Hi,
We are currently using 389-DS as an LDAP server for our university (University Politehnica from Bucharest). Right now we have about 35000 accounts created in the 389-DS. We need to synchronize all the accounts with an Active Directory server for various purposes (Wifi authentication/e-mail authentication, etc.). I've set up the 389-DS / Active Directory replication successfully but we have a design problem: a very high number of users have a username (uid: field) larger than 20 characters and I can't pass this uid to the ntUserDomainId (which is equivalent to the sAMAccount in AD). Is there any way that I can populate the userPrincipalName with this uid? (which does not have the limit indicated above)
Thank you in advance, Mihai
On 07/22/2014 04:05 AM, Mihai Carabas wrote:
> Hi,
> We are currently using 389-DS as an LDAP server for our university (University Politehnica from Bucharest). Right now we have about 35000 accounts created in the 389-DS. We need to synchronize all the accounts with an Active Directory server for various purposes (Wifi authentication/e-mail authentication, etc.). I've set up the 389-DS / Active Directory replication successfully but we have a design problem: a very high number of users have a username (uid: field) larger than 20 characters and I can't pass this uid to the ntUserDomainId (which is equivalent to the sAMAccount in AD). Is there any way that I can populate the userPrincipalName with this uid? (which does not have the limit indicated above)
Is the problem that the 389 uid attribute has values greater than 20 characters, and when windows sync adds these users to AD, it tries to write the uid value into the samAccountName field, and this is rejected because the samAccountName field does not allow more than 20 characters? So you want to instead write the uid attribute value to the userPrincipalName field? I think we would still need to write some value to samAccountName - what value should we use?
> Thank you in advance, Mihai
-- 
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
On Tue, Jul 22, 2014 at 4:43 PM, Rich Megginson rmeggins@redhat.com wrote:
> On 07/22/2014 04:05 AM, Mihai Carabas wrote:
> > Hi,
> > We are currently using 389-DS as an LDAP server for our university (University Politehnica from Bucharest). Right now we have about 35000 accounts created in the 389-DS. We need to synchronize all the accounts with an Active Directory server for various purposes (Wifi authentication/e-mail authentication, etc.). I've set up the 389-DS / Active Directory replication successfully but we have a design problem: a very high number of users have a username (uid: field) larger than 20 characters and I can't pass this uid to the ntUserDomainId (which is equivalent to the sAMAccount in AD). Is there any way that I can populate the userPrincipalName with this uid? (which does not have the limit indicated above)
> Is the problem that the 389 uid attribute has values greater than 20 characters, and when windows sync adds these users to AD, it tries to write the uid value into the samAccountName field, and this is rejected because the samAccountName field does not allow more than 20 characters? So you
Yes, this is my main problem. If you have other suggestions/solutions they are welcome (we can't modify the usernames because these usernames are already used and stored by various applications in their own databases and we would create chaos).
> want to instead write the uid attribute value to the userPrincipalName field? I think we would still need to write some value to samAccountName - what value should we use?
I can generate a unique value for each of them, based on some other INFO (like personal number, date of birth).
Thanks, Mihai
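The constraint under discussion is that Windows sync copies uid into sAMAccountName, which AD caps at 20 characters, while userPrincipalName has no such limit. Before changing anything in the sync, an administrator would want to know exactly which entries will be rejected and to have a deterministic, collision-free fallback value ready for sAMAccountName. The script below is an added example, not code from the thread or from 389-DS: it parses a constructed LDIF sample, flags every uid that AD would reject (too long, or containing characters sAMAccountName does not accept), keeps the full uid for userPrincipalName, and derives a 20-character fallback sAMAccountName (12-character prefix plus a SHA-256 suffix) while enforcing case-insensitive uniqueness against the whole account set. The fallback scheme and the `example.edu` UPN suffix are assumptions of this example, not what the thread's participants chose.

```python
"""Audit 389-DS uid values against AD's 20-character sAMAccountName limit and
derive a unique fallback sAMAccountName for the ones that would be rejected.

Added example (not from the mailing-list thread or the 389-DS project).
The LDIF below is constructed sample data; the uid values are invented.
"""
import hashlib
import re

SAM_MAX_LEN = 20                       # AD sAMAccountName length limit (from the thread)
UPN_SUFFIX = "example.edu"             # assumed UPN realm for userPrincipalName
# Characters AD does not accept in sAMAccountName (documented AD constraint).
SAM_BAD_CHARS = re.compile(r'["/\\\[\]:;|=,+*?<>]')

# Constructed sample LDIF (no line folding, no base64 values).
SAMPLE_LDIF = """\
dn: uid=ion.popescu,ou=People,dc=example,dc=edu
uid: ion.popescu
cn: Ion Popescu

dn: uid=alexandra.constantinescu,ou=People,dc=example,dc=edu
uid: alexandra.constantinescu
cn: Alexandra Constantinescu

dn: uid=alexandra.constantinescu2,ou=People,dc=example,dc=edu
uid: alexandra.constantinescu2
cn: Alexandra Constantinescu

dn: uid=short,ou=People,dc=example,dc=edu
uid: short
cn: Short Name
"""


def parse_ldif_uids(text):
    """Return the uid value of each entry in a simple, unfolded LDIF dump."""
    uids = []
    for block in text.strip().split("\n\n"):
        for line in block.splitlines():
            if line.startswith("uid: "):
                uids.append(line[len("uid: "):].strip())
                break
    return uids


def needs_fallback(uid):
    """True if AD would reject this uid as a sAMAccountName value."""
    return len(uid) > SAM_MAX_LEN or SAM_BAD_CHARS.search(uid) is not None


def derive_sam(uid, taken):
    """Hypothetical fallback scheme (assumption of this example):
    12-char sanitized prefix + '-' + 7 hex chars of SHA-256(uid) = 20 chars.
    Slides along the digest until the candidate is unique within `taken`."""
    prefix = SAM_BAD_CHARS.sub("", uid)[:12]
    digest = hashlib.sha256(uid.encode("utf-8")).hexdigest()
    for i in range(len(digest) - 7 + 1):
        candidate = f"{prefix}-{digest[i:i + 7]}"
        if candidate.lower() not in taken:
            return candidate
    raise ValueError(f"could not derive a unique sAMAccountName for {uid!r}")


def plan_sync(uids):
    """Map uid -> (sAMAccountName, userPrincipalName).
    Short, valid uids keep their own value; the rest get a derived one.
    userPrincipalName always carries the full uid, as the thread proposes."""
    plan = {}
    # AD treats sAMAccountName case-insensitively, so reserve lower-cased values.
    taken = {u.lower() for u in uids if not needs_fallback(u)}
    for uid in uids:
        if not needs_fallback(uid):
            plan[uid] = (uid, f"{uid}@{UPN_SUFFIX}")
    for uid in uids:
        if needs_fallback(uid):
            sam = derive_sam(uid, taken)
            taken.add(sam.lower())
            plan[uid] = (sam, f"{uid}@{UPN_SUFFIX}")
    return plan


if __name__ == "__main__":
    for uid, (sam, upn) in plan_sync(parse_ldif_uids(SAMPLE_LDIF)).items():
        flag = "DERIVED" if sam != uid else "as-is  "
        print(f"{flag}  uid={uid:<28} sAMAccountName={sam:<20} userPrincipalName={upn}")
```

Running it against a real 389-DS export (`ldapsearch ... uid` piped into a file, or `db2ldif` output) gives the list of accounts that would fail the sync and a proposed value for each; the hash suffix keeps the fallback stable across runs, so re-running the audit after new accounts are created never changes an already-assigned value unless a genuine collision forces the digest window to slide.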
On 07/22/2014 07:56 AM, Mihai Carabas wrote:
> On Tue, Jul 22, 2014 at 4:43 PM, Rich Megginson rmeggins@redhat.com wrote:
> > On 07/22/2014 04:05 AM, Mihai Carabas wrote:
> > > Hi,
> > > We are currently using 389-DS as an LDAP server for our university (University Politehnica from Bucharest). Right now we have about 35000 accounts created in the 389-DS. We need to synchronize all the accounts with an Active Directory server for various purposes (Wifi authentication/e-mail authentication, etc.). I've set up the 389-DS / Active Directory replication successfully but we have a design problem: a very high number of users have a username (uid: field) larger than 20 characters and I can't pass this uid to the ntUserDomainId (which is equivalent to the sAMAccount in AD). Is there any way that I can populate the userPrincipalName with this uid? (which does not have the limit indicated above)
> > Is the problem that the 389 uid attribute has values greater than 20 characters, and when windows sync adds these users to AD, it tries to write the uid value into the samAccountName field, and this is rejected because the samAccountName field does not allow more than 20 characters? So you
> Yes, this is my main problem. If you have other suggestions/solutions they are welcome (we can't modify the usernames because these usernames are already used and stored by various applications in their own databases and we would create chaos).
I don't think it is possible to solve this problem currently. Please file a ticket at https://fedorahosted.org/389/newticket
> > want to instead write the uid attribute value to the userPrincipalName field? I think we would still need to write some value to samAccountName - what value should we use?
> I can generate a unique value for each of them, based on some other INFO (like personal number, date of birth).
> Thanks, Mihai
> I don't think it is possible to solve this problem currently. Please file a ticket at https://fedorahosted.org/389/newticket
I opened a ticket [1]
Thanks, Mihai