UCS bug around Active Directory

Update:
UCS 2.1 addresses this particular issue.  Bug ID: CSCth96721

Summary:
Found an interesting UCS bug on 2.0(3b).  May be resolved in 2.0(4d), but have not tested yet.  This particular problem only manifests itself if your Active Directory tree structure is elaborate and causes a user account's distinguishedName to be longer than 128 characters.

Detailed:
Essentially UCS queries Active Directory with the samAccountFilter and receives the results of the query. It then makes a bind call against the DN it received in those results. The problem is that the DN variable used for the bind call on the UCS side appears to be limited to 128 characters, so any longer distinguishedName is truncated before the bind call is made, and the bind against the truncated DN fails.

Workaround:
The only real workaround is to move the affected account to a higher-level OU to shorten its distinguished name.

Powershell:
You can use PowerShell to determine the length of your distinguished name by utilizing the Quest ActiveRoles PS snap-in (load it first, then query the account):
Add-PSSnapin Quest.ActiveRoles.ADManagement
(Get-QADUser UserName).DN.Length
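Added example (not from the original post): a small PowerShell check that flags user distinguished names longer than the 128-character bind limit described above and shows what the truncated DN would look like, so you can find affected accounts in a group map before anyone is locked out. The sample DNs are constructed; the 128-character limit is the one stated in the summary; the function name, the group name 'UCS-Admins' and the use of the RSAT ActiveDirectory module (instead of the Quest snap-in) are assumptions for illustration.

```powershell
# Added example, not code from the original post. Flags Active Directory users
# whose distinguishedName exceeds the UCS bind DN limit described above.
# The limit value (128) comes from the post; everything else here is assumed.

$UcsBindDnLimit = 128

function Test-DnWithinUcsLimit {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Returns the DN length, whether it fits the limit, and (if it does not)
    # the truncated DN that UCS would actually attempt to bind with.
    $fits = $DistinguishedName.Length -le $UcsBindDnLimit
    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        Length            = $DistinguishedName.Length
        WithinLimit       = $fits
        TruncatedDn       = if ($fits) { $null } else { $DistinguishedName.Substring(0, $UcsBindDnLimit) }
    }
}

# Constructed sample DNs: a shallow one that fits and a deep OU tree that does not.
$sampleDns = @(
    'CN=jdoe,OU=Users,DC=example,DC=com',
    'CN=jane.doe,OU=Network Engineering,OU=Infrastructure,OU=Information Technology,OU=Corporate Services,OU=North America,DC=corp,DC=example,DC=com'
)

$sampleDns | ForEach-Object { Test-DnWithinUcsLimit $_ } | Format-Table -AutoSize

# Against a live domain (assumes the RSAT ActiveDirectory module and that
# 'UCS-Admins' is one of the groups you map in UCS; both are assumptions):
# Import-Module ActiveDirectory
# Get-ADGroupMember -Identity 'UCS-Admins' -Recursive |
#     Get-ADUser |
#     ForEach-Object { Test-DnWithinUcsLimit $_.DistinguishedName } |
#     Where-Object { -not $_.WithinLimit }
```

Any account the live query reports with WithinLimit set to False is a candidate for the OU move described in the workaround; the TruncatedDn column makes it obvious that the truncated value is not a valid DN at all, which is why the bind fails rather than silently matching a different object.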

4 comments:

Chris Wahl said...

There's a warning when entering in the bind DN that you are limited to 127 characters.

Chris Nakagaki said...

For the account used to query AD, but not accounts that are part of the defined LDAP group maps. There is no warning or error.

marcus oh said...

If nothing else, they could stop using the DN and simply use the SAM ID since they're already familiar with it from the query. The chance of a long character issue in sAMAccountName is nullified by its character limitation set at 20.

Chris Nakagaki said...

Doesn't help with the LDAP query. Still need to pass the entire path. Complex AD structures would still suffer. No longer an issue in this case though.