The CN is basically just to have the username *used during login*. Our usernames (account names) are unique, but our uid isn't. That's because the uid represents a person, while usernames represent the accounts they have.
This all goes back to portal pains and being able to log in *with a username*, while abstracting the username from other systems using SSO. That way, when a user needs to change their username, it really won't matter to the other systems because they're keying off the uid. Or, if they go from being a prospective student (with a @wherever.com email address) to an enrolled student (with a university email address) or an employee -- nothing for them changes in the portal.

I'm thinking we're going to have users select their "primary" account and flag that account in LDAP so the credentials resolver would use something like this...

(&(acctStatus=primary)(uid=123456789))

to make it resolve to the user's primary account.

We developed all this with a commercial portal in mind, and quite a ways into the process we decided their product wasn't a good fit for us, so that's the other reason this methodology may seem different...

David

On Fri, Nov 18, 2011 at 8:30 AM, Marvin Addison <[email protected]> wrote:

> > can I filter/query based on something like:
> >
> > (&(cn=dhicks)(uid=123456789))
>
> The only thing you'd have to perform the query is the resolved
> principal ID, which would be the uid in your case. I'm having trouble
> imagining a directory where uid isn't globally unique for a particular
> branch. We have a DIT much like yours based on the little you've
> shared and a query like uid=12345 would produce a single result in our
> directory. Can you explain why you'd need the CN (which is presumably
> the username provided in the login form) in the query above?
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
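The primary-account lookup discussed in this thread, as an added example that is not part of the original messages and is not CAS code: it builds the `(&(acctStatus=primary)(uid=...))` filter with RFC 4515 escaping and refuses to resolve when the result is not exactly one entry. The sample entries, the `secondary` status value, the helper names and the minimal in-memory filter evaluator are assumptions made for illustration.

```python
import re

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a value cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def primary_account_filter(uid):
    """Filter from the thread: the flagged primary account for one person."""
    return '(&(acctStatus=primary)(uid=%s))' % escape_filter_value(uid)

def _unescape(value):
    """Turn \\xx escapes back into the characters they stand for."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)

def match(entry, ldap_filter):
    """Minimal stand-in for a directory server: AND of equality terms only."""
    terms = re.findall(r'\(([A-Za-z]+)=([^()]*)\)', ldap_filter)
    return bool(terms) and all(entry.get(k) == _unescape(v) for k, v in terms)

# Constructed directory: uid identifies a person, cn identifies an account.
# 'secondary' is an assumed value for non-primary accounts.
DIRECTORY = [
    {'cn': 'dhicks', 'uid': '123456789', 'acctStatus': 'primary'},
    {'cn': 'dhicks-student', 'uid': '123456789', 'acctStatus': 'secondary'},
    {'cn': 'jdoe', 'uid': '987654321', 'acctStatus': 'primary'},
]

def resolve_primary(entries, uid):
    """Return the cn of the single primary account for uid; refuse ambiguity."""
    ldap_filter = primary_account_filter(uid)
    hits = [e for e in entries if match(e, ldap_filter)]
    if len(hits) != 1:
        # Zero or several primary flags: fail closed instead of picking one.
        raise LookupError('%d entries match %s' % (len(hits), ldap_filter))
    return hits[0]['cn']

if __name__ == '__main__':
    by_uid = [e['cn'] for e in DIRECTORY if match(e, '(uid=123456789)')]
    print('uid alone matches:', by_uid)
    print('primary account:', resolve_primary(DIRECTORY, '123456789'))
```
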
