Rod Widdowson rdw at
Wed Nov 21 10:03:15 EST 2012

> Don't really want to use a deprecated method.

I hear you, but in the space in which you are working it is very common.
Although I cannot predict the future, I would say that it is unlikely that
the deprecated status of this connector will cause you too much pain going
forward (precisely because of the number of people using this).

> I can set this up but is this the way to go ?

Unless you are in the edugate federation I would say not.  In general you
should look at the documentation as the primary source and
then the documentation for your federation as your secondary source.

In your case
seems apposite.  Note in particular that it recommends using the computed ID
connector.  Also note the need to release the old, hideous, and nasty
on-the-wire format for eptid.

> Where is the commonname? In my Microsoft AD entry I have a cn, is that
> what I should use?

I wouldn't use that.  You need to use a seed which is guaranteed against
reuse.  objectSid is a really good candidate (but note that it is binary).

Finally I suggest that you look at
ory/ShibConfig/conf-tmlp/  This is the overall configuration which is fed
into the Windows quick installer, which is specifically targeted against
Active Directory.
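An added example (mine, not code from this thread or from the Shibboleth project) showing why objectSid works as a seed even though it is binary: it decodes a constructed objectSid into its stable S-1-5-... text form and derives a computed-ID-style value from it. The relyingPartyId!sourceId!salt construction with SHA-1 and base64 is my reading of the IdP v2 computed ID connector and should be checked against the IdP documentation; the SID bytes and salt are made up.

```python
import base64
import hashlib
import struct

# Constructed sample objectSid, laid out as AD returns it over LDAP:
# revision (1 byte), sub-authority count (1 byte), 48-bit identifier
# authority (big-endian), then 32-bit sub-authorities (little-endian).
# Sub-authorities here: 21, 0x80000000, 0xffffffff, 1 and RID 1000.
SAMPLE_OBJECTSID = bytes.fromhex(
    "01 05 00 00 00 00 00 05"
    "15 00 00 00 00 00 00 80 ff ff ff ff 01 00 00 00 e8 03 00 00"
)

# Constructed salt; a real deployment keeps its salt secret and never changes it.
SAMPLE_SALT = b"this-is-a-constructed-salt-value"


def sid_to_string(sid: bytes) -> str:
    """Render a binary objectSid in its canonical S-R-A-S1-S2-... text form.

    The text form is a stable, printable seed: it does not change when the
    user's cn or DN is renamed, which is exactly what a computed ID needs.
    """
    if len(sid) < 8:
        raise ValueError("objectSid too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def computed_id(relying_party_id: str, source_id: str, salt: bytes) -> str:
    """base64(SHA-1(relyingPartyId + '!' + sourceId + '!' + salt)).

    Assumed construction, modelled on the IdP v2 computed ID connector.
    The value is per relying party, so two SPs cannot correlate the same user.
    """
    digest = hashlib.sha1()
    for part in (relying_party_id.encode("utf-8"), b"!",
                 source_id.encode("utf-8"), b"!", salt):
        digest.update(part)
    return base64.b64encode(digest.digest()).decode("ascii")


if __name__ == "__main__":
    seed = sid_to_string(SAMPLE_OBJECTSID)
    print(seed, computed_id("https://sp.example.org/shibboleth", seed, SAMPLE_SALT))
```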


