Re: Change Naming Attribute (RDN) from CN to UID



The dynamic aux classes are there, but you are correct and not a lot of folks are using them yet. But honestly, in most deployments I have worked with, people didn't even really use static aux, instead they were modifying the root classes which isn't something I like a lot.

On bending the standards, ultimately MSFT was trying to maintain legacy capability so that you didn't have the Apple migration method of "start over". This causes quite a few concessions.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Craig Gilmour wrote:
Paul, Tomasz and others,
Thanks for your replies. You have pretty much nailed the reasons for the question. I am dealing with a lot of users in a Sun JES Directory server which uses UID as the naming attribute and enforces uniqueness. We are also using CN and displayName in the Sun directory to have different name formats (one is Last, First and the other First Last). There is a mechanism in the provisioning of the accounts that ensures the UID is generated unique. We want to use the UID as the samAccountName in order to achieve namespace alignment between the two directory environments. The complicating factor is that there are a large number of users (600,000) and a number of AD forests (11). We are deploying an instance of ADAM to have an aggregated view of the users in AD - pretty much a mirror of the Sun directory.

Although AD will have a comprehensive OU structure, ADAM will be much flatter (one OU per AD forest). In the Sun Directory you can use UID as the naming attribute but can pretty easily use other attributes (cn, displayName, ...). It is up to you when you create the DN of the object. It seems like the same flexibility does not exist with AD and ADAM in this respect. However, I have heard elsewhere that if I use inetorgperson I can use UID.

I could certainly add the UID into the CN field in AD and ADAM. However, I want to maintain a more friendly view of common name and keep things consistent across directories. What I have decided to do is to populate common name with the CN from elsewhere but to append the UID at the end. Something like First Last (Flast). This enables CN to be included in general searches, potentially ANR searches but still have a relatively friendly format to be seen in the general admin tools and interfaces.

To answer a few comments about ADAM / AD in terms of standards - it is pretty good, really. Each directory implements things its own way and tends to reflect the roots of that particular directory environment. One "minor" gripe I have is the use of static auxiliary classes as the norm in AD / ADAM rather than dynamic auxiliary classes. All the standards and all other directory implementations refer to auxiliary object classes in a way that is covered by dynamic auxiliary classes in AD. However, because dynamic classes were only introduced in Windows 2003 and ADAM, almost all applications that were written for AD were, out of necessity, written to use static auxiliary classes. From a purist perspective this is relatively poor form, but in the scheme of things is not a major problem.

As a general rule, AD and ADAM are not as flexible as other directories and sometimes bend the standards a little. Don't take this as a negative about the products. I use them every day and they work well. I have also worked pretty closely with the Sun directory and somewhat with Novell's product. The above statement is more a comment on comparison to the standards and other directories. Most idiosyncrasies in AD and ADAM can be worked around - it's just a matter of knowing what they are. This is particularly important as you start to look at how to integrate them.


regards,
Craig Gilmour
"Paul Williams [MVP]" wrote:

Even if assigning the RDN role to uid isn't the answer, I'd like to see if we can do it and what other options are available. It's funny, I've ever so briefly started looking at Java Directory Server (SunONE DS) and although both AD/ADAM and SunONE are LDAPv3 directories, they are very different.

I'm wondering if there are some barriers in moving to the Windows platform for LDAP (to ADAM from iPlanet, etc.) due to the way Microsoft have implemented ADAM. One big gripe from some of my colleagues is the lack of syntaxes defined in the original X.500/LDAP RFCs. I don't know, it seems easy to work around, but as I've not really worked with anything other than AD and now ADAM, I can't say.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
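The approach Craig describes above (keep cn as the RDN in AD/ADAM, render it as "First Last (uid)", set sAMAccountName from the Sun uid, and rely on uid uniqueness across all forests) is easy to get subtly wrong at 600,000 entries: RDN values must be escaped per RFC 4514, and sAMAccountName is compared case-insensitively, so a uid that is unique byte-for-byte in the Sun directory can still collide in AD. The following is an added example written for this thread, not code from any poster or product. It assumes constructed source entries carrying forest, uid, givenName and sn, a hypothetical base DN of DC=example,DC=local, and one OU per forest, as the reply says ADAM will be laid out.

```python
"""Transform uid-named Sun-style entries into cn-named AD/ADAM LDIF entries.

Added example for this thread; hypothetical names and sample data throughout.
"""
import base64
from dataclasses import dataclass

# Characters that RFC 4514 requires to be escaped anywhere inside an RDN value.
_RDN_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a single attribute value for use inside an RDN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def friendly_cn(given: str, sn: str, uid: str) -> str:
    """The 'First Last (uid)' form from the thread: readable, ANR-searchable, unique."""
    return f"{given} {sn} ({uid})"


@dataclass
class SourceEntry:
    forest: str      # which of the AD forests the account lives in (constructed)
    uid: str         # Sun naming attribute, enforced unique by provisioning
    given_name: str
    sn: str


def build_target_entries(entries, base_dn="DC=example,DC=local"):
    """Return (entries, duplicates).

    entries    -> list of attribute dicts ready to serialise as LDIF
    duplicates -> (uid, forest already holding it, forest that collided)
    The uniqueness key is lower-cased because AD matches sAMAccountName
    case-insensitively; two uids differing only in case cannot both be loaded.
    """
    seen = {}
    duplicates = []
    out = []
    for e in entries:
        key = e.uid.lower()
        if key in seen:
            duplicates.append((e.uid, seen[key], e.forest))
            continue
        seen[key] = e.forest
        cn = friendly_cn(e.given_name, e.sn, e.uid)
        dn = f"CN={escape_rdn_value(cn)},OU={escape_rdn_value(e.forest)},{base_dn}"
        out.append({
            "dn": dn,
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "cn": cn,
            "givenName": e.given_name,
            "sn": e.sn,
            "displayName": f"{e.sn}, {e.given_name}",   # the 'Last, First' view
            "uid": e.uid,
            "sAMAccountName": e.uid,
        })
    return out, duplicates


def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or 'attr:: base64' when LDIF's SAFE-STRING rules are violated."""
    safe = (value != "" and value.isascii() and value[0] not in " :<"
            and "\n" not in value and "\r" not in value and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entry) -> str:
    lines = [f"dn: {entry['dn']}"]
    for attr, val in entry.items():
        if attr == "dn":
            continue
        for v in (val if isinstance(val, list) else [val]):
            lines.append(ldif_line(attr, v))
    return "\n".join(lines) + "\n"


# Constructed sample input: four accounts across three forests, one case-only
# collision and one surname containing an RDN-special comma.
SAMPLE = [
    SourceEntry("forest01", "jsmith", "John", "Smith"),
    SourceEntry("forest02", "asmith", "Anne", "Smith"),
    SourceEntry("forest02", "JSMITH", "Jane", "Smith"),      # collides with jsmith
    SourceEntry("forest03", "mjones", "Mary", "Jones, Jr."),
]

if __name__ == "__main__":
    built, dups = build_target_entries(SAMPLE)
    for b in built:
        print(to_ldif(b))
    print("collisions:", dups)
```

Run it over a real export by replacing SAMPLE with entries parsed from the Sun LDIF; the duplicates list is what you want to resolve before the ADAM load rather than after it fails part-way through.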



