Re: Change Naming Attribute (RDN) from CN to UID



Paul, Tomasz and others,
thanks for your replies. You have pretty much nailed the reasons for the
question. I am dealing with a lot of users in a Sun JES Directory server
which uses UID as the naming attribute and enforces uniqueness. We are also
using CN and displayName in the Sun directory to have different name formats
(one is Last, First and the other First Last). There is a mechanism in the
provisioning of the accounts that ensures the UID is generated unique. We
want to use the UID as the samAccountName in order to achieve namespace
alignment between the two directory environments. The complicating factor is
that there are a large number of users (600,000) and a number of AD forests
(11). We are deploying an instance of ADAM to have an aggregated view of the
users in AD - pretty much a mirror of the Sun directory.

Although AD will have a comprehensive OU structure, ADAM will be much
flatter (one OU per AD forest). In the Sun Directory you can use UID as the
naming attribute but can pretty easily use other attributes (cn,
displayName,...). It is up to you when you create the DN of the object. It
seems like the same flexibility does not exist with AD and ADAM in this
respect. However, I have heard elsewhere that if I use inetorgperson I can
use UID.

I could certainly add the UID into the CN field in AD and ADAM. However, I
want to maintain a more friendly view of common name and keep things
consistent across directories. What I have decided to do is to populate
common name with the CN from elsewhere but to append the UID at the end.
Something like First Last (Flast). This enables CN to be included in general
searches, potentially ANR searches, while still having a relatively friendly
format to be seen in the general admin tools and interfaces.

To answer a few comments about ADAM / AD in terms of standards - It is
pretty good really. Each directory implements things its own way and tends
to reflect the roots of that particular directory environment. One "minor"
gripe I have is the use of static auxiliary classes as the norm in AD / ADAM
rather than dynamic auxiliary classes. All the standards and all other
directory implementations refer to auxiliary object classes in a way that is
covered by dynamic auxiliary classes in AD. However, because dynamic classes
were only introduced in Windows 2003 and ADAM, almost all applications that
were written for AD were, out of necessity, written to use static auxiliary
classes. From a purist perspective this is relatively poor form, but in the
scheme of things is not a major problem.

As a general rule, AD and ADAM are not as flexible as other directories and
sometimes bend the standards a little. Don't take this as a negative about the
products. I use them every day and they work well. I have also worked pretty
closely with the Sun directory and somewhat with Novell's product. The above
statement is more a comment on comparison to the standards and other
directories. Most idiosyncrasies in AD and ADAM can be worked around - it's
just a matter of knowing what they are. This is particularly important as you
start to look at how to integrate them.


regards,
Craig Gilmour
"Paul Williams [MVP]" wrote:

Even if assigning the RDN role to uid isn't the answer, I'd like to see if
we can do it and what other options are available. It's funny, I've ever so
briefly started looking at Java Directory Server (SunONE DS) and although
both AD/ ADAM and SunONE are LDAPv3 directories, they are very different.

I'm wondering if there are some barriers in moving to the Windows platform
for LDAP (to ADAM from iPlanet, etc.) due to the way Microsoft have
implemented ADAM. One big gripe from some of my colleagues is the lack of
syntaxes defined in the original X.500/ LDAP RFCs. I don't know, it seems
easy to work around, but as I've not really worked with anything other than
AD and now ADAM, I can't say.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
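As an added example (not code from the original thread), the mapping Craig describes written out as a Python script: cn becomes "First Last (uid)", sAMAccountName carries the Sun uid after a length and character check, and the DN is built under one OU per forest with RFC 4514 escaping of the RDN value. It goes slightly beyond the text by refusing duplicate uids across forests, since the aggregated ADAM view only works if the uid stays unique. The OU names, base DN and sample entries are assumptions.

```python
# Added example, not from the original post: build the ADAM/AD attribute values
# described in the thread from Sun JES entries (uid, givenName, sn).
# OU names, base DN and any sample entries are constructed for illustration.

# Pre-Windows 2000 logon name (sAMAccountName) rules for user objects.
SAM_MAX_LEN = 20
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 rules)."""
    out = value.replace("\\", "\\\\")          # backslash first, so escapes added below survive
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def validate_sam(uid: str) -> None:
    """Reject uids that cannot be used verbatim as a user sAMAccountName."""
    bad = sorted(SAM_ILLEGAL & set(uid))
    if not uid or len(uid) > SAM_MAX_LEN or bad or uid.endswith("."):
        raise ValueError(f"uid {uid!r} is not a valid sAMAccountName (bad chars {bad})")

def map_entry(entry: dict, forest: str, base_dn: str) -> dict:
    """Map one Sun entry to the ADAM attributes used in the thread."""
    uid = entry["uid"]
    validate_sam(uid)
    cn = f"{entry['givenName']} {entry['sn']} ({uid})"   # "First Last (Flast)" format
    return {
        "dn": f"CN={escape_rdn_value(cn)},OU={escape_rdn_value(forest)},{base_dn}",
        "cn": cn,
        "sAMAccountName": uid,
        "uid": uid,    # inetOrgPerson attribute, kept so LDAP clients can still search by uid
    }

def map_all(entries, base_dn: str) -> list:
    """Map every entry; refuse a uid that appears in more than one forest."""
    seen = {}
    result = []
    for entry in entries:
        mapped = map_entry(entry, entry["forest"], base_dn)
        key = mapped["sAMAccountName"].lower()   # sAMAccountName is case-insensitive
        if key in seen:
            raise ValueError(f"uid {key!r} appears in forests {seen[key]} and {entry['forest']}")
        seen[key] = entry["forest"]
        result.append(mapped)
    return result
```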
