I'm with you on discouraging using DN as a binding user name for AD. However,
this is very common practice in other directories and DN is the only
attribute that the LDAP spec defines as needing to be supported for simple
bind. A lot of apps that support multiple directories will insist you do it
this way.
That isn't to say that this will apply to the app the OP is using, but I
thought this was worth sharing. :)
Joe K.
----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 06, 2006 8:53 PM
Subject: Re: [ActiveDir] Speaking of SamAccountName...
Just to throw in $0.02 (USD):
DN would be a bad idea with Active Directory outside of the information it
gives away. Active Directory is designed to allow for the movement and
changing of accounts. Using the DN would break that as far as the user is
concerned. Since you can have multiple UPNs and at least one samaccount
name, you should choose between them. One thought might help: if your cn and
samaccountname match, it's easier to choose. If your upn lhs matches the cn
which matches the samaccountname, then it might be even easier to prevent
identity crises.
FWIW.
And hey, that's good information to have Joe. cheers :)