On Thu, 12 Oct 2006 18:36:24 -0400
"joe" <[EMAIL PROTECTED]> wrote:
> The userPrincipalName uniqueness is based on the ENTIRE UPN, not just the
> first component. Unless you are POSITIVE that the UPNs will be unique up to
> the realm then you may want to find something else for your key. In ADAM
> you can use single name without realm UPNs and ADAM will enforce that
> uniqueness for you. But that is ADAM, not AD.
The entries would be under a domain container and therefore they are
unique. The organisation might look like the following:
DC=example,DC=com
CN=Supplemental,DC=example,DC=com
FOO=Managers,CN=Supplemental,DC=example,DC=com
objectClass=group
objectSid=<binarysid>
[EMAIL PROTECTED]
where FOO is some attribute that means "The name component of the UPN". Is
there such an attribute? Is 'uid' guaranteed to be the name component of
a user's UPN?
For now I'm using sAMAccountName
(e.g. sAMAccountName=Managers,CN=Supplemental,DC=example,DC=com) but this
is not optimal since sAMAccountName may not match the name component of
the UPN and it is yearning to be deprecated.
> If you want to look up the real DNs, you can obviously do so with the full
> UPN. Just do a GC query of [EMAIL PROTECTED]
The whole point is to provide a cache of group sids so any querying
would defeat the purpose.
Mike
PS: Any confusion over this post is no doubt attributable to the fact that
I'm not actually using a real LDAP store for anything described here. I
have written an LDAP C API wrapper that can operate on data structures
in memory. Meaning I have written a very simple LDAP server.
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
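Editor's note, an added example that is not code from Mike's post or from his in-memory LDAP wrapper: a small Python sketch of the group-SID cache the thread is about, keyed on the full UPN (name component plus realm) as joe advises, with the DN built under the CN=Supplemental container from the post using sAMAccountName as the RDN attribute (the post's current choice). The RFC 4514 escaping of the RDN value, the SID byte strings and the helper that surfaces name-component collisions across realms are my additions; nothing here is taken from AD or ADAM behaviour beyond what the thread states.

```python
"""In-memory cache of group SIDs keyed by userPrincipalName.

Added example, not from the original post or the author's LDAP wrapper.
Assumptions: a UPN is "<name>@<realm>", and (joe's point) uniqueness is
enforced on the ENTIRE UPN, not on the name component alone.
"""
from __future__ import annotations
from dataclasses import dataclass

# Container the post places the cached entries under.
SUPPLEMENTAL_BASE = "CN=Supplemental,DC=example,DC=com"

# Characters RFC 4514 section 2.4 requires escaping inside an RDN value.
_RDN_SPECIALS = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' only
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def split_upn(upn: str) -> tuple[str, str]:
    """Split 'name@realm' into (name, realm); reject anything else."""
    name, sep, realm = upn.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a UPN: {upn!r}")
    return name, realm.lower()   # realm is a DNS name, so case-insensitive


@dataclass(frozen=True)
class GroupEntry:
    upn: str
    sid: bytes   # binary objectSid, as in the post's example entry
    dn: str


class SidCache:
    """Keyed on the full UPN (name + realm), as joe advises.

    The RDN attribute is a parameter; the post uses sAMAccountName for
    now, so that is the default here.
    """

    def __init__(self, rdn_attr: str = "sAMAccountName"):
        self.rdn_attr = rdn_attr
        self._by_upn: dict[str, GroupEntry] = {}

    def add(self, upn: str, sid: bytes) -> GroupEntry:
        name, realm = split_upn(upn)
        key = f"{name}@{realm}"
        if key in self._by_upn:
            raise KeyError(f"duplicate UPN {key}")
        dn = f"{self.rdn_attr}={escape_rdn_value(name)},{SUPPLEMENTAL_BASE}"
        entry = GroupEntry(key, sid, dn)
        self._by_upn[key] = entry
        return entry

    def lookup(self, upn: str) -> GroupEntry | None:
        name, realm = split_upn(upn)
        return self._by_upn.get(f"{name}@{realm}")


def name_component_collisions(upns: list[str]) -> dict[str, list[str]]:
    """Why the name component alone is not a safe key: group the given
    UPNs by name component and return those seen in more than one realm."""
    groups: dict[str, list[str]] = {}
    for upn in upns:
        name, realm = split_upn(upn)
        groups.setdefault(name, []).append(realm)
    return {n: r for n, r in groups.items() if len(r) > 1}


if __name__ == "__main__":
    cache = SidCache()
    # Constructed placeholder SIDs, not real objectSid values.
    managers = cache.add("Managers@example.com", b"\x01\x05\x00\x00")
    cache.add("Managers@corp.example.com", b"\x01\x05\x00\x01")
    print(managers.dn)
    print(name_component_collisions(
        ["Managers@example.com", "Managers@corp.example.com", "Admins@example.com"]))
```

With two realms in play the cache keeps both "Managers" groups apart because the key is the whole UPN; `name_component_collisions` reports exactly the names that would have clashed had the RDN alone been the key, which is the situation joe warns about.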