|Applies To||RSA ClearTrust 5.0.1 Authorization Server (AServer)|
Microsoft Windows 2000 Server SP3
Microsoft Active Directory
Customer does want to use either SamAccountName or UserPrincipalName
Customer uses Active Directory for all user administration, and they don't use NT authentication
|Issue||How to use CN to authenticate users with Active Directory Datastore|
|Cause||The above are Microsoft Active Directory limitations for SamAccountName and UserPrincipalName|
|Resolution||CN can be used between ClearTrust server and Active Directory mapping. This can be done by changing the parameter in ldap.conf:|
cleartrust.data.ldap.user.attributemap.name: CN. (by default, this parameter is set as sAMAcountName)
Contact RSA Security Customer Support to request RSA ClearTrust hot fix 126.96.36.199, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). This hot fix suggests to use UserPrincipalName for the above parameter. This will overcome the restriction imposed by sAMAcountName as the max length of 20 characters. However, by using UserPrincipalName, the authentication would need to use a FQDN.
Using CN as the authentication name works well, except that when you create a user in Entitlement manager, the user cannot be managed in Active Directory (does not show up in the Active Directory at all). Also, the NT authentication uses different user attributes (UserPrincipalName or sAMAcountName) rather then CN.
NOTE: If using CN with Active Directory, users should be administered using the Microsoft MMC management tools and not the ClearTrust Admin GUI.
|Workaround||The sAMAcountName is only 20 characters long and the UserPrincipalName requires the FQDN - an additional @xxxxx.com (or net, etc.) to work properly|
|Legacy Article ID||a18114|