
Thread: LDAP Groups samaccountname vs displayname

  1. #1
    Join Date
    Nov 2007
    Posts
    74

    LDAP Groups samaccountname vs displayname

    I'm currently using AD on a corporate network with 8.05.2 on Windows, and I've tried the suggestions in the other two related posts with no luck so far.

    When using the 'groupquery' setting: (&(samAccountName=$1)(objectCategory=group)), I can add groups by their samAccountName without a problem (and usually that's the same as their cn, displayname, and name). However, a fair amount of the time the samAccountName is different from the displayname/name, and as a result, I have to go into ADSI edit to figure out what it is, which I would do if that also didn't mean that users would then have to know the samAccountName to assign permissions as well.

    So I tried using:
    (&(cn=$1)(objectCategory=group))
    (&(name=$1)(objectCategory=group))
    (&(displayname=$1)(objectCategory=group))
    and removing the setting altogether, and mainly the same issues occurred, as follows:

    If the samaccountname was the same as the name being added, everything worked perfectly. If the two differed, the following error occurred:
    Group '#SE - AMERICAS' not found in the external authentication provider

    Additionally, giving bunk group names gave the following error:
    Group '#SE - AMERADFAD' not found

    So it's hitting it somehow and then getting a different error? MaxM, do you have the link to the source for the service? It may be helpful if I can understand it a bit better.

  2. #2
    Join Date
    Oct 2006
    Location
    San Diego (PB!)
    Posts
    787


    Hey Mike,

    I added links to the source from the spec page http://wiki.developer.mindtouch.com/...Authentication

    The group name looked up by the LDAP service has to be the same name as the record's attribute pointed to by groupnameattribute.

    groupnameattribute:
    LDAP attribute for retrieving a group name. Provide an attribute to always use rather than trying a series of common attributes. Default: attempts to use sAMAccountName -> uid -> name -> cn.
    Deki uses this to verify that the queried name is the same as the record found by the auth service. Set groupnameattribute to the same attribute as what's used in the groupquery setting and you should be ok as it will either find or not find records but the returning name will be consistent.
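
An added illustration of the check described in the reply above, showing why a groupquery on displayname fails until groupnameattribute names the same attribute. This is not MindTouch's code and not part of either post: the directory record, the helper names (`lookup_group`, `search`, `attr`), the result labels and the case-insensitive comparison are assumptions made for the example.

```python
import re

# Constructed sample record: an AD group whose sAMAccountName differs from
# its displayName (values are illustrative, not from the thread's directory).
DIRECTORY = [{"objectCategory": "group", "sAMAccountName": "SE-AMER",
              "cn": "SE-AMER", "name": "SE-AMER",
              "displayName": "#SE - AMERICAS"}]
# Default lookup order quoted in the reply above.
DEFAULT_NAME_ATTRS = ["sAMAccountName", "uid", "name", "cn"]

def attr(record, name):
    """LDAP attribute names are case-insensitive."""
    return next((v for k, v in record.items() if k.lower() == name.lower()), None)

def escape_filter_value(value):
    """RFC 4515 escaping, so the substituted name cannot change the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(ldap_filter):
    """Minimal matcher for (&(attr=value)(attr=value)) filters only."""
    pairs = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    return [r for r in DIRECTORY
            if all((attr(r, a) or "").lower() == unescape(v).lower()
                   for a, v in pairs)]

def lookup_group(requested, groupquery, groupnameattribute=None):
    """Hypothetical model: query, then compare the returned name to the request."""
    found = search(groupquery.replace("$1", escape_filter_value(requested)))
    if not found:
        return "no-match"              # the query returned no record
    candidates = [groupnameattribute] if groupnameattribute else DEFAULT_NAME_ATTRS
    returned = next((attr(found[0], a) for a in candidates if attr(found[0], a)), None)
    if returned is None or returned.lower() != requested.lower():
        return "name-mismatch"         # record found, but it reports another name
    return "ok"

if __name__ == "__main__":
    q = "(&(displayname=$1)(objectCategory=group))"
    print(lookup_group("#SE - AMERICAS", q))                  # name-mismatch
    print(lookup_group("#SE - AMERICAS", q, "displayname"))   # ok
    print(lookup_group("#SE - AMERADFAD", q, "displayname"))  # no-match
```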
