Re: ADAM ID resolution without full DN

Tech-Archive recommends: Speed Up your PC by fixing your registry

From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Sep 2008 21:41:00 -0500

I don't know what exactly is going on, but in ADAM the DN, displayName and
userPrincipalName can be used as the user name in an LDAP bind. Note that
displayName and userPrincipalName are not set by default and are not
guaranteed unique by the directory, so your provisioning process would need
to ensure that in order to use either attribute.

As long as the account has a password and is enabled, displayName is set and
is unique, bind with displayName as username should work fine.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Steve Thiakos" <Steve Thiakos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:58B2252F-0D79-4D49-853F-21B46030D178@xxxxxxxxxxxxxxxx

Question: How can I bind a user without a full DN?

Observation:
I have two users created in an application partition (set password over
unsecure connection enabled)

DN: CN=user1,DC=mydomain
changeType: add
objectClass: user
userPassword: easy
displayName: user1

DN: CN=user2,DC=mydomain
changeType: add
objectClass: user
userPassword: easy
displayName: user2

Using LDP I can bind with either by specifying the full DN and
userPassword.

The weird part: If I go into ADAM-ADSIEdit and Reset Password for user2,
I
can then bind in LDP using user2 without a full DN (cannot do so with
user1)

What magic is Reset Password doing and what do I need to add into my ldf
file to make it happen so that I don't have to specify the full DN?

Thanks in advance,

Steve

Follow-Ups:
- Re: ADAM ID resolution without full DN
  - From: Steve Thiakos

References:
- ADAM ID resolution without full DN
  - From: Steve Thiakos

Prev by Date: Re: Directory Design Best Practice
Next by Date: Active Directory and SQL Membership Provider Based Authentication and DMZ
Previous by thread: ADAM ID resolution without full DN
Next by thread: Re: ADAM ID resolution without full DN
Index(es):
- Date
- Thread

Relevant Pages

Re: ADAM authentication failure.
... DN and UPN is good practice, as long as steps are taken to ensure UPN is not ... The objectGUID, displayName, SPN and such options were a total revelation to ... If you have user1 whose displayName is Dmitri, ... userPrincipalName is Dmitri, then if you do simple bind as Dmitri, then ...
(microsoft.public.windows.server.active_directory)
Re: Scripting to change AD attribute
... I'm trying to write a script to change the displayname attribute by ... ADO is read only and cannot be used to modify attributes in AD. ... You must bind to the objects. ... I agree that binding to each object slows the script and offsets the ...
(microsoft.public.scripting.wsh)
Re: Scripting to change AD attribute
... I'm trying to write a script to change the displayname attribute by ... ADO is read only and cannot be used to modify attributes in AD. ... You must bind to the objects. ... Dim adoCommand, adoConnection, strBase, strFilter, strAttributes ...
(microsoft.public.scripting.wsh)
Re: ADAM ID resolution without full DN
... "Joe Kaplan" wrote: ... userPrincipalName can be used as the user name in an LDAP bind. ... displayName and userPrincipalName are not set by default and are not ... If I go into ADAM-ADSIEdit and Reset Password for user2, ...
(microsoft.public.windows.server.active_directory)
Re: ADAM authentication failure.
... If you have user1 whose displayName is Dmitri, ... userPrincipalName is Dmitri, then if you do simple bind as Dmitri, then ... If you have two users whose displayName is Dmitri, then you won't be able to ... UPN too matches any string (but only in ADAM). ...
(microsoft.public.windows.server.active_directory)