
Console Switch Active Directory problems

 
Andreas Peetz
Occasional Advisor


Hi all,

We finally managed to integrate the console switch into our Active Directory, but discovered a really annoying limitation:
It looks like the LDAP software cannot handle queries that contain commas and slashes (, and /). If we try to authenticate with an account that has these special characters in its name, authentication will fail. If we remove the special characters from the account name, it works as expected.

Is there any workaround for this issue? Whom should I contact to have this obvious bug fixed?

Thanks and best regards,
Andreas
9 REPLIES
Alex King
Advisor

Re: Console Switch Active Directory problems

Dear Andreas,

You will have limitations and it is not considered a bug. The names of security principal objects can contain all Unicode characters except the special LDAP characters defined in RFC 2253. This list of special characters includes: a leading space; a trailing space; and any of the following characters: # , + " \ < > ;

This link can be used as a starting place for further information:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/232d2aab-b33b-4bf7-9c8c-bb659bf6a35b.mspx

Thanks.


Alex King
Advisor

Re: Console Switch Active Directory problems

Here's another link that might be of interest:

http://support.microsoft.com/?kbid=228275
Andreas Peetz
Occasional Advisor

Re: Console Switch Active Directory problems

Hello Alex,

thank you for your answer.

Let me elaborate on our situation.
The user accounts (several 10.000) in our AD all have commas and slashes in their "distinguished name" (the cn-attribute), but not in the account name (the sAMAccountName-attribute). At least in Europe it is very common to have a string like "Surname, Forename..." as cn-attribute, so I don't think that this is a very unusual situation.

It is FALSE that the cn-attribute must not contain special characters. It is TRUE that special characters in attributes must be masked (e.g. with a preceding backslash). Please see RFC2254 for details.

If an application queries the AD via LDAP for a cn-name that contains special characters, it will receive an answer that is correctly masked.
The problem now is that the application does not correctly interpret the masking characters, or just ignores or removes them before it re-uses the answer for later queries. If it correctly preserved the masking, subsequent LDAP queries would not fail.

So, this is indeed a bug in the console switch software.

Let me repeat my original question: I want to address that issue to the developers. I do not insist on having it fixed. I just want to be helpful and increase the chance that this bug will be fixed in a future update of the software, so that it might be of use for us some day.

Whom should I contact to achieve this?

Thank you and best regards
Andreas
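
The masking described in the post above, as an added example that is not part of the original post and not the console switch's code: a value is escaped per RFC 2253 when it goes into a DN, the DN is split only on unescaped commas, and it is escaped again per RFC 2254 when reused inside a search filter. The function names, the `member` filter and the `Doe, Jane` entry are constructed for illustration.

```python
def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 2253, section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        # , + " \ < > ; anywhere; '#' or space first; space last
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def split_rdns(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas, keeping escape pairs intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # backslash plus the character it masks
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))   # a real RDN separator
            cur, i = [], i + 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts


def escape_filter_value(value: str) -> str:
    """Escape a value for use in a search filter (RFC 2254, section 4)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


# Constructed sample entry with a "Surname, Forename" style cn.
USER_DN = "CN=" + escape_dn_value("Doe, Jane") + ",OU=Users,DC=example,DC=com"

# Failure mode from the post: masking removed before the DN is reused.
STRIPPED_DN = USER_DN.replace("\\", "")

# Reusing the DN in a later query: the DN's own backslash becomes \5c.
MEMBER_FILTER = "(member=" + escape_filter_value(USER_DN) + ")"

if __name__ == "__main__":
    print(split_rdns(USER_DN))      # 4 RDNs, cn kept whole
    print(split_rdns(STRIPPED_DN))  # 5 parts, cn broken at the comma
    print(MEMBER_FILTER)
```

Escaping the filter value the same way also keeps user-supplied names from altering the filter's structure.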
Alex King
Advisor

Re: Console Switch Active Directory problems

Andreas,

Thank you so much for the additional information in your last email. I have forwarded this info to the developer. We will confirm this issue and hope to have a bug fix in the next release or future product. If we need additional information regarding this issue, can we contact you through this forum?

Regards,

Alex
Andreas Peetz
Occasional Advisor

Re: Console Switch Active Directory problems

Alex,

yes, please contact me through the forum or write an e-mail to
andreas.peetz(at)sanofi-aventis.com

Thank you for your help
Andreas
Mary_68
Occasional Visitor

Re: Console Switch Active Directory problems

Can I ask how you managed to get LDAP integration to work? We have read, understood and followed Appendix A of the software guide, customizing of course the parameters and such to our organization, and still it will not work. It is fine in basic mode, but once we switch to group attribute it bombs.
Alex King
Advisor

Re: Console Switch Active Directory problems

Mary,

We suggest that you follow Appendix A exactly and change one parameter at a time until it fits your organization. If you have already done this, please list every difference that you have made from the tutorial.

Regards,
Alex
Mary_68
Occasional Visitor

Re: Console Switch Active Directory problems

Let me first thank you for responding, Alex, I really appreciate it.
Ok so here's my confusion...
If I'm understanding your instructions correctly, in order for directory integration to function properly, we would need to reorganize our structure to accommodate the appliance? I thought that the appliance could be configured to work with our existing environment. We are not set up as easily as the example is. For example, because we have nested OUs, my search dn string reads similar to this:
cn=kvmquery,ou=My Accounts,ou=MyAgency,dc=agency,dc=com. And the OU container isn't named KVMLDAP and not located directly under the root.

So, does the OU container that holds the groups and switches need to be directly off of the root to function?

And as in the example, does the DC have to be directly connected to the switch?

Once again I appreciate your input.
Alex King
Advisor

Re: Console Switch Active Directory problems

You do not have to match the directory to the appliance. The idea was for you to understand all the concepts in the tutorial before applying them to your directory structure. If you would like to provide full details of the differences in your structure, we can try and help, or provide your email address so that we can get enough details to be of help.

Thanks,
Alex