grouper-users - Re: [grouper-users] Query on Naming Conflicts - Grouper, ldappcng, AD
Subject: Grouper Users - Open Discussion List
- From: "RL 'Bob' Morgan" <>
- To: Tom Zeller <>
- Cc: "Mailvaganam, Hari" <>, "" <>
- Subject: Re: [grouper-users] Query on Naming Conflicts - Grouper, ldappcng, AD
- Date: Thu, 10 Mar 2011 10:24:19 -0800 (PST)
At UW we put group names into sAMAccountName of our campus-wide AD, hence had to create a group name space that is non-conflicting with our general username space, and also conforms to restrictions in sAMAccountName syntax. This led us to these designs:
https://wiki.cac.washington.edu/display/infra/UW+NetID+Namespace
which carves out subspaces of the greater NetID namespace for various purposes including groups.
https://wiki.cac.washington.edu/display/groups/UW+Group+Naming+Plan
Note that among other things sAMAccountNames can't have ":" in them. So we are obliged to work around the hard-coding of ":" as group-id delimiter in Grouper by translating it to "_" in every external view, including our Groups Service UI.
See here for user documentation:
http://www.washington.edu/itconnect/security/uwgroups.html
- RL "Bob"
On Thu, 10 Mar 2011, Tom Zeller wrote:
At Memphis, we make sure that our Active Directory RDNs are unique,
whether they be users, groups, contacts, etc., and these RDNs are
provisioned to sAMAccountName. Whenever a new person, group, or
contact is created, we check our namespace for uniqueness.
Silly, but, you might get away with adding a prefix to sAMAccountName
for groups.
On Wed, Mar 9, 2011 at 5:59 PM, Mailvaganam, Hari wrote:
Hi:
We are looking at pushing groups from Grouper, via LDAPPCNG, to Active
Directory (AD).
In example scenario below, for group and person, there will be a clash in
sAMAccountName – would you have any suggestions on policies, or rules, to
avoid similar conflict?
GROUP
Distinguished Name (DN):
CN=science,OU=Groups,OU=IT,OU=example,OU=Clients,DC=example,DC=edu
sAMAccountName: science
PERSON
Distinguished Name (DN):
CN=science,OU=People,OU=IT,OU=example,OU=Clients,DC=example,DC=edu
sAMAccountName: science
Thanks.
Best regards,
Hari
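The checks discussed in this thread (translating ":" to "_", an optional prefix for groups, and a uniqueness check against the existing namespace) can be combined in a pre-provisioning pass; the following is an added Python example, not part of any message above and not Grouper or ldappcng code. It also flags two cases the thread does not spell out: the ":" to "_" translation is not one-to-one, and the comparison is done case-insensitively. The function names, the "g_" prefix, the sample data, the forbidden-character set beyond ":" and the length limit are assumptions.

```python
# Added example; function names, the "g_" prefix and all sample data are constructed.
FORBIDDEN = set('"/\\[]:;|=,+*?<>')  # assumed rejected characters; ":" is from the thread
MAX_LEN = 256                        # assumed length limit for a group sAMAccountName

def to_sam(grouper_name, prefix=""):
    """Map a ':'-delimited Grouper group name to a sAMAccountName candidate."""
    sam = prefix + grouper_name.replace(":", "_")
    bad = sorted(set(sam) & FORBIDDEN)
    if bad:
        raise ValueError(f"{grouper_name!r}: forbidden characters {bad}")
    if not sam or len(sam) > MAX_LEN:
        raise ValueError(f"{grouper_name!r}: length {len(sam)} out of range")
    return sam

def plan(group_names, existing_sams, prefix=""):
    """Return (assignments, conflicts) for groups about to be provisioned.

    existing_sams holds every sAMAccountName already in the directory
    (users, groups, contacts). Names are compared case-insensitively.
    """
    taken = {s.casefold(): f"existing account {s!r}" for s in existing_sams}
    assignments, conflicts = {}, []
    for name in group_names:
        try:
            sam = to_sam(name, prefix)
        except ValueError as exc:
            conflicts.append((name, str(exc)))
            continue
        key = sam.casefold()
        if key in taken:
            conflicts.append((name, f"{sam!r} clashes with {taken[key]}"))
        else:
            # Reserve the name so a later group mapping to it is reported too.
            taken[key] = f"group {name!r}"
            assignments[name] = sam
    return assignments, conflicts

EXISTING = ["Science", "jdoe"]  # constructed: accounts already in the directory
GROUPS = ["science", "example:it:staff", "example:it_staff", "example:it:a+b"]

if __name__ == "__main__":
    for prefix in ("", "g_"):
        ok, bad = plan(GROUPS, EXISTING, prefix)
        print(f"prefix={prefix!r}: assigned={ok}")
        for name, reason in bad:
            print(f"  conflict {name!r}: {reason}")
```

A prefix removes the clash between the group and the person named "science", but "example:it:staff" and "example:it_staff" still map to the same value, so the uniqueness check is needed either way.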