groupOfNames inconsistancy with openLDAP and Active Directory

General Discussion about LDAP Administrator

Moderator: Support

groupOfNames inconsistancy with openLDAP and Active Directory

Postby 1911drb » Sun Mar 16, 2008 2:16 pm

I'm fairly new to LDAP. I have downloaded OpenLdap and
created a ldif file that works fine. My problem is that I cannot
load the ldif file when using Active Directory because the
"groupOfNames" object. I would like to design the schema to
work with both, but I'm starting to wonder if it is possible?

Below is the segment that works with OpenLDAP. With Active Directory
I get the error:
Failed to add new entry cn=TrendFailureAccess, ....
LDAP: error code 16 - 0000005: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece )

# Quality Perissions for TPW Application
dn: cn=Trend FailureAccess,ou=functionality,ou=TPW,dc=webspun,dc=net
objectclass: top
objectclass: groupOfNames
cn: Trend Failure Access
member: uid=dbritton
member: uid=jbertoia
member: uid=webspun

Can anyone comment on using the "groupOfNames" object with AD? Is it possible? Is the syntax of the ldif file different?

Thanks in advance for any help
Posts: 1
Joined: Sat Mar 15, 2008 10:38 pm

groupOfNames inconsistancy with openLDAP and Active Directory

Postby Alex » Thu Mar 20, 2008 8:51 pm

I don't think I've ever seen that attribute.
What happens if you just use "group"?

Does Active Directory even use groupOfNames?
Posts: 1
Joined: Thu Mar 20, 2008 8:46 pm

Postby Support » Thu Mar 27, 2008 12:31 pm

I guess the problem is that you use RDN instead of DNs.
e.g. uid=dbritton instead of something like uid=dbritton,ou=users,dc=webspun,dc=net

Active Directory unlike some other servers always check referential integrity for the member attribute.
Posts: 896
Joined: Sun Aug 12, 2001 12:00 am

Postby enewman » Wed May 21, 2008 4:25 pm

Active Directory does not use groupOfNames unless you have loaded the SFU schema. The other issue is that AD uses DN format for membership whereas groupofNames uses account uid (i.e. short login name).

One of the challenges of UNIX integration with LDAP and AD is this difference - shortname vs distinguished name.
Posts: 2
Joined: Mon Mar 27, 2006 12:33 pm

Return to General Discussion

Who is online

Users browsing this forum: No registered users and 2 guests