releasing AD group names
Morgan, Andrew J
morgan at oregonstate.edu
Sat Apr 9 01:26:41 UTC 2022
I think your application admin is confusing the CN attribute with the samAccountName (pre-Windows 2000) attribute.
The CN value, when used as the RDN, is only unique within a given OU. The samAccountName attribute must be unique within a single domain and the userPrincipalName (UPN) must be unique in the forest.
When you create a new Group and type a name in the "Group name", aka CN, field, it copies the text to the "Group name (pre-Windows 2000)", aka samAccountName, field as well. You can't duplicate the samAccountName, so you must edit that field, but you don't have to change the "Group name" field if the new group is in a different OU.
Since they don't know any better, it's good that you are only mapping from the app's OU!
Andy
________________________________
From: users <users-bounces at shibboleth.net> on behalf of IAM David Bantz via users <users at shibboleth.net>
Sent: Friday, April 8, 2022 5:12 PM
To: Cantor, Scott <cantor.2 at osu.edu>
Cc: IAM David Bantz <dabantz at alaska.edu>; Shib Users <users at shibboleth.net>
Subject: Re: releasing AD group names
On 08Apr2022 at 14:29:21, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
Is this a common requirement?
It's not safe, those names aren't unique. Consider two groups called CN=admin but with different OUs. Obvious problem there in the event of a mistake in configuration somewhere.
I made exactly that argument to the application admin, and provided a similar example. The claim back is that AD enforces global uniqueness on the CN of groups. An attempt to create just such a competing group with the same CN in a different OU was denied with a message that the name already existed (i.e., in another OU). "AD is not, strictly, an LDAP directory." A little surprising to me, and I wouldn't want to stake my app's security on AD always enforcing that uniqueness, but the current behavior of AD seems to insulate users against just this unsound practice. I'll pull the CNs only from the OU dedicated to that app in any case.
David
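As an added illustration (not code from this thread, and not the Shibboleth resolver's own logic), the following Python uses constructed sample group entries to show why a bare CN is ambiguous across OUs, and how restricting the release to the app's dedicated OU and refusing to release on duplicate CNs avoids the problem. The DNs, OU layout and sAMAccountName values are assumptions.

```python
import re

# Constructed sample AD group entries (DN plus sAMAccountName); not real data.
# Two groups share CN=admin in different OUs, as in Scott's example; their
# sAMAccountName values differ because AD requires them to be unique per domain.
GROUPS = [
    {"dn": "CN=admin,OU=AppX,OU=Groups,DC=example,DC=edu", "sAMAccountName": "appx-admin"},
    {"dn": "CN=admin,OU=Finance,OU=Groups,DC=example,DC=edu", "sAMAccountName": "finance-admin"},
    {"dn": "CN=users,OU=AppX,OU=Groups,DC=example,DC=edu", "sAMAccountName": "appx-users"},
]

# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return the DN as a list of (ATTR, value) pairs, most specific RDN first."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def is_under(dn, base_dn):
    """True if dn sits at or below base_dn (case-insensitive comparison of RDNs)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    norm = lambda pairs: [(a, v.lower()) for a, v in pairs]
    return len(d) >= len(b) and norm(d[-len(b):]) == norm(b)


def cn_collisions(groups):
    """Map each CN (lower-cased) to the DNs using it; keep only ambiguous ones."""
    seen = {}
    for g in groups:
        cn = parse_dn(g["dn"])[0][1]
        seen.setdefault(cn.lower(), []).append(g["dn"])
    return {cn: dns for cn, dns in seen.items() if len(dns) > 1}


def release_group_names(groups, app_ou):
    """CNs safe to release to one application: only groups under its dedicated OU,
    and only when no CN is duplicated within that scope (raise instead of guessing)."""
    scoped = [g for g in groups if is_under(g["dn"], app_ou)]
    dup = cn_collisions(scoped)
    if dup:
        raise ValueError(f"ambiguous CNs under {app_ou}: {dup}")
    return sorted(parse_dn(g["dn"])[0][1] for g in scoped)


def stable_identifiers(groups):
    """sAMAccountName is unique per domain, so it (like the full DN) is a safe key."""
    names = sorted(g["sAMAccountName"] for g in groups)
    assert len({n.lower() for n in names}) == len(names)
    return names
```

Run against the whole Groups container, the function refuses to release because `admin` appears twice; scoped to OU=AppX it returns an unambiguous list.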