr. X. Not 
only use it, but put it in your documentation... Even if you say something like 
Well you know, our own Directory Server is far superior to the MS one, however, if you 
do use the MS one, they have this cool feature we can't touch (and frankly don't need 
to because we don't have the flexibility required to need this additional flexibility) 
that allows you to not hardcode the DN of the bind ID. Yes, yes, that is pretty cool, 
so use it if you find yourself on that directory. 

Oh, and one last last final thing which is one major thing for MS before I close 
Document the default schema and the schema mods you make for your apps completely. Put 
in dependency information. I have asked for this multiple times and hear, that would 
be impossible, do you know all of the interconnections blah blah blah. Sure... But you 
guys figure out new items one at a time. Document them then. In the meanwhile, go 
clean up as it doesn't appear you even kjnow what is out there or what it should be. 
Every attribute should be documented in terms of what it is used for, what subsystems 
use it (dependencies), what the valid range of values are, if you ever intend to use 
it and what time frame if so (logoffTime, operatingSystemHotfix, etc). This would be 
helpful to your own people let alone everyone trying to use your product. I have had 
more than one bluescreen or stopped replication because of bad data in the directory 
and the fun thing is I have no way in the world to know if data is good or not because 
I have no clue what is supposed to be valid for the fields. 

   joe

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-22 Thread Roger Seielstad 
Please - we're trying to not encourage him... ;)

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Jerry Welch [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 22, 2004 9:14 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> GO JOE !!
> 
> Jerry Welch
> CPS Systems
> US/Canada: 888-666-0277
> International: +1 703 827 0919 (-5 GMT)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of joe
> Sent: Thursday, April 22, 2004 9:11 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] User to InetOrgPerson Class
> 
> 
> We aren't even considering converting or making our 200k+ user objects
> inetorgperson objects.  We have had no requirement to do so 
> and if someone
> came forth with one at this point we would ask why their 
> product wasn't
> written to be flexible enough to account for the de facto 
> most popular LDAP
> server out there.
> 
> LDAP is a pretty flexible system yet you get vendors coming along hard
> coding dependencies in on their own and try to make the 
> directories fit
> their apps, this is obviously not correct. Vendors (including 
> Microsoft)
> take note, if you are using LDAP for anything, make your 
> attributes/objects
> required mappable. Saying someone has to have an attribute 
> with a certain
> name or an object with a certain name or class is not 
> flexible and you can
> do better.
> 
> LDAP is extensible and people do do things sometimes before 
> Vendors write
> code to do the same things. Most Vendors aren't coming up 
> with cool new
> things no one else never thought up, they are just polishing, 
> implementing,
> and trying to sell the solutions as ready made. I, for 
> instance, may have at
> some point put UIDs into an attribute called BobToy. Does it 
> make sense,
> maybe not to you, maybe to me it makes all the sense in the world. You
> coming in saying I have to use something else means I have to 
> change all of
> my stuff, repopulate the fields, possibly schema extend for 
> you, probably do
> syncing (or rewriting) for now on because I am probably 
> already using that
> attribute - how rude and pretentious of you as a vendor. Ditto for
> objectclassing for what objects I want to use for various things.
> 
> Again, LDAP is extensible, AD very easily so. Schemas are 
> easy to modify and
> have data populated. As a vendor, don't sit back and think 
> you are the only
> one that needs to use certain data and that it wouldn't be 
> there already
> unless your app was there. From the start define the data 
> that you need but
> don't assume the data isn't there in an attribute already. 
> Actually assume
> it is and you just have to use it. Then once you have 
> accomplished that by
> making your app flexible in how it gathers data from the 
> directory, define
> the schema addons/changes someone may need with a raw schema that they
> haven't done any extensions to. As we get further along into 
> using LDAP I
> think you will find that methodology fundamentally better for 
> your sales. Is
> it harder? Yes. But if it were easy everyone would be doing 
> it already.
> 
> Oh to add one final thing, don't assume where in the 
> directory the object is
> either Saying groups have to be in one certain OU or 
> container or things
> break is just plain silly. You know who you are.
> 
> Oh, one other final thing... MS LDAP Servers have this great 
> ability to not
> require the FULL DN of an object for a bind... You can use 
> domain\userid or
> [EMAIL PROTECTED] (i.e. [EMAIL PROTECTED]). Use it. This way 
> when someone
> moves your bind ID (because they can), your application 
> doesn't go down in
> flames with your help desk standing there going, h, we 
> have no idea why
> our application can't authenticate Mr. X. Not only use it, 
> but put it in
> your documentation... Even if you say something like Well 
> you know, our
> own Directory Server is far superior to the MS one, however, 
> if you do use
> the MS one, they have this cool feature we can't touch (and 
> frankly don't
> need to because we don't have the flexibility required to need this
> additional flexibility) that allows you to not hardcode the 
> DN of the bind
> ID. Yes, yes, that is pretty cool, so use it if you find 
> yourself on that
> directory.
> 
> Oh, and one last last final thing which is one major thing 
> for MS before I
> close...

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-22 Thread Creamer, Mark 
Joe, as usual, your posts are both informative and entertaining. This one gets filed 
for the next time
someone comes to me asking for another half-baked schema extension because the app 
wasn't designed
right in the first place. Should be in the next hour or so if history would predict...


-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 22, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

We aren't even considering converting or making our 200k+ user objects
inetorgperson objects.  We have had no requirement to do so and if someone
came forth with one at this point we would ask why their product wasn't
written to be flexible enough to account for the de facto most popular LDAP
server out there. 

LDAP is a pretty flexible system yet you get vendors coming along hard
coding dependencies in on their own and try to make the directories fit
their apps, this is obviously not correct. Vendors (including Microsoft)
take note, if you are using LDAP for anything, make your attributes/objects
required mappable. Saying someone has to have an attribute with a certain
name or an object with a certain name or class is not flexible and you can
do better. 

LDAP is extensible and people do do things sometimes before Vendors write
code to do the same things. Most Vendors aren't coming up with cool new
things no one else never thought up, they are just polishing, implementing,
and trying to sell the solutions as ready made. I, for instance, may have at
some point put UIDs into an attribute called BobToy. Does it make sense,
maybe not to you, maybe to me it makes all the sense in the world. You
coming in saying I have to use something else means I have to change all of
my stuff, repopulate the fields, possibly schema extend for you, probably do
syncing (or rewriting) for now on because I am probably already using that
attribute - how rude and pretentious of you as a vendor. Ditto for
objectclassing for what objects I want to use for various things. 

Again, LDAP is extensible, AD very easily so. Schemas are easy to modify and
have data populated. As a vendor, don't sit back and think you are the only
one that needs to use certain data and that it wouldn't be there already
unless your app was there. From the start define the data that you need but
don't assume the data isn't there in an attribute already. Actually assume
it is and you just have to use it. Then once you have accomplished that by
making your app flexible in how it gathers data from the directory, define
the schema addons/changes someone may need with a raw schema that they
haven't done any extensions to. As we get further along into using LDAP I
think you will find that methodology fundamentally better for your sales. Is
it harder? Yes. But if it were easy everyone would be doing it already.

Oh to add one final thing, don't assume where in the directory the object is
either Saying groups have to be in one certain OU or container or things
break is just plain silly. You know who you are. 

Oh, one other final thing... MS LDAP Servers have this great ability to not
require the FULL DN of an object for a bind... You can use domain\userid or
[EMAIL PROTECTED] (i.e. [EMAIL PROTECTED]). Use it. This way when someone
moves your bind ID (because they can), your application doesn't go down in
flames with your help desk standing there going, h, we have no idea why
our application can't authenticate Mr. X. Not only use it, but put it in
your documentation... Even if you say something like Well you know, our
own Directory Server is far superior to the MS one, however, if you do use
the MS one, they have this cool feature we can't touch (and frankly don't
need to because we don't have the flexibility required to need this
additional flexibility) that allows you to not hardcode the DN of the bind
ID. Yes, yes, that is pretty cool, so use it if you find yourself on that
directory. 

Oh, and one last last final thing which is one major thing for MS before I
close Document the default schema and the schema mods you make for your
apps completely. Put in dependency information. I have asked for this
multiple times and hear, that would be impossible, do you know all of the
interconnections blah blah blah. Sure... But you guys figure out new items
one at a time. Document them then. In the meanwhile, go clean up as it
doesn't appear you even kjnow what is out there or what it should be. Every
attribute should be documented in terms of what it is used for, what
subsystems use it (dependencies), what the valid range of values are, if you
ever intend to use it and what time frame if so (logoffTime,
operatingSystemHotfix, etc). This would be helpful to your own people let
alone everyone trying to use your product. I have had more than one
bluescreen or stopped replication because of bad data in the director

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-22 Thread Jerry Welch 
GO JOE !!

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 GMT)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Thursday, April 22, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class


We aren't even considering converting or making our 200k+ user objects
inetorgperson objects.  We have had no requirement to do so and if someone
came forth with one at this point we would ask why their product wasn't
written to be flexible enough to account for the de facto most popular LDAP
server out there.

LDAP is a pretty flexible system yet you get vendors coming along hard
coding dependencies in on their own and try to make the directories fit
their apps, this is obviously not correct. Vendors (including Microsoft)
take note, if you are using LDAP for anything, make your attributes/objects
required mappable. Saying someone has to have an attribute with a certain
name or an object with a certain name or class is not flexible and you can
do better.

LDAP is extensible and people do do things sometimes before Vendors write
code to do the same things. Most Vendors aren't coming up with cool new
things no one else never thought up, they are just polishing, implementing,
and trying to sell the solutions as ready made. I, for instance, may have at
some point put UIDs into an attribute called BobToy. Does it make sense,
maybe not to you, maybe to me it makes all the sense in the world. You
coming in saying I have to use something else means I have to change all of
my stuff, repopulate the fields, possibly schema extend for you, probably do
syncing (or rewriting) for now on because I am probably already using that
attribute - how rude and pretentious of you as a vendor. Ditto for
objectclassing for what objects I want to use for various things.

Again, LDAP is extensible, AD very easily so. Schemas are easy to modify and
have data populated. As a vendor, don't sit back and think you are the only
one that needs to use certain data and that it wouldn't be there already
unless your app was there. From the start define the data that you need but
don't assume the data isn't there in an attribute already. Actually assume
it is and you just have to use it. Then once you have accomplished that by
making your app flexible in how it gathers data from the directory, define
the schema addons/changes someone may need with a raw schema that they
haven't done any extensions to. As we get further along into using LDAP I
think you will find that methodology fundamentally better for your sales. Is
it harder? Yes. But if it were easy everyone would be doing it already.

Oh to add one final thing, don't assume where in the directory the object is
either Saying groups have to be in one certain OU or container or things
break is just plain silly. You know who you are.

Oh, one other final thing... MS LDAP Servers have this great ability to not
require the FULL DN of an object for a bind... You can use domain\userid or
[EMAIL PROTECTED] (i.e. [EMAIL PROTECTED]). Use it. This way when someone
moves your bind ID (because they can), your application doesn't go down in
flames with your help desk standing there going, h, we have no idea why
our application can't authenticate Mr. X. Not only use it, but put it in
your documentation... Even if you say something like Well you know, our
own Directory Server is far superior to the MS one, however, if you do use
the MS one, they have this cool feature we can't touch (and frankly don't
need to because we don't have the flexibility required to need this
additional flexibility) that allows you to not hardcode the DN of the bind
ID. Yes, yes, that is pretty cool, so use it if you find yourself on that
directory.

Oh, and one last last final thing which is one major thing for MS before I
close Document the default schema and the schema mods you make for your
apps completely. Put in dependency information. I have asked for this
multiple times and hear, that would be impossible, do you know all of the
interconnections blah blah blah. Sure... But you guys figure out new items
one at a time. Document them then. In the meanwhile, go clean up as it
doesn't appear you even kjnow what is out there or what it should be. Every
attribute should be documented in terms of what it is used for, what
subsystems use it (dependencies), what the valid range of values are, if you
ever intend to use it and what time frame if so (logoffTime,
operatingSystemHotfix, etc). This would be helpful to your own people let
alone everyone trying to use your product. I have had more than one
bluescreen or stopped replication because of bad data in the directory and
the fun thing is I have no way in the world to know if data is good or not
because I have no clue what is supposed to be valid for the fields.

   joe



-Original

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-22 Thread joe 
We aren't even considering converting or making our 200k+ user objects
inetorgperson objects.  We have had no requirement to do so and if someone
came forth with one at this point we would ask why their product wasn't
written to be flexible enough to account for the de facto most popular LDAP
server out there. 

LDAP is a pretty flexible system yet you get vendors coming along hard
coding dependencies in on their own and try to make the directories fit
their apps, this is obviously not correct. Vendors (including Microsoft)
take note, if you are using LDAP for anything, make your attributes/objects
required mappable. Saying someone has to have an attribute with a certain
name or an object with a certain name or class is not flexible and you can
do better. 

LDAP is extensible and people do do things sometimes before Vendors write
code to do the same things. Most Vendors aren't coming up with cool new
things no one else never thought up, they are just polishing, implementing,
and trying to sell the solutions as ready made. I, for instance, may have at
some point put UIDs into an attribute called BobToy. Does it make sense,
maybe not to you, maybe to me it makes all the sense in the world. You
coming in saying I have to use something else means I have to change all of
my stuff, repopulate the fields, possibly schema extend for you, probably do
syncing (or rewriting) for now on because I am probably already using that
attribute - how rude and pretentious of you as a vendor. Ditto for
objectclassing for what objects I want to use for various things. 

Again, LDAP is extensible, AD very easily so. Schemas are easy to modify and
have data populated. As a vendor, don't sit back and think you are the only
one that needs to use certain data and that it wouldn't be there already
unless your app was there. From the start define the data that you need but
don't assume the data isn't there in an attribute already. Actually assume
it is and you just have to use it. Then once you have accomplished that by
making your app flexible in how it gathers data from the directory, define
the schema addons/changes someone may need with a raw schema that they
haven't done any extensions to. As we get further along into using LDAP I
think you will find that methodology fundamentally better for your sales. Is
it harder? Yes. But if it were easy everyone would be doing it already.

Oh to add one final thing, don't assume where in the directory the object is
either Saying groups have to be in one certain OU or container or things
break is just plain silly. You know who you are. 

Oh, one other final thing... MS LDAP Servers have this great ability to not
require the FULL DN of an object for a bind... You can use domain\userid or
[EMAIL PROTECTED] (i.e. [EMAIL PROTECTED]). Use it. This way when someone
moves your bind ID (because they can), your application doesn't go down in
flames with your help desk standing there going, h, we have no idea why
our application can't authenticate Mr. X. Not only use it, but put it in
your documentation... Even if you say something like Well you know, our
own Directory Server is far superior to the MS one, however, if you do use
the MS one, they have this cool feature we can't touch (and frankly don't
need to because we don't have the flexibility required to need this
additional flexibility) that allows you to not hardcode the DN of the bind
ID. Yes, yes, that is pretty cool, so use it if you find yourself on that
directory. 

Oh, and one last last final thing which is one major thing for MS before I
close Document the default schema and the schema mods you make for your
apps completely. Put in dependency information. I have asked for this
multiple times and hear, that would be impossible, do you know all of the
interconnections blah blah blah. Sure... But you guys figure out new items
one at a time. Document them then. In the meanwhile, go clean up as it
doesn't appear you even kjnow what is out there or what it should be. Every
attribute should be documented in terms of what it is used for, what
subsystems use it (dependencies), what the valid range of values are, if you
ever intend to use it and what time frame if so (logoffTime,
operatingSystemHotfix, etc). This would be helpful to your own people let
alone everyone trying to use your product. I have had more than one
bluescreen or stopped replication because of bad data in the directory and
the fun thing is I have no way in the world to know if data is good or not
because I have no clue what is supposed to be valid for the fields. 

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 21, 2004 10:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

This thread has gotten my interest.  We had IBM in here a couple of years
ago talk

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-21 Thread brent.westmoreland 
Hi Mike,

Here is an MS blurb from one of their workshops on the InetOrgPerson Class...

"What Is the InetOrgPerson Object?


Most non-Microsoft LDAP and X.500 directory services such as Novell eDirectory and 
Netscape Directory Server use the InetOrgPerson object class to represent people 
within an organization. To make those applications more compatible with Active 
Directory and permit the migration of InetOrgPerson objects to Active Directory, the 
InetOrgPerson class is added to the Active Directory schema for Windows 2003 Server. 
Microsoft Windows® 2000 did not support the InetOrgPerson account. Windows Server 2003 
includes the InetOrgPerson account, in addition to the standard user account type that 
Windows 2000 supports.

You can use the InetOrgPerson account in Windows Server 2003 in all of the same ways 
as a standard user account. The InetOrgPerson account is a security principal in 
Windows Server 2003, so it can be a member of security groups and can be assigned 
rights and privileges to objects and resources. 

In Windows 2000, Active Directory uses the unicodePwd attribute to store passwords for 
user accounts. Most other LDAP-compliant directories use the userPassword property to 
store passwords for user accounts. In Windows Server 2003, when the domain functional 
level is set to Windows Server 2003, you can use the userPassword attribute to store 
the password for InetOrgPerson accounts. This enables you to use InetOrgPerson 
accounts to provide compatibility with other directory services that your organization 
uses."

 

My specific interest is in authenticating openldap clients against AD.  To my 
understanding, certain clients expecting to see an inetOrgPersonClass may not respond 
well to the user class.  If one is using pam_ldap it is possible to && some specific 
values in /etc/ldap.conf and authenticate a user, in order to do this I prefer to use 
a more standardized person objectClass, and the inetOrgPerson is the best one that ms 
provides.  

Before implementing you may want to read some of the following kb articles:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q307998

http://support.microsoft.com/?id=822591

http://support.microsoft.com/default.aspx?scid=kb;en-us;811656


http://support.microsoft.com/default.aspx?scid=kb;en-us;314649



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 4/21/2004 10:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class



This thread has gotten my interest.  We had IBM in here a couple of years ago talking 
about their LDAP and that Active Directory was inferior because of it's implementation 
of the InetOrgUser class instead of InetOrgPerson.  We stopped them when we mentioned 
our intention of going with .NET (was RC2 at the time) and that their implementation 
of InetOrgPerson appeared to be as compliant as anyone else's implementation.

However, I've heard very little about InetOrgPerson since then.  In fact, we had a 
training in-house late last year to train some of our staff and he stated that he's 
never heard of anyone using or wanting to use InetOrgPerson.  I told him that I've 
been recommending that we need to implement AD using InetOrgPerson instead of User.  
My concern is compatibility with other organizations (we will be in acquisition mode 
in a year or so) as well as compatibility with enterprise LDAP directories (we're in 
need of something that will cover multiple platforms).

I would appreciate it if you could comment, offline if you want, as to why you are 
seeking to migrate to InetOrgPerson or whether you chose InetOrgPerson at the outset 
for your implementation.  I'm curious about the degree of adoption.  I'm running in to 
a great deal of resistance regarding InetOrgPerson here and am concerned that we would 
end up looking at a migration very shortly after our migration.

Thanks,
Mike




> I have chased Ms on this for an official KB article without success. I
> have done this in production without any hassles though on exactly the
> same scenario you described: third party kit that like inetorgPerson
> better than the user class.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brent
> Westmoreland
> Sent: 21 April 2004 02:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] User to InetOrgPerson Class
>
> Using pure ldap logic, One would assume that is the case.  I guess I
> was hoping someone had stumbled across a kb article so that once this
> is done in production, I have an endorsed Microsoft methodology to take
> to management.
>
>
> On Apr 21, 2004, at 8:12 AM, Ulf B. Simon-Weidner wrote:
>
> > Hello Brent,
> >
> > this is very easy to accomblish: you just need to add the
> inetOrgPerson
> > class to the objectClass

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-21 Thread mikeb 
This thread has gotten my interest.  We had IBM in here a couple of years ago talking 
about their LDAP and that Active Directory was inferior because of it's implementation 
of the InetOrgUser class instead of InetOrgPerson.  We stopped them when we mentioned 
our intention of going with .NET (was RC2 at the time) and that their implementation 
of InetOrgPerson appeared to be as compliant as anyone else's implementation.

However, I've heard very little about InetOrgPerson since then.  In fact, we had a 
training in-house late last year to train some of our staff and he stated that he's 
never heard of anyone using or wanting to use InetOrgPerson.  I told him that I've 
been recommending that we need to implement AD using InetOrgPerson instead of User.  
My concern is compatibility with other organizations (we will be in acquisition mode 
in a year or so) as well as compatibility with enterprise LDAP directories (we're in 
need of something that will cover multiple platforms).

I would appreciate it if you could comment, offline if you want, as to why you are 
seeking to migrate to InetOrgPerson or whether you chose InetOrgPerson at the outset 
for your implementation.  I'm curious about the degree of adoption.  I'm running in to 
a great deal of resistance regarding InetOrgPerson here and am concerned that we would 
end up looking at a migration very shortly after our migration.

Thanks,
Mike




> I have chased Ms on this for an official KB article without success. I
> have done this in production without any hassles though on exactly the
> same scenario you described: third party kit that like inetorgPerson
> better than the user class.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brent
> Westmoreland
> Sent: 21 April 2004 02:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] User to InetOrgPerson Class
> 
> Using pure ldap logic, One would assume that is the case.  I guess I 
> was hoping someone had stumbled across a kb article so that once this 
> is done in production, I have an endorsed Microsoft methodology to take 
> to management.
> 
> 
> On Apr 21, 2004, at 8:12 AM, Ulf B. Simon-Weidner wrote:
> 
> > Hello Brent,
> >
> > this is very easy to accomblish: you just need to add the
> inetOrgPerson
> > class to the objectClass attribute of the user using adsiedit or a 
> > script.
> >
> > Ulf
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brent 
> > Westmoreland
> > Sent: Dienstag, 20. April 2004 21:18
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] User to InetOrgPerson Class
> >
> > Does anyone know of a Microsoft endorsed way to change a win2k3 user 
> > object
> > to an InetOrgPerson object without having to export the information
> and
> > reimport it?  There is a potential that some of our clients will need 
> > to
> > interact with active directory from an alternate client.  This change 
> > would
> > be more easily supported if the user were defined as an InetOrgPerson.
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] User to InetOrgPerson Class

2004-04-21 Thread Brent Westmoreland 
Very well,

I'm off to perl...

Thanks Guys

On Apr 21, 2004, at 9:09 AM, Nicolas Blank wrote:

I have chased Ms on this for an official KB article without success. I
have done this in production without any hassles though on exactly the
same scenario you described: third party kit that like inetorgPerson
better than the user class.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brent
Westmoreland
Sent: 21 April 2004 02:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] User to InetOrgPerson Class
Using pure ldap logic, One would assume that is the case.  I guess I
was hoping someone had stumbled across a kb article so that once this
is done in production, I have an endorsed Microsoft methodology to take
to management.
On Apr 21, 2004, at 8:12 AM, Ulf B. Simon-Weidner wrote:

Hello Brent,

this is very easy to accomblish: you just need to add the
inetOrgPerson
class to the objectClass attribute of the user using adsiedit or a
script.
Ulf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brent
Westmoreland
Sent: Dienstag, 20. April 2004 21:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User to InetOrgPerson Class
Does anyone know of a Microsoft endorsed way to change a win2k3 user
object
to an InetOrgPerson object without having to export the information
and
reimport it?  There is a potential that some of our clients will need
to
interact with active directory from an alternate client.  This change
would
be more easily supported if the user were defined as an InetOrgPerson.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-21 Thread Nicolas Blank 
I have chased Ms on this for an official KB article without success. I
have done this in production without any hassles though on exactly the
same scenario you described: third party kit that like inetorgPerson
better than the user class.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brent
Westmoreland
Sent: 21 April 2004 02:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] User to InetOrgPerson Class

Using pure ldap logic, One would assume that is the case.  I guess I 
was hoping someone had stumbled across a kb article so that once this 
is done in production, I have an endorsed Microsoft methodology to take 
to management.


On Apr 21, 2004, at 8:12 AM, Ulf B. Simon-Weidner wrote:

> Hello Brent,
>
> this is very easy to accomblish: you just need to add the
inetOrgPerson
> class to the objectClass attribute of the user using adsiedit or a 
> script.
>
> Ulf
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brent 
> Westmoreland
> Sent: Dienstag, 20. April 2004 21:18
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] User to InetOrgPerson Class
>
> Does anyone know of a Microsoft endorsed way to change a win2k3 user 
> object
> to an InetOrgPerson object without having to export the information
and
> reimport it?  There is a potential that some of our clients will need 
> to
> interact with active directory from an alternate client.  This change 
> would
> be more easily supported if the user were defined as an InetOrgPerson.
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] User to InetOrgPerson Class

2004-04-21 Thread Brent Westmoreland 
Using pure ldap logic, One would assume that is the case.  I guess I 
was hoping someone had stumbled across a kb article so that once this 
is done in production, I have an endorsed Microsoft methodology to take 
to management.

On Apr 21, 2004, at 8:12 AM, Ulf B. Simon-Weidner wrote:

Hello Brent,

this is very easy to accomblish: you just need to add the inetOrgPerson
class to the objectClass attribute of the user using adsiedit or a 
script.

Ulf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brent 
Westmoreland
Sent: Dienstag, 20. April 2004 21:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User to InetOrgPerson Class

Does anyone know of a Microsoft endorsed way to change a win2k3 user 
object
to an InetOrgPerson object without having to export the information and
reimport it?  There is a potential that some of our clients will need 
to
interact with active directory from an alternate client.  This change 
would
be more easily supported if the user were defined as an InetOrgPerson.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] User to InetOrgPerson Class

2004-04-21 Thread Ulf B. Simon-Weidner 
Hello Brent,

this is very easy to accomblish: you just need to add the inetOrgPerson
class to the objectClass attribute of the user using adsiedit or a script.

Ulf 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Dienstag, 20. April 2004 21:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User to InetOrgPerson Class

Does anyone know of a Microsoft endorsed way to change a win2k3 user object
to an InetOrgPerson object without having to export the information and
reimport it?  There is a potential that some of our clients will need to
interact with active directory from an alternate client.  This change would
be more easily supported if the user were defined as an InetOrgPerson. 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/