I guess in theory that would work, although I'm not sure of the ramifications of having discrepancies between the UPN Left Hand Side and the cn.
I'd have concerns about the effect that would have in an Exchange environment, especially in an Ex5.5 environment running the ADC.

FWIW, we're in a similar boat. We have AS/400's, Unix and Windows machines in a predominantly AD environment. Tack on a large handful of enterprise applications that maintain their own sign on information, and you're in authorization hell. We have tossed around the idea of doing some form of RSO (reduced sign on), but it's not a reality at this point, without spending more money or effort than we have.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 16, 2003 3:54 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] LDAP
>
>
> Roger,
>
> Wouldn't it be possible to make the CN of the user object a 10 character
> name and the sAMAccountName and/or UPN the longer form? That way the
> LDAP-based app can authenticate using the user DN (which is what it will do
> if it does an LDAP simple bind), and the users can login using the longer
> name form. No SSO product needed. The only downside is that I don't think
> you can do this using the MMC to add users, you'd have to use a script or
> some such.
>
> -gil
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 16, 2003 1:18 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] LDAP
>
>
> You asked this a week ago - the answer hasn't really changed.
>
> Either change the user names in AD to be 10 or less characters, or open up
> the checkbook and buy an SSO product that will handle it for you.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 16, 2003 1:04 PM
> > To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> > Subject: [ActiveDir] LDAP
> >
> >
> > I apologize if this is received twice.
> >
> > Scenario:
> > AS400 system with username restriction of 10 characters. Considering
> > installing a "card" with W2k AD installed. Specifically we will be
> > running Windows 2K server on an Integrated xSeries server. This will
> > allow us to enroll existing AS400 users & groups on a W2k server. This
> > allows us one point for administration of both AS400 and W2k set of users.
> >
> > We currently have a domain controller, or W2k w/AD installation. We did not
> > restrict the usernames to 10 characters on this system. Other systems that
> > will be authenticating their usernames against it are also not limited to
> > 10 characters. Our goal is single sign on. We would like to have the users
> > on the AS400/W2K system to authenticate or replicate to our current W2k AD
> > installation. The problem is the limitation of usernames. My question is,
> > is there any way around having to change all the usernames on the other
> > systems to match the 10 character limitation? Can I have the usernames on
> > the AS400 W2K installation link to the current W2k server? I thought with
> > LDAP you could have numerous names linked to one. If so, how can I do this?
> > Your help is greatly appreciated.
> >
> > *************************************
> > Sincerely,
> > Stacey Davis
> > Wan Technician
> > Network Services Department
> > Anderson News Company
> > Phone (865) 584-9765 ext. 1566
> > Email [EMAIL PROTECTED]
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
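Gil's suggestion of a short CN with a longer sAMAccountName/UPN, done by script as he notes the MMC won't do it. This is an added example, not code from the thread; it uses the RSAT ActiveDirectory module (which did not exist in 2003), and the OU, domain suffix and names are constructed placeholders.

```powershell
# Added example: create a user whose CN is the 10-character AS/400 profile
# name while sAMAccountName and UPN carry the longer logon name.
Import-Module ActiveDirectory

$shortName = 'JSMITH01'                       # AS/400 profile name, <= 10 chars -> becomes the CN
$longName  = 'john.smith.acct'                # what users type at the Windows logon prompt
$upnSuffix = 'example.com'                    # constructed placeholder
$ouPath    = 'OU=AS400Users,DC=example,DC=com' # constructed placeholder

# Guard both limits: the AS/400 10-character profile name, and AD's own
# 20-character limit on the pre-Windows 2000 logon name (sAMAccountName) for users.
if ($shortName.Length -gt 10) { throw "CN '$shortName' exceeds the AS/400 10-character limit" }
if ($longName.Length -gt 20)  { throw "sAMAccountName '$longName' exceeds AD's 20-character limit" }

# CN only has to be unique within its OU; sAMAccountName must be unique in the
# domain, so check both before creating anything.
if (Get-ADUser -Filter "Name -eq '$shortName'" -SearchBase $ouPath) {
    throw "An object named $shortName already exists in $ouPath"
}
if (Get-ADUser -Filter "SamAccountName -eq '$longName'") {
    throw "sAMAccountName $longName is already in use"
}

$params = @{
    Name              = $shortName            # -Name sets the CN, i.e. the RDN of the object
    SamAccountName    = $longName
    UserPrincipalName = "$longName@$upnSuffix"
    DisplayName       = 'John Smith'
    Path              = $ouPath
    AccountPassword   = (Read-Host -AsSecureString 'Initial password')
    Enabled           = $true
}
New-ADUser @params

# Show the three names side by side. DistinguishedName is what an LDAP client
# doing a simple bind uses, e.g. CN=JSMITH01,OU=AS400Users,DC=example,DC=com,
# while Windows logon uses SamAccountName or UserPrincipalName.
Get-ADUser -Identity $longName |
    Select-Object Name, SamAccountName, UserPrincipalName, DistinguishedName
```

The UPN prefix and the CN deliberately differ here, which is exactly the discrepancy Roger raises for Exchange and the ADC, so try it against a lab domain with the directory-dependent applications in place before rolling it out.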
