[JRASERVER-26164] JIRA uses the CN attribute for Active Directory LDAP, but this is not guaranteed unique.

      Group names must be unique, but CN is not guaranteed unique in Active Directory.


Mark Lassau (Inactive) added a comment:

Note that the customer that originally raised the Support Request that this issue arises from was not happy with the idea of using sAMAccountName as group name either.
They think this is different to the "normal" name that users are used to.

They want to have a non-unique "Display Name" for groups based on CN, with a description field or similar to then distinguish between these non-unique names.
Unfortunately, this idea becomes a bit sticky when you amalgamate multiple directories that define the same group name.

Mark Lassau (Inactive) added a comment:

Merging memberships of the two groups does not seem like a solution - this would lead to privilege escalation.
And it would be worsened for anyone using nested groups.

It seems the best solution is to move to using a unique attribute for group name.
User name uses sAMAccountName and so group name probably should as well.

An admin can currently edit the group name attribute under Group Schema Settings.
According to a comment on CWD-2431 this may currently be broken for write operations.

Tracked in Crowd at CWD-2441 "Use sAMAccountName attribute for group name by default when using Active Directory".
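The comment above rejects merging same-named groups because it over-grants, and more so with nested groups. The following audit script is an added illustration of that point; it is not code from Jira, Crowd or the issue's author. It works over a constructed list of AD group entries (invented DNs and attribute values shaped like an LDAP search result), reports which values of a chosen naming attribute collide, expands nested membership, and shows how large the membership would become if a connector keyed on CN silently unioned the colliding groups, compared with keying on sAMAccountName.

```python
from collections import defaultdict

# Constructed sample of what an LDAP search for AD group objects could return.
# Attribute names follow the AD schema; the entries and DNs are invented for this example.
SAMPLE_GROUPS = [
    {"dn": "CN=Admins,OU=Sydney,DC=example,DC=com",
     "cn": "Admins", "sAMAccountName": "syd-admins",
     "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
    {"dn": "CN=Admins,OU=London,DC=example,DC=com",
     "cn": "Admins", "sAMAccountName": "lon-admins",
     # nested group: London Admins contains the London Helpdesk group
     "member": ["CN=bob,OU=Users,DC=example,DC=com",
                "CN=Helpdesk,OU=London,DC=example,DC=com"]},
    {"dn": "CN=Helpdesk,OU=London,DC=example,DC=com",
     "cn": "Helpdesk", "sAMAccountName": "lon-helpdesk",
     "member": ["CN=carol,OU=Users,DC=example,DC=com"]},
]


def find_name_collisions(groups, name_attr):
    """Map each value of name_attr shared by two or more group entries to the DNs that carry it."""
    by_name = defaultdict(list)
    for g in groups:
        by_name[g[name_attr]].append(g["dn"])
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


def effective_members(groups, dn, seen=None):
    """Expand a group's membership transitively, following nested groups by DN.

    Returns the set of non-group member DNs. `seen` guards against membership cycles.
    """
    by_dn = {g["dn"]: g for g in groups}
    seen = set() if seen is None else seen
    if dn in seen:
        return set()
    seen.add(dn)
    users = set()
    for member in by_dn[dn]["member"]:
        if member in by_dn:  # nested group: recurse into it
            users |= effective_members(groups, member, seen)
        else:
            users.add(member)
    return users


def merged_membership(groups, name_attr, name):
    """Model a connector that keys groups by name_attr and unions every entry with that name.

    Returns (membership per source entry, merged membership). If the merged set is larger
    than every per-entry set, members of one group have gained the other's entitlements.
    """
    per_entry = {}
    for g in groups:
        if g[name_attr] == name:
            per_entry[g["dn"]] = effective_members(groups, g["dn"])
    merged = set().union(*per_entry.values()) if per_entry else set()
    return per_entry, merged


def escalation_report(groups, name_attr):
    """List every collision under name_attr whose merged membership exceeds each source group."""
    report = {}
    for name in find_name_collisions(groups, name_attr):
        per_entry, merged = merged_membership(groups, name_attr, name)
        if all(len(merged) > len(m) for m in per_entry.values()):
            report[name] = sorted(merged)
    return report


if __name__ == "__main__":
    for attr in ("cn", "sAMAccountName"):
        print(f"collisions keyed by {attr}: {find_name_collisions(SAMPLE_GROUPS, attr)}")
    print("over-grant if CN collisions were merged:", escalation_report(SAMPLE_GROUPS, "cn"))
```

On the sample data, keying by `cn` reports one collision ("Admins", two DNs) and merging it would hand alice the London group's transitive membership (bob and, via the nested Helpdesk group, carol); keying by `sAMAccountName` reports no collision, which is the property the comment argues for. Running `find_name_collisions` against a real export of group entries is a cheap pre-check before pointing a directory connector at a forest where the naming attribute is still CN.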

Assignee: Unassigned
Reporter: Mark Lassau (Inactive)
Affected customers: 5
Watchers: 11