This is what I am trying to accomplish. We were just looking for a way to
avoid changing usernames on the live system to match the AS400 limitations.
This will cause confusion for the end users. We were hoping to "link" the
usernames supplied by the AS400 and the existing usernames in W2k in some
way so no matter which name they used to log in, they were authenticated,
and able to change their password.
But I don't see any way to link these usernames/accounts. We will probably
do as you've done by changing the names on one system or the other so they
are the same on both ends.
Thank you for the reply.

*************************************
Sincerely,
Stacey Davis



                                                                           
"Craig Cerino" <Craig_Cerino@Tiel.com>
Sent by: ActiveDir-owner@MAIL.ACTIVEDIR.ORG
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] LDAP
01/17/2003 08:14 AM
Please respond to [EMAIL PROTECTED]

Here's my 2 cents:
We too are in a similar environment:
5 AS/400s (830, 820 & 3 270s)

My solution was not totally what you want to do - but it accomplishes
the end result.

1. All user IDs (on both ends) follow the same naming convention (Joe
Simpson = jsimpson).
2. Then password security is identical on both ends (at least one
non-alphanumeric character and one numeric, and however many alphas to be
at least 8 characters in length).
3. Passwords are on the same renew clock on the IBM and NT end.


Again, not exactly what you want to do --- but the end result is the
same ( I think) and I've had no issues for over a year.


Craig

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 7:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP

I guess in theory that would work, although I'm not sure of the
ramifications of having discrepancies between the UPN left-hand side and
the cn.

I'd have concerns about the effect that would have in an Exchange
environment, especially in an Ex5.5 environment running the ADC.

FWIW, we're in a similar boat. We have AS/400s, Unix and Windows machines
in a predominantly AD environment. Tack on a large handful of enterprise
applications that maintain their own sign-on information, and you're in
authorization hell. We have tossed around the idea of doing some form of
RSO (reduced sign-on), but it's not a reality at this point, without
spending more money or effort than we have.


------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -----Original Message-----
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 16, 2003 3:54 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] LDAP
>
>
> Roger,
>
> Wouldn't it be possible to make the CN of the user object a 10 character
> name and the sAMAccountName and/or UPN the longer form? That way the
> LDAP-based app can authenticate using the user DN (which is what it will do
> if it does an LDAP simple bind), and the users can log in using the longer
> name form. No SSO product needed. The only downside is that I don't think
> you can do this using the MMC to add users, you'd have to use a script or
> some such.
>
> -gil
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 16, 2003 1:18 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] LDAP
>
>
> You asked this a week ago - the answer hasn't really changed.
>
> Either change the user names in AD to be 10 or less characters, or open up
> the checkbook and buy an SSO product that will handle it for you.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 16, 2003 1:04 PM
> > To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> > Subject: [ActiveDir] LDAP
> >
> >
> > I apologize if this is received twice.
> > Scenario:
> > AS400 system with username restriction of 10 characters. Considering
> > installing a "card" with W2k AD installed. Specifically we will be
> > running Windows 2K server on an Integrated xSeries server. This will
> > allow us to enroll existing AS400 users & groups on a W2k server. This
> > allows us one point for administration of both AS400 and W2k set of
> > users.
> > We currently have a domain controller, or W2k w/AD installation. We did
> > not restrict the usernames to 10 characters on this system. Other
> > systems that will be authenticating their usernames against it are also
> > not limited to 10 characters. Our goal is single sign on. We would like
> > to have the users on the AS400/W2K system to authenticate or replicate
> > to our current W2k AD installation. The problem is the limitation of
> > usernames. My question is, is there any way around having to change all
> > the usernames on the other systems to match the 10 character
> > limitation? Can I have the usernames on the AS400 W2K installation link
> > to the current W2k server? I thought with LDAP you could have numerous
> > names linked to one. If so, how can I do this?
> > Your help is greatly appreciated.
> > *************************************
> > Sincerely,
> > Stacey Davis
> > Wan Technician
> > Network Services Department
> > Anderson News Company
> > Phone (865) 584-9765 ext. 1566
> > Email [EMAIL PROTECTED]
> >
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
>



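An added example, not from any of the messages in this thread, of the user layout Gil suggests: the 10-character AS/400 profile name becomes the CN (and so the DN an LDAP simple bind uses), while the longer name users already know goes in sAMAccountName and the UPN. It uses the ActiveDirectory PowerShell module (RSAT) rather than a 2003-era ADSI script; the domain controller name, OU, UPN suffix and the two sample users are all assumptions. The length and character checks reflect the AS/400 10-character profile limit discussed above and AD's own 20-character limit on sAMAccountName.

```powershell
# Added example (not code from this thread). Builds user objects whose CN is the
# AS/400 profile name and whose sAMAccountName/UPN is the longer Windows name.
# Requires the ActiveDirectory module (RSAT). Server, OU and suffix are assumed.
param(
    [string]$Server    = 'dc01.example.com',           # assumed DC
    [string]$OU        = 'OU=Users,DC=example,DC=com', # assumed container
    [string]$UpnSuffix = 'example.com'                 # assumed UPN suffix
)

Import-Module ActiveDirectory

# Constructed sample input: AS/400 profile name (<= 10 chars) beside the long
# name the same person already uses on the Windows side.
$people = @(
    @{ As400 = 'JSIMPSON';  Long = 'joseph.simpson';  Given = 'Joe';   Sur = 'Simpson'   },
    @{ As400 = 'MKOWALCZY'; Long = 'maria.kowalczyk'; Given = 'Maria'; Sur = 'Kowalczyk' }
)

function Test-NamePair {
    param([string]$ShortName, [string]$LongName)
    # AS/400 user profile names are limited to 10 characters (the limit the
    # thread is about); AD limits sAMAccountName to 20 characters and rejects
    # a fixed set of punctuation in it.
    if ($ShortName.Length -gt 10) { throw "CN '$ShortName' exceeds the 10-character AS/400 limit" }
    if ($LongName.Length  -gt 20) { throw "sAMAccountName '$LongName' exceeds AD's 20-character limit" }
    if ($LongName -match '[\\/\[\]:;|=,+*?<>"@]') { throw "sAMAccountName '$LongName' contains a character AD rejects" }
}

foreach ($p in $people) {
    Test-NamePair -ShortName $p.As400 -LongName $p.Long

    # -Name becomes the CN, and therefore the DN, so the LDAP app that does a
    # simple bind sees the 10-character AS/400 id. -SamAccountName and
    # -UserPrincipalName carry the long form users type at a Windows logon.
    # The initial password is prompted for rather than embedded in the script.
    New-ADUser -Server $Server -Path $OU `
        -Name $p.As400 `
        -SamAccountName $p.Long `
        -UserPrincipalName "$($p.Long)@$UpnSuffix" `
        -GivenName $p.Given -Surname $p.Sur -DisplayName "$($p.Given) $($p.Sur)" `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $($p.Long)") `
        -ChangePasswordAtLogon $true -Enabled $true
}

# Check: the DN the LDAP application binds with next to the names users log on with.
Get-ADUser -Server $Server -SearchBase $OU -Filter * |
    Select-Object DistinguishedName, SamAccountName, UserPrincipalName

# Optional check of the DN-based simple bind the LDAP app would perform. It is
# done over LDAPS (TCP 636) because a simple bind sends the password in the clear
# on plain LDAP. Hostname and DN are the assumed values from above.
$dn = "CN=JSIMPSON,$OU"
$pw = Read-Host "Password to test simple bind as $dn"
$de = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${Server}:636/$OU", $dn, $pw,
    [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
$null = $de.NativeObject   # throws if the bind is rejected
```

Two practical points for anyone trying this layout: the DN stays tied to the CN, so a later rename of sAMAccountName on the Windows side does not disturb the name the AS/400 side links to, and any application that authenticates by DN with a simple bind should be pointed at LDAPS or StartTLS, since otherwise the user's password crosses the network in cleartext.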