MSAD Quirks

From Authentication Tools for Joomla! (JAuthTools)

Revision as of 12:42, 11 August 2009 by Pasamio (Talk | contribs)

Microsoft Active Directory is an "almost" compliant implementation of LDAP complete with quirks and pitfalls that have caught even the most advanced Active Directory administrator. Whilst Microsoft makes integrating look easy with its partners, the truth of the matter is often a lot more complicated. This page documents all sorts of strange quirks with Active Directory that might catch some people.


Usernames

Active Directory doesn't have just one username, it has three potentially different usernames. They are represented in the LDAP view of Active Directory as the following attributes:

  • CN - Common Name (this is the name that appears in the listing of users in Active Directory Users and Computers)
  • sAMAccountName - This is the pre-Windows 2000 logon name, without the domain part (i.e. what follows DOMAIN\)
  • userPrincipalName - The user principal name (UPN) is the post-Windows 2000 name, and takes the form username@sitename

Of the three, the CN is the one used, joined with the container's DN, to form the user's DN when connecting via LDAP. For all intents and purposes the Organisational Unit structures of Active Directory are simply views on users. The sAMAccountName and userPrincipalName attributes must also be unique within the forest (yes, it would appear Microsoft lets you do this even though they say it will break things). The CN, when joined with its DN, is the only identifier that retains the Organisational Unit (OU) information; because of this it only needs to be unique within the container it sits in, not across the entire forest like the other two user names.

Case sensitive

Active Directory is case sensitive. For everything. Including user names and distinguished names (DN).

DN Syntax

Active Directory Distinguished Names follow this format:

  • DC=site,DC=name,DC=com

Where your site name is site.name.com

There are some interesting side effects of the way Active Directory names its container structures. Under the first layer of the AD tree is the "Users" container, designated CN=Users,DC=site,DC=name,DC=com. An organisational unit is normally designated OU=Name, but again remember that this is case sensitive. As a general rule of thumb, any container that exists when an AD site is initialised is prefixed "CN=", whereas the organisational units created by the end user are all prefixed "OU=".
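As an added example (not code from JAuthTools or from this page), the username and DN rules above expressed in Python: the DNS domain becomes a DC= chain, the built-in Users container is addressed with CN= while user-created OUs use OU=, and attribute values are escaped per RFC 4514 so a CN containing a comma (common for AD display names such as "Smith, John") cannot break or alter the DN. It assumes the UPN suffix equals the DNS domain, as the username@sitename form implies.

```python
# Characters RFC 4514 requires to be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                 # NUL is written as a hex pair
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)              # e.g. "Smith, John" -> "Smith\, John"
        elif ch == "#" and i == 0:
            out.append("\\#")                  # leading '#' would start a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                  # leading/trailing spaces are significant only if escaped
        else:
            out.append(ch)
    return "".join(out)


def domain_to_base_dn(dns_domain: str) -> str:
    """site.name.com -> DC=site,DC=name,DC=com"""
    labels = [p for p in dns_domain.strip(".").split(".") if p]
    return ",".join("DC=" + escape_dn_value(p) for p in labels)


def user_dn(cn: str, dns_domain: str, ous=()) -> str:
    """Build the DN used to bind as a user.

    ous is the chain of user-created organisational units from the user upwards
    (innermost first); an empty chain means the built-in Users container, which
    AD names with CN= rather than OU=.
    """
    container = ",".join("OU=" + escape_dn_value(ou) for ou in ous) or "CN=Users"
    return "CN=%s,%s,%s" % (escape_dn_value(cn), container, domain_to_base_dn(dns_domain))


def name_forms(sam_account_name: str, netbios_domain: str, dns_domain: str) -> dict:
    """The pre-2k (DOMAIN\\user) and post-2k (user@site) spellings of one account.
    Assumption: the UPN suffix is the DNS domain name."""
    return {
        "sAMAccountName": sam_account_name,
        "downLevel": "%s\\%s" % (netbios_domain, sam_account_name),
        "userPrincipalName": "%s@%s" % (sam_account_name, dns_domain),
    }
```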

Groups and OU's

Active Directory doesn't appear to permit applying permissions to OUs, which makes them a purely cosmetic construct, unlike other systems such as Novell eDirectory that permit associating permissions with them. Active Directory features two types of groups: distribution groups, which appear to be mailing lists, and security groups, which appear to be capable of being used for security administration and permission purposes.

So Active Directory's solution is that you can nest groups, though there are complications. Nested groups are only available with AD running in Windows 2000 native mode or better, and Windows Server 2003 or lower installs in mixed mode by default. Windows Server 2008 now asks what forest and domain functional level you want by default, which is a nice touch; they've removed mixed mode, so 2000 is the minimum level anyway. So if it looks like you can't nest groups, check that your domain is running in at least 2000 native mode by right-clicking on your site and clicking "Change Mode" (Windows 2000) or "Raise Domain Functional Level" (Windows 2003).

