Elías Halldór Ágústsson
2006-Apr-28 15:11 UTC
[Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints.
We are experimenting with Fedora Directory Server and trying to sync it to AD.

Setting up SSL for both and initiating sync was successful.

However, it seems that DN in AD is constructed from the CN, which is the full name. However, that's nigh impossible, since DN has a unique constraint, but full names are seldom unique, and particularly not here in Iceland. For example, my organization has at least 10 people called "Kristín Jónsdóttir".

I regard AD as broken by design in this regard. My question is, can this be fixed? What would be the right way to approach this problem?

--
Elías Halldór Ágústsson        | Elias Halldor Agustsson
Unix Kerfisstjóri              | Unix Systems Administrator
Reiknistofnun Háskóla Íslands  | University of Iceland Computing Services
http://elias.rhi.hi.is/        | +354 525 4903
David Boreham
2006-Apr-28 15:21 UTC
Re: [Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints.
> I regard AD as broken by design in this regard. My question is, can
> this be fixed? What would be the right way to approach this problem?

Yes it's broken by design. As far as I know the way to work around it is to assign unique CN's (e.g. include middle initials, something like that).
George Holbert
2006-Apr-28 18:32 UTC
Re: [Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints.
Elias,

I agree with you that AD is wrong on this.

I believe that CN is a multivalued attribute (at least in FDS). So, if it's any help, you could have unique CNs that are used in the entries' DNs, and optionally have additional CNs that may not be unique. e.g.,

    dn: cn=Kristín Jónsdóttir_00,ou=people,dc=example,dc=edu
    cn: Kristín Jónsdóttir_00
    cn: Kristín Jónsdóttir
    telephoneNumber: 123-456-7890
    ...

The "_00" unique suffix is just an example, you could use whatever you like of course.

Elías Halldór Ágústsson wrote:
> We are experimenting with Fedora Directory Server and trying to sync
> it to AD.
>
> Setting up SSL for both and initiating sync was successful.
>
> However, it seems that DN in AD is constructed from the CN, which is
> the full name. However, that's nigh impossible, since DN has a unique
> constraint, but full names are seldom unique, and particularly not
> here in Iceland. For example, my organization has at least 10 people
> called "Kristín Jónsdóttir".
>
> I regard AD as broken by design in this regard. My question is, can
> this be fixed? What would be the right way to approach this problem?
>
Elías Halldór Ágústsson
2006-May-03 15:02 UTC
Re: [Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints.
> I believe that CN is a multivalued attribute (at least in FDS). So, if
> it's any help, you could have unique CNs that are used in the entries'
> DNs, and optionally have additional CNs that may not be unique.

That works well in FDS, but not in AD, and entry DNs with multivalued CNs won't sync over.

--
Elías Halldór Ágústsson        | Elias Halldor Agustsson
Unix Kerfisstjóri              | Unix Systems Administrator
Reiknistofnun Háskóla Íslands  | University of Iceland Computing Services
http://elias.rhi.hi.is/        | +354 525 4903
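The thread settles on David's workaround (one unique CN per entry, used as the RDN) because, as Elías reports, entries with a multivalued cn do not sync to AD. The script below is an added example written for this page, not code from the list or from Fedora Directory Server. It takes a constructed list of people, suffixes the cn only where full names collide (the "_00" style from George's LDIF), verifies that no two entries would end up with the same RDN before anything is written, and emits LDIF with a single-valued cn. It keeps the human-readable full name in displayName, which is an assumption of this example rather than something the thread prescribes, and it base64-encodes attribute values that plain LDIF cannot carry verbatim (RFC 2849), which matters for Icelandic names.

```python
# Added example for the FDS -> AD CN uniqueness discussion. Not the project's code.
# Assumptions: entries use inetOrgPerson, the full name is kept in displayName,
# and collisions are disambiguated with a zero-padded numeric suffix.
import base64
from collections import defaultdict

# Constructed sample data: three people share one full name, one does not.
PEOPLE = [
    {"uid": "kj01", "fullName": "Kristín Jónsdóttir", "mail": "kj01@example.edu"},
    {"uid": "kj02", "fullName": "Kristín Jónsdóttir", "mail": "kj02@example.edu"},
    {"uid": "eha",  "fullName": "Elías Halldór Ágústsson", "mail": "eha@example.edu"},
    {"uid": "kj03", "fullName": "Kristín Jónsdóttir", "mail": "kj03@example.edu"},
]


def rdn_escape(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 special characters)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def assign_unique_cns(people):
    """Map uid -> cn. Unique full names are used as-is; colliding ones get _NN suffixes."""
    by_name = defaultdict(list)
    for p in people:
        by_name[p["fullName"]].append(p["uid"])
    cns = {}
    for name, uids in by_name.items():
        if len(uids) == 1:
            cns[uids[0]] = name
        else:
            # Sort so the numbering is deterministic across runs of the same input.
            for n, uid in enumerate(sorted(uids)):
                cns[uid] = f"{name}_{n:02d}"
    return cns


def check_unique(cns):
    """Fail before export if two entries would share an RDN; directory servers compare cn case-insensitively."""
    seen = {}
    for uid, cn in cns.items():
        key = cn.casefold()
        if key in seen:
            raise ValueError(f"cn collision: {uid} and {seen[key]} both map to {cn!r}")
        seen[key] = uid
    return True


def ldif_attr(name: str, value: str) -> str:
    """One LDIF line; values that are not SAFE-STRINGs (non-ASCII, leading space/colon/<) are base64-encoded."""
    safe = value.isascii() and value[:1] not in (" ", ":", "<") and "\n" not in value
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(people, base="ou=people,dc=example,dc=edu") -> str:
    """Render single-cn entries (AD-syncable RDNs) as LDIF, refusing to export on any RDN collision."""
    cns = assign_unique_cns(people)
    check_unique(cns)
    entries = []
    for p in people:
        cn = cns[p["uid"]]
        entries.append("\n".join([
            ldif_attr("dn", f"cn={rdn_escape(cn)},{base}"),
            "objectClass: inetOrgPerson",
            ldif_attr("cn", cn),
            ldif_attr("sn", p["fullName"].split()[-1]),
            ldif_attr("displayName", p["fullName"]),
            ldif_attr("uid", p["uid"]),
            ldif_attr("mail", p["mail"]),
        ]))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(to_ldif(PEOPLE))
```

Because the suffix is derived from the set of colliding uids, adding a new person with an already-used full name can renumber the existing entries, which is exactly the "CN changes" the subject line refers to. A production version would record the assigned cn alongside the account (or derive the suffix from an immutable identifier such as the uid) so that an entry's RDN never moves after it has been synced.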