Grouper Users - Open Discussion List

["Bryan E. Wooten" <>]

Thanks Mike,

 

I am using bushy. Doesn’t seem to make any difference.

 

As a quick work around I decide to set sAMAccountName to group descripton since I can control it in the UI.

 

But now I get a new Error: DSID-03050C42

 

“This occured because the "cn" attribute did not match the first part of the "distinguishedName" attribute. If we change this to:”

 

http://clintboessen.blogspot.com/2011/06/0x2081-multiple-values-were-specified.html

 

Thanks,

 

Bryan

From: Michael R. Gettes [mailto:]
Sent: Monday, March 11, 2013 2:53 PM
To: Bryan E. Wooten
Cc:
Subject: Re: [grouper-users] AD groups and sAMAccountname, colons

 

keep in mind you have 64 character limit in most component names of a DN in AD.  Thank you Microsoft and thank you PKI folks for coming up with arbitrary not-so-well-thought-out limitations.  We break down each : separated name into an OU and the leaf becomes a CN.   I am told there is some config statement regarding "bushy" that makes all this happen.

 

i hope this helps.

 

/mrg

 

On Mar 11, 2013, at 4:41 PM, "Bryan E. Wooten" <>

 wrote:

When provisioning AD groups from the PSP the default example shows sAMAccountName being set to the CN.  When the PSP provisions a group it seems to create 2 CNs. One like FolderID:GroupID and another that is just GroupID.

 

Well AD doesn’t allow colons in sAMAccountName. I found this discussion:

 

https://lists.internet2.edu/sympa/arc/grouper-dev/2012-07/msg00027.html

 

This comment caught my eye:

 

“ At Duke, we work around the colon issue and maintain uniqueness by converting the colons into hyphens and not allowing hyphens in group/folder names in Grouper.”

 

Is this something I can configure or do I have to dig into the source code to make the fix?

 

-Bryan