Is there any reason to use cn vs. uid for a user login? I would like people to be able to use uid=... as their binddn, and leave cn as the user's full name. I'm just not sure how this works, or why for that matter.

1. The LDAP browser tool that I am using displays a tree view of my LDAP entries. In the tree, it displays the cn for each user (which in my opinion should be the full name).

2. When a Linux user logs in, LDAP binds as the user logging in with 'cn=userid,ou=...'. I'm not sure how it knows to use cn rather than uid, and I don't see anywhere to specify that. So, my usernames are all stored as cn.

3. Thunderbird's address book displays the cn as the person's full name. In my case, that means that you see everyone's username instead of their real name. It does not respect the displayname attribute like Outlook does. There is a workaround in 'user.js' but that would be a real pain to set up on everyone's computer.

I believe my solution would be to have each user's dn use uid rather than cn. Is this the correct approach? Is this possible?
Erg. I thought I had it, but something is blocking me from doing
this update. Can anyone help me find where my constraint is?
[root@rhds ~]# ldapmodify -x -W -D cn=DirectoryManager
dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com
changetype: modify
replace: dn
dn: uid=testy,ou=users,ou=people,dc=mydomain,dc=com

modifying entry "cn=testy,ou=users,ou=people,dc=mydomain,dc=com"
ldapmodify: Object class violation (65)
additional info: attribute "dn" not allowed

[root@rhds ~]# ldapmodify -x -W -D cn=DirectoryManager
dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com
changetype: modify
newRDN: uid=testy
deleteOldRDN: 1

modifying entry "cn=testy,ou=users,ou=people,dc=mydomain,dc=com"
ldapmodify: Object class violation (65)
additional info: attribute "newRdn" not allowed
________________________________
From: Dumbo Q <dumboq@yahoo.com>
To: fedora-directory-users@redhat.com
Sent: Monday, June 22, 2009 2:00:11 PM
Subject: [389-users] using uid rather then cn in the binddn
Nathan Kinder
2009-Jun-22 20:30 UTC
Re: [389-users] using uid rather then cn in the binddn
Dumbo Q wrote:
> Erg. I thought I had it, but something is blocking me from doing this
> update. Can anyone help me find where my constraint is?
> <snip>
> [root@rhds ~]# ldapmodify -x -W -D cn=DirectoryManager
> dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com
> changetype: modify
> newRDN: uid=testy
> deleteOldRDN: 1
>
> modifying entry "cn=testy,ou=users,ou=people,dc=mydomain,dc=com"
> ldapmodify: Object class violation (65)
> additional info: attribute "newRdn" not allowed

You need to perform a "modrdn" operation instead of a regular modify. Try the above, but change your "changetype" to "modrdn". You may also find that you don't want to delete the old RDN from the entry, particularly if that is the only "cn" value present in your entry. Doing so would cause an objectclass violation since "cn" is likely required for the objectclass you are using.

--
389 users mailing list
389-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Nathan Kinder
2009-Jun-22 20:46 UTC
Re: [389-users] using uid rather then cn in the binddn
Dumbo Q wrote:
> Thanks. I tried that, but now it tells me
> ldapmodify: Object class violation (65)
> additional info: missing attribute "cn" required by object class "inetOrgPerson"
>
> Being that the entry has a 'cn', I guess this means that somewhere I have it
> set up where the dn requires the cn to be in it??? Any thoughts?

Are you still specifying "deleteOldRDN: 1"? As I mentioned, you shouldn't be doing that as it will delete the old RDN value from the entry, which is your "cn". Since "cn" is required by the "inetOrgPerson" objectclass, this is an objectclass violation. Try specifying "deleteOldRDN: 0".
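The modrdn and deleteOldRDN behaviour described in both of Nathan Kinder's replies, as an added example that is not from the thread or from 389 Directory Server: a small Python model of what the server does to the entry on a modrdn from cn=testy to uid=testy, and why deleteOldRDN: 1 fails the inetOrgPerson MUST check when "testy" is the only cn value. The sample entry, the collapsed one-line schema table and the error text are constructed here, not taken from a real server.

```python
from copy import deepcopy

# Simplified schema (assumption): cn and sn are MUST attributes inherited from
# person; the chain is collapsed onto inetOrgPerson so the violation text
# matches the message the server gave in the thread.
MUST = {"inetorgperson": {"cn", "sn"}}

# Constructed entry with the thread's DN; its only cn value is the login name.
TESTY = {"dn": "cn=testy,ou=users,ou=people,dc=mydomain,dc=com",
         "attrs": {"objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
                   "cn": ["testy"], "sn": ["Tester"], "uid": ["testy"]}}

def modrdn_ldif(dn, new_rdn, delete_old_rdn):
    """LDIF change record for ldapmodify: changetype modrdn, not modify."""
    return (f"dn: {dn}\nchangetype: modrdn\n"
            f"newrdn: {new_rdn}\ndeleteoldrdn: {int(delete_old_rdn)}\n")

def apply_modrdn(entry, new_rdn, delete_old_rdn):
    """Apply modrdn semantics (RFC 4511 section 4.9) to a copy of the entry and
    enforce MUST attributes, raising the server's error text on a violation."""
    old_rdn, _, parent = entry["dn"].partition(",")
    old_attr, old_val = (s.strip() for s in old_rdn.split("=", 1))
    new_attr, new_val = (s.strip() for s in new_rdn.split("=", 1))
    attrs = deepcopy(entry["attrs"])
    # The new RDN value becomes an attribute value of the entry if not already one.
    vals = attrs.setdefault(new_attr.lower(), [])
    if new_val.lower() not in (v.lower() for v in vals):
        vals.append(new_val)
    # deleteoldrdn: 1 removes only the old RDN *value*; when that was the sole
    # cn value the cn attribute disappears, which is what failed in the thread.
    if delete_old_rdn:
        kept = [v for v in attrs.get(old_attr.lower(), [])
                if v.lower() != old_val.lower()]
        if kept:
            attrs[old_attr.lower()] = kept
        else:
            attrs.pop(old_attr.lower(), None)
    # Schema check modelled on the server's objectclass violation (error 65).
    for oc in attrs.get("objectclass", []):
        for must in sorted(MUST.get(oc.lower(), ())):
            if must not in attrs:
                raise ValueError('Object class violation (65): missing attribute '
                                 f'"{must}" required by object class "{oc}"')
    return {"dn": f"{new_rdn},{parent}", "attrs": attrs}

if __name__ == "__main__":
    print(modrdn_ldif(TESTY["dn"], "uid=testy", False))
    print(apply_modrdn(TESTY, "uid=testy", False)["dn"])
```

With a second cn value holding the full name, deleteOldRDN: 1 succeeds and leaves only the full name in cn, which is the end state the original question asked for.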
Thanks. I tried that, but now it tells me

ldapmodify: Object class violation (65)
additional info: missing attribute "cn" required by object class "inetOrgPerson"

Being that the entry has a 'cn', I guess this means that somewhere I have it set up where the dn requires the cn to be in it??? Any thoughts?
________________________________
From: Nathan Kinder <nkinder@redhat.com>
To: General discussion list for the 389 Directory server project.
<fedora-directory-users@redhat.com>
Sent: Monday, June 22, 2009 4:30:53 PM
Subject: Re: [389-users] using uid rather then cn in the binddn
Dumbo Q
2009-Jun-22 21:07 UTC
(Solved) Re: [389-users] using uid rather then cn in the binddn
I'm sorry, I missed that part. Using modrdn with deleteOldRDN: 0 worked perfectly. Thanks.
________________________________
From: Nathan Kinder <nkinder@redhat.com>
To: General discussion list for the 389 Directory server project. <fedora-directory-users@redhat.com>
Sent: Monday, June 22, 2009 4:46:44 PM
Subject: Re: [389-users] using uid rather then cn in the binddn