MSAD Quirks

From Authentication Tools for Joomla! (JAuthTools)

Revision as of 12:26, 9 June 2009 by Pasamio (Talk | contribs)

Microsoft Active Directory is an "almost" compliant implementation of LDAP, complete with quirks and pitfalls that have caught even the most advanced Active Directory administrators. Whilst Microsoft makes integration look easy with its partners, the truth of the matter is often a lot more complicated. This page documents the strange Active Directory quirks that are most likely to catch people out.


Usernames

Active Directory doesn't have just one username, it has three potentially different usernames. They are represented in the LDAP view of Active Directory as the following attributes:

  • CN - Common Name (this is the name that appears in the listing of users in Active Directory Users and Computers)
  • sAMAccountName - This is the pre-Windows 2000 name, without the domain prefix (i.e. the DOMAIN\ part)
  • userPrincipalName - The user principal name (UPN) is the post-Windows 2000 name, in the form username@sitename

Of the three, the CN is the one that is used when connecting via LDAP to form the DN of the user. For all intents and purposes the Organisational Unit structures of Active Directory are simply views on users. The sAMAccountName and userPrincipalName attributes are also supposed to be unique within the forest (yes, it would appear Microsoft lets you create duplicates even though they say it will break things). The CN, when joined with its DN, is the only identifier that retains the Organisational Unit (OU) information. Because of this it only needs to be unique within the container it is in, not the entire forest like the other two user names.

Case sensitive

Active Directory is case sensitive. For everything. Including user names and distinguished names (DN).

DN Syntax

Active Directory Distinguished Names follow this format:

  • DC=site,DC=name,DC=com

Where your site name is site.name.com

There are some interesting side effects of the way Active Directory names its container structures. Under the first layer of the AD tree is the "Users" container, which is designated by CN=Users,DC=site,DC=name,DC=com. An organisational unit is normally designated like OU=Name, but again remember that this is case sensitive. As a general rule of thumb, any container that an AD site has when it is initialised has the prefix "CN=" on its name, whereas the organisational units created by the end user are all "OU=".
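The following is an added example, not code from JAuthTools or the wiki, that ties the Usernames and DN Syntax sections together: it works out which of the three AD username attributes a login-form value corresponds to, builds a search filter for it with RFC 4515 escaping (so a crafted login cannot rewrite the filter), derives the DC= base DN from a domain name such as site.name.com, and assembles the CN-based bind DN for either the built-in CN=Users container or an admin-created OU. The sample directory entries, the domain name and the function names are constructed assumptions; a real deployment would replace SAMPLE_DIRECTORY with the result of an LDAP search.

```python
"""Resolve a login-form username to the DN an LDAP bind against Active
Directory needs, using the three AD username attributes (added example)."""
from typing import List, Optional, Tuple

# RFC 4515: characters that must be escaped inside an LDAP filter value,
# otherwise a login such as "*)(objectClass=*" changes the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for one attribute value inside a DN (e.g. a CN)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def base_dn_from_domain(domain: str) -> str:
    """site.name.com -> DC=site,DC=name,DC=com"""
    labels = [label for label in domain.strip().split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join("DC=" + escape_dn_value(label) for label in labels)


def classify_login(login: str) -> Tuple[str, str]:
    """Map what the user typed onto the AD attribute it matches:
    DOMAIN\\user -> sAMAccountName (pre-2000 form, prefix dropped),
    user@site -> userPrincipalName, bare name -> sAMAccountName."""
    if "\\" in login:
        _, _, user = login.partition("\\")
        return "sAMAccountName", user
    if "@" in login:
        return "userPrincipalName", login
    return "sAMAccountName", login


def user_search_filter(login: str) -> str:
    attr, value = classify_login(login)
    return f"(&(objectClass=user)({attr}={escape_filter_value(value)}))"


def user_dn(cn: str, container: str, domain: str) -> str:
    """Bind DN from the CN and its container: 'CN=Users' for the built-in
    container, 'OU=Name' (or 'OU=Inner,OU=Outer') for admin-created units."""
    return f"CN={escape_dn_value(cn)},{container},{base_dn_from_domain(domain)}"


# Constructed sample entries standing in for a real search result. Both
# users share a CN, which is allowed because they live in different containers.
SAMPLE_DIRECTORY: List[dict] = [
    {"dn": user_dn("Jane Doe", "CN=Users", "site.name.com"),
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@site.name.com"},
    {"dn": user_dn("Jane Doe", "OU=Contractors", "site.name.com"),
     "sAMAccountName": "jdoe2", "userPrincipalName": "jane.doe@site.name.com"},
]


def resolve_bind_dn(login: str, directory: List[dict] = SAMPLE_DIRECTORY) -> Optional[str]:
    """Return the single DN matching the login, or None for no match or
    duplicates (the page notes AD permits duplicate names; refuse to guess)."""
    attr, value = classify_login(login)
    # Exact comparison, preserving case as the page advises for AD names.
    matches = [entry["dn"] for entry in directory if entry.get(attr) == value]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for login in ("jdoe", "DOMAIN\\jdoe2", "jane.doe@site.name.com", "*)(objectClass=*"):
        print(login, "->", user_search_filter(login), "->", resolve_bind_dn(login))
```

The search filter is what goes to the directory to find the object; the DN it returns (CN plus container plus DC= base) is what the subsequent bind uses, which is why only the CN needs to be unique per container while the other two names are meant to be unique more widely.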

Related Links
