I have 2 users in my AD installation with the same CN
CN=jack,CN=Users,DC=xyz,DC=com and
CN=jack,OU=abc,DC=xyz,DC=com
When I try to authenticate to the AD Server using the Apache Directory Studio client and give the following credentials
User: jack
Password: <password>
the authentication fails. The following credentials work
User: CN=jack,CN=Users,DC=xyz,DC=com
Password: <password>
When I have only a single user CN=tom,DC=xyz,DC=com
with a given CN
I am able to login with
User: tom
Password: <password>
without having to specify the entire DN (CN=tom,DC=xyz,DC=com).
I need to write a module to authenticate users against an AD installation. I have with me only the usernames and passwords and not the fully qualified base DNs. How do I do this, as the problem seems to happen when there is more than one user with the same CN?
EDIT: Can I configure the AD server to bind against the mail address of the users instead of the CN? This would solve my problem, as mail addresses are unique while CNs are not.
I'm not sure what to say, mostly because it's hard to see exactly what you're asking.
If your organisation creates 'duplicate' user names in different contexts/OUs, which is certainly allowable in AD, then any code you write will have to support working with usernames under different contexts.
Whether or not that's a good idea or "correct" is a question for your organisation to decide internally.
The sAMAccountName of a user should be unique within a given domain, so you should be able to get the client to query AD based on the sAMAccountName and then use the full X.400 name you get back for authentication.
If you have more than one domain, then you need domain + userID (sAMAccountName) to authenticate anyway.
You're trying to use the relative distinguished name (RDN), not the CN. The relative distinguished name is unique within the OU (its relative path) but may not be unique within the domain. You should be using the distinguished name (DN), which is unambiguous and unique within the domain.
http://technet.microsoft.com/en-us/library/cc977992.aspx
I found the attribute I was looking for: userPrincipalName (UPN). This has a unique value in Active Directory and can be supplied as the user name while attempting to authenticate. So now I need a list of UPNs and the corresponding passwords for login.
http://technet.microsoft.com/en-us/library/cc739093%28WS.10%29.aspx
In a user object in Active Directory, the sAMAccountName (logon name) and the UPN (User Principal Name) are used to log on to the Active Directory domain.
These properties of a user object must be unique in Active Directory.
As in your question...
You created two user objects as above; the syntax above is that of DNs.
You should check the sAMAccountName (logon name) or UPN for those users. I mean the above users have different sAMAccountNames and UPNs. After checking the real sAMAccountName or UPN for those users, try to log on.
P.S. Also, the DN is unique.
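Putting the answers above together (search by sAMAccountName or UPN, then bind with the DN that comes back), as an added example that is not code from the original thread: the login name is escaped per RFC 4515 before it goes into the filter, a lookup that returns anything other than exactly one entry fails closed, and an empty password is rejected before the bind because a simple bind with an empty password is treated as anonymous by LDAP servers. The FakeDirectory stands in for the AD server so the code runs offline; the two DNs are the ones from the question, while the sAMAccountName, UPN and password values are assumptions made for the demo.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the two "jack" accounts in the question. The DNs come from
# the question; the sAMAccountName/UPN/password values are assumptions for the demo.
FAKE_AD: Dict[str, Dict[str, str]] = {
    "CN=jack,CN=Users,DC=xyz,DC=com": {
        "sAMAccountName": "jack", "userPrincipalName": "jack@xyz.com", "password": "users-secret"},
    "CN=jack,OU=abc,DC=xyz,DC=com": {
        "sAMAccountName": "jack.abc", "userPrincipalName": "jack.abc@xyz.com", "password": "abc-secret"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-typed login name cannot change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_filter(login: str) -> str:
    """Look the login up by sAMAccountName or UPN (both unique per domain), never by CN."""
    v = escape_filter_value(login)
    return f"(&(objectClass=user)(|(sAMAccountName={v})(userPrincipalName={v})))"

class FakeDirectory:
    """Minimal in-memory directory: case-insensitive exact matching on the filter shape
    build_filter() emits, plus a simple bind checked against the stored password."""
    _shape = re.compile(r"\(&\(objectClass=user\)\(\|\(sAMAccountName=(.*)\)\(userPrincipalName=\1\)\)\)")

    def search(self, ldap_filter: str) -> List[str]:
        m = self._shape.fullmatch(ldap_filter)
        if not m:
            return []
        # Undo the RFC 4515 escaping so the comparison is against the literal attribute value.
        wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1)).lower()
        return [dn for dn, a in FAKE_AD.items()
                if wanted in (a["sAMAccountName"].lower(), a["userPrincipalName"].lower())]

    def bind(self, dn: str, password: str) -> bool:
        entry = FAKE_AD.get(dn)
        return entry is not None and entry["password"] == password

def authenticate(directory, login: str, password: str) -> Optional[str]:
    """Two-step logon: resolve login -> DN with a (service-account) search, then bind as that DN.
    Returns the DN on success; None for unknown, ambiguous, empty-password or wrong-password logins."""
    if not password:  # on a real server an empty password is an anonymous bind, not a failure
        return None
    matches = directory.search(build_filter(login))
    if len(matches) != 1:  # zero hits or an ambiguous result: fail closed instead of guessing
        return None
    return matches[0] if directory.bind(matches[0], password) else None
```

Against a real domain controller, `FakeDirectory.search` becomes a search with a read-only service account under the domain base DN and `bind` becomes a simple bind with the returned DN; the rest of the logic stays the same.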