
grouper-users - Re: [grouper-users] AD groups and sAMAccountname, colons

Subject: Grouper Users - Open Discussion List

  • From: Sebastien Gagne <>
  • To: "Bryan E. Wooten" <>
  • Cc: "Michael R. Gettes" <>, "" <>
  • Subject: Re: [grouper-users] AD groups and sAMAccountname, colons
  • Date: Mon, 11 Mar 2013 19:01:05 -0400
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=pass (signature verified)

Another suggestion: if sAMAccountName isn't required, you can leave it empty and let Active Directory auto-generate one (it'll be random characters).

Here we used the group extension with a hook to ensure uniqueness across Grouper and the other AD objects.

---
Sébastien Gagné, M.Ing., ing. jr
Analyste en informatique - Université de Montréal


On Mon, Mar 11, 2013 at 5:34 PM, Bryan E. Wooten <> wrote:

Thanks Mike,

I am using bushy. Doesn’t seem to make any difference.

As a quick workaround I decided to set sAMAccountName to group description since I can control it in the UI.

But now I get a new Error: DSID-03050C42

“This occurred because the "cn" attribute did not match the first part of the "distinguishedName" attribute. If we change this to:”

http://clintboessen.blogspot.com/2011/06/0x2081-multiple-values-were-specified.html

Thanks,

Bryan

From: Michael R. Gettes [mailto:]
Sent: Monday, March 11, 2013 2:53 PM
To: Bryan E. Wooten
Cc:
Subject: Re: [grouper-users] AD groups and sAMAccountname, colons

 

keep in mind you have 64 character limit in most component names of a DN in AD. Thank you Microsoft and thank you PKI folks for coming up with arbitrary not-so-well-thought-out limitations. We break down each : separated name into an OU and the leaf becomes a CN. I am told there is some config statement regarding "bushy" that makes all this happen.

i hope this helps.

/mrg

On Mar 11, 2013, at 4:41 PM, "Bryan E. Wooten" <> wrote:



When provisioning AD groups from the PSP the default example shows sAMAccountName being set to the CN. When the PSP provisions a group it seems to create 2 CNs. One like FolderID:GroupID and another that is just GroupID.

Well AD doesn’t allow colons in sAMAccountName. I found this discussion:

This comment caught my eye:

“At Duke, we work around the colon issue and maintain uniqueness by converting the colons into hyphens and not allowing hyphens in group/folder names in Grouper.”

Is this something I can configure or do I have to dig into the source code to make the fix?

-Bryan
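
The two name mappings discussed in this thread, as an added Python example that is not part of any message above and is not Grouper or PSP code: the "bushy" layout (each colon-separated folder becomes an OU, the leaf becomes the CN, each component held to the 64-character limit mentioned) and the colon-to-hyphen sAMAccountName conversion, including why hyphens have to be refused in the source name. The function names and the base DN are assumptions made for illustration.

```python
import re

MAX_RDN_VALUE = 64  # per-component limit quoted in the thread
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')  # need a backslash in a DN (RFC 4514)


def escape_rdn(value):
    """Escape one RDN value so a group name cannot alter the DN structure."""
    body, tail = (value[:-1], "\\ ") if value.endswith(" ") else (value, "")
    body = _DN_SPECIAL.sub(r"\\\1", body)
    if body.startswith(("#", " ")):
        body = "\\" + body
    return body + tail


def bushy_dn(grouper_name, base_dn):
    """Folders become OUs, the leaf becomes the CN (the 'bushy' layout)."""
    parts = grouper_name.split(":")
    if any(not p for p in parts):
        raise ValueError("empty component in %r" % grouper_name)
    for p in parts:
        if len(p) > MAX_RDN_VALUE:
            raise ValueError("component over %d chars: %r" % (MAX_RDN_VALUE, p))
    rdns = ["CN=" + escape_rdn(parts[-1])]
    rdns += ["OU=" + escape_rdn(p) for p in reversed(parts[:-1])]
    return ",".join(rdns + [base_dn])


def sam_account_name(grouper_name):
    """Colon-to-hyphen mapping; hyphens in the source name are refused so
    two different Grouper names can never yield the same sAMAccountName."""
    if "-" in grouper_name:
        raise ValueError("hyphen not allowed in %r" % grouper_name)
    return grouper_name.replace(":", "-")


def naive_sam(grouper_name):
    """Same replacement without the hyphen ban, kept to show the collision."""
    return grouper_name.replace(":", "-")


if __name__ == "__main__":
    base = "DC=example,DC=edu"  # constructed base DN
    print(bushy_dn("apps:wiki:editors", base))
    print(sam_account_name("apps:wiki:editors"))
    # Two distinct Grouper names, one sAMAccountName, if hyphens are allowed:
    print(naive_sam("apps:wiki-editors"), naive_sam("apps-wiki:editors"))
```
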

 

 

 




