Digressing further from the original topic...

* joe <j...@joeware.net> [2012-03-07 01:29]:
> Probably not. The user ids usually aren't stored in the root of the
> ldap directory and there is no telling what they used for the RDN of
> the user object. Most companies, unfortunately, don't use username
> as the RDN value, they are usually using a display name of some sort
> (yes I know, stupid but is influenced by the default MSFT
> provisioning tools and Exchange).
In comparison with a person's real name, using username (login name, NetID, whatever) as the most specific RDN certainly is preferable. But I thought about moving away from using even the username for construction of the RDN and instead creating some semantically void, persistent, opaque identifier (think type 4 UUID or something like that, unknown to the user, so that's not something anyone would ever type into a login form for authN). I would hope to make object renames completely unnecessary (since usernames might still change -- by fiat -- however much we may try to avoid that) and also not give the username away when it's not needed, since it's currently always visible in the DN itself (or entryDN opattr).

Is anyone doing that? Is it worth the effort?

-peter
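The design Peter sketches, as an added illustration that is not part of this thread: a toy in-memory directory whose naming attribute is a type 4 UUID, so the login name is found by a search filter rather than baked into the DN, and changing it is an attribute modify instead of a modrdn. The base DN, the `uniqueIdentifier` naming attribute and the sample users are assumptions.

```python
import uuid

BASE_DN = "ou=people,dc=example,dc=org"   # assumed base DN

# RFC 4515 escaping for any value interpolated into a search filter;
# needed because the username now only ever appears in a filter, never in a DN.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str) -> str:
    """Filter a search-then-bind login flow would send for the typed username."""
    return f"(uid={escape_filter_value(username)})"


class OpaqueRdnDirectory:
    """Toy directory: DN is built from an opaque UUID, not from uid or cn."""

    def __init__(self):
        self._entries = {}   # dn -> attribute dict

    def add_person(self, uid: str, cn: str) -> str:
        # Type 4 UUID as the RDN value: persistent, opaque, never typed by a user.
        ident = str(uuid.uuid4())
        dn = f"uniqueIdentifier={ident},{BASE_DN}"
        self._entries[dn] = {"uniqueIdentifier": ident, "uid": uid, "cn": cn}
        return dn

    def find_dn_by_uid(self, uid: str):
        # Equality match on uid under BASE_DN, i.e. what build_login_filter()
        # would ask a real server; the DN is the result, not the input.
        for dn, attrs in self._entries.items():
            if attrs["uid"] == uid:
                return dn
        return None

    def change_uid(self, dn: str, new_uid: str) -> None:
        # A username change by fiat touches one attribute; the DN stays put,
        # so nothing that references the entry by DN needs updating.
        self._entries[dn]["uid"] = new_uid

    def attributes(self, dn: str) -> dict:
        return dict(self._entries[dn])
```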