Eric - we basically did what you suggest...our CN, name, and sAMAccountName attributes are the same. WebSphere users can use their "LAN ID and password". Since WebSphere also grabs the group membership info for the user when they log in, it can map this to the 'roles' in the J2EE application, so we get some authorization based on AD groups as well.
We have very centrally-controlled account creation on all major systems, as Al suggested, which makes this fairly easy to swallow. As you pointed out, you can add columns in the GUI for last/first, but I find that I never look for users by scrolling through the list anyhow - it's either do a search, or use automation, so it really doesn't matter that the 'name' column shows the non-friendly fixed identifier we use as a login ID. Exchange 2000/Outlook use the display name in the GAL, so that's not a problem either.

We actually did this in the first place because it eliminates the possibility of a name collision within a single container, regardless of how many of our users are placed there. The other benefits were a side-effect.

Since you asked the question, I'm curious too - how many large enterprises (more than several thousand users at least) use the 'default' firstname lastname construction for their CN?

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 28, 2004 10:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory and Other LDAP Integration

All, we are in search of the elusive single sign-on...

We are designing/testing pieces of what may become a multi-platform authentication strategy. We've begun with the authentication integration with IBM's WebSphere. While we've been successful in its integration (having WebSphere on a Linux box authenticate to AD), we have a dilemma with how the DN is created...specifically the CN. The CN appears to default to be the same as the 'Display Name'. With this being the case, a user logging into WebSphere's Portal would need to log in with what would appear to them as yet another ID using their 'First' and 'Last' names. And that's assuming that our naming standards are intact and haven't had to account for identical names.

A way around this appears to be having the user's logon name and 'Name' [CN] fields be identical. We would then add the "Display Name" column to ADUC and other such AD management tools for our sanity of management. Enforcing/ensuring this setting would not be difficult for us as we use Aelita Enterprise Directory Manager, so we would just create a validation/enforcement rule as well as ensure automatic policy validation.

My questions are:
Has anyone else run into this problem?
Is this really a problem, or just what I'm simply supposed to do?
Are there other problems that might arise from this change in procedure?
What kind of success have people had in having other platforms and LDAP-able applications authenticate to AD?

TIA,

Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
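The two messages above turn on the same mechanism: an LDAP-enabled application takes the login ID a user types, locates the matching AD account, binds as that account's DN, and then reads the account's group membership to decide application roles. Whether the login ID has to equal the CN depends entirely on which attribute the application searches by. The following is an added example, written for this page and not code from either poster, WebSphere or Aelita. It models the search-then-bind flow in Python against a constructed in-memory directory (the example.com domain, OUs, user names, passwords and the Portal-Admins/Portal-Users group names are all assumptions), shows the RFC 4515 escaping the login ID needs before it is placed in a search filter, and maps memberOf group DNs to roles while handling an escaped comma inside a group CN.

```python
# Added example (not from the thread): search-by-sAMAccountName, bind as the
# returned DN, then map memberOf to application roles. No directory is
# contacted; every DN, user, password and group name below is a constructed
# assumption used only to exercise the logic.

from dataclasses import dataclass, field

# RFC 4515: these characters have filter syntax meaning, so a user-supplied
# login ID must be escaped before it goes into a filter, otherwise input such
# as "*)(objectClass=*" rewrites the query (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login_id: str) -> str:
    """Filter an application would send to find one account by sAMAccountName."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login_id)}))"


def first_rdn(dn: str) -> tuple[str, str]:
    """Return (attribute, value) of the first RDN of a DN, honouring RFC 4514
    backslash escapes so that an escaped comma inside a CN is kept as data."""
    chars, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                chars.append(chr(int(nxt, 16)))   # \2c style hex escape
                i += 3
            else:
                chars.append(dn[i + 1])           # \, style escape
                i += 2
            continue
        if ch == ",":
            break
        chars.append(ch)
        i += 1
    attr, _, value = "".join(chars).partition("=")
    return attr.strip().upper(), value.strip()


@dataclass
class Entry:
    """Constructed AD user entry following the thread's convention:
    CN equals sAMAccountName, displayName stays friendly for the GAL."""
    dn: str
    sam_account_name: str
    display_name: str
    password: str            # stand-in for "the bind as this DN succeeds"
    member_of: list[str] = field(default_factory=list)


# Constructed mapping from AD group CN to application role (assumption).
GROUP_TO_ROLE = {"Portal-Admins": "admin", "Portal-Users": "user"}

# Constructed directory: two users share a display name but not a CN, which
# is exactly the collision the login-ID-as-CN convention avoids.
DIRECTORY = [
    Entry("CN=jsmith1,OU=Users,DC=example,DC=com", "jsmith1", "John Smith", "pw-one",
          ["CN=Portal-Users,OU=Groups,DC=example,DC=com"]),
    Entry("CN=jsmith2,OU=Users,DC=example,DC=com", "jsmith2", "John Smith", "pw-two",
          ["CN=Portal-Users,OU=Groups,DC=example,DC=com",
           "CN=Portal-Admins,OU=Groups,DC=example,DC=com",
           r"CN=Sales\, East,OU=Groups,DC=example,DC=com"]),
]


def find_user(login_id: str, directory=DIRECTORY):
    """Stand-in for the LDAP search: sAMAccountName is case-insensitive in AD,
    and exactly one entry must come back or the login is refused."""
    hits = [e for e in directory if e.sam_account_name.lower() == login_id.lower()]
    return hits[0] if len(hits) == 1 else None


def roles_for(member_of: list[str]) -> set[str]:
    roles = set()
    for group_dn in member_of:
        attr, cn = first_rdn(group_dn)
        if attr == "CN" and cn in GROUP_TO_ROLE:
            roles.add(GROUP_TO_ROLE[cn])
    return roles


def authenticate(login_id: str, password: str):
    """Search-then-bind: resolve the login ID to a DN, bind as that DN, then map
    group membership to roles. Returns (dn, roles) or None on failure. The empty
    password is rejected explicitly because a real LDAP bind with an empty
    password is an unauthenticated bind that many servers report as success."""
    user = find_user(login_id)
    if user is None or not password or password != user.password:
        return None
    return user.dn, roles_for(user.member_of)


if __name__ == "__main__":
    print(user_search_filter("jsmith1"))
    print(user_search_filter("*)(objectClass=*"))   # injection attempt, escaped
    print(authenticate("JSmith2", "pw-two"))
```

The point the example makes: once the search is keyed on sAMAccountName, the CN can be anything (the login ID, as Dave's shop does, or "First Last"), because the application binds with the DN the search returns, not with a DN it builds from the typed name. The two checks worth keeping in a real registry configuration are the filter escaping and the refusal of anything other than exactly one search hit.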
