MSAD Quirks
From Authentication Tools for Joomla! (JAuthTools)
(New page: Microsoft Active Directory is an "almost" compliant implementation of LDAP complete with quirks and pitfalls that have caught even the most advanced Active Directory administrator. Whilst ...)
Newer edit →
Revision as of 14:04, 26 December 2007
Microsoft Active Directory is an "almost" compliant implementation of LDAP complete with quirks and pitfalls that have caught even the most advanced Active Directory administrator. Whilst Microsoft makes integrating look easy with its partners, the truth of the matter is often a lot more complicated. This page documents all sorts of strange quirks with Active Directory that might catch some people.
Contents |
Usernames
Active Directory doesn't have just one username, it has three potentially different usernames. They are represented in the LDAP view of Active Directory as the following attributes:
- CN - Common Name (this is the name that appears in the listing of users in Active Directory Users and Computers)
- sAMAccountName - This is the pre-2k name, sans the domain part (e.g. DOMAIN\)
- userPrincipalName - The user principal name (UPN) is the post-2k name, and is in the form username@sitename
Of the three, the CN is the one that is used when connecting via LDAP to form the DN of the user. For all intensive purposes the Organisation Unit structures of Active Directory are simply views on users. The sAMAccountName and userPrincipalName attributes must also be unique within the forest (yes, it would appear Microsoft lets you do this even though they say it will break things). The CN, when joined with its DN is the only identifier that retains the Organisational Unit information.
Case sensitive
Active Directory is case sensitive. For everything. Including user names and distinguished names (DN).
DN Syntax
Active Directory Distinguished Names follow this format:
- DC=site,DC=name,DC=com
Where your site name is site.name.com
