releasing AD group names
IAM David Bantz
dabantz at alaska.edu
Sat Apr 9 00:12:03 UTC 2022
On 08Apr2022 at 14:29:21, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
> Is this a common requirement?
>
> It's not safe, those names aren't unique. Consider two groups called
> CN=admin but with different OUs. Obvious problem there in the event of a
> mistake in configuration somewhere.
>
I made exactly that argument to the application admin, and provided a
similar example. The claim back is that AD enforces global uniqueness on
the CN of groups. An attempt to create just such a competing group with the
same CN in a different OU was denied with a message that the name already
existed (i.e., in another OU). “AD is not, strictly, an LDAP directory.” A
little surprising to me, and I wouldn’t want to stake my app’s security on
AD always enforcing that uniqueness, but the current behavior of AD seems
to insulate users against just this unsound practice. I’ll pull the CNs
only from the OU dedicated to that app in any case.
David
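The check David describes (release bare group CNs only when they come from the OU dedicated to the application, and refuse if that still leaves an ambiguous name) as an added Python example; it is not code from the thread, the Shibboleth IdP, or Active Directory. The group DNs, the OU name `OU=ResearchApp,OU=Groups,DC=example,DC=edu`, and the function names are constructed for illustration, and the DN parser assumes no RFC 4514 escaped commas in the values. In a deployment the DN list would come from the user's `memberOf` values or an LDAP search rather than the constants below.

```python
"""Check whether Active Directory group CNs are safe to release as bare names.

Added example, not part of the mailing-list thread. Input is a constructed
list of group distinguishedNames (assumption: no RFC 4514 escaped commas);
a real deployment would feed in the DNs from memberOf or an LDAP search.
"""
from collections import defaultdict

# Constructed sample: two groups share CN=admin in different OUs, which is
# exactly the ambiguity an application keying on a bare CN cannot resolve.
SAMPLE_GROUP_DNS = [
    "CN=admin,OU=Payroll,OU=Groups,DC=example,DC=edu",
    "CN=admin,OU=ResearchApp,OU=Groups,DC=example,DC=edu",
    "CN=viewer,OU=ResearchApp,OU=Groups,DC=example,DC=edu",
    "CN=Domain Admins,CN=Users,DC=example,DC=edu",
]

# Hypothetical OU dedicated to one application.
APP_OU = "OU=ResearchApp,OU=Groups,DC=example,DC=edu"


def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs; assumes no escaped commas."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]


def cn_of(dn):
    """Return the CN value of a group DN, refusing objects whose RDN is not a CN."""
    attr, value = split_dn(dn)[0]
    if attr.upper() != "CN":
        raise ValueError("first RDN is not a CN: " + dn)
    return value


def parent_of(dn):
    """Return the DN of the container holding the object (everything after the first RDN)."""
    return dn.split(",", 1)[1]


def cn_collisions(dns):
    """Map each CN (compared case-insensitively, as AD does) to the DNs carrying it.

    Only CNs that occur more than once are returned, so an empty dict means
    every bare CN in the input is unambiguous.
    """
    seen = defaultdict(list)
    for dn in dns:
        seen[cn_of(dn).casefold()].append(dn)
    return {cn: members for cn, members in seen.items() if len(members) > 1}


def releasable_group_names(dns, app_ou):
    """Return bare CNs from the dedicated OU only, refusing if any CN is ambiguous there.

    Relying on the container scope means the check needs only what LDAP
    guarantees (an RDN is unique within its parent), not a forest-wide CN
    uniqueness rule.
    """
    in_scope = [dn for dn in dns if parent_of(dn).casefold() == app_ou.casefold()]
    dupes = cn_collisions(in_scope)
    if dupes:
        raise ValueError("ambiguous CN inside %s: %s" % (app_ou, sorted(dupes)))
    return sorted(cn_of(dn) for dn in in_scope)


if __name__ == "__main__":
    print("collisions across all groups:", cn_collisions(SAMPLE_GROUP_DNS))
    print("names safe to release for the app:", releasable_group_names(SAMPLE_GROUP_DNS, APP_OU))
```

Run against the sample, `cn_collisions` flags `admin` as carried by two different DNs, while `releasable_group_names` scoped to the application's OU returns only `admin` and `viewer`, because the Payroll group is never considered. The scoping is what keeps the bare names meaningful; it does not depend on AD continuing to refuse duplicate group names across OUs.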