Return
-
Title
Avoid conflicts across domains when performing username searches -
Description
Avoid conflicts across domains when performing username searches
If the same username exists in multiple domains, then this can cause issues during a name search without the domain specified. -
Resolution
Use the alt-auth-realms option in vas.conf to specify a resolution order when the domain is not entered as part of the search.From the man page:----------------------------------------------------alt-auth-realms = <DOMAIN>[,<DOMAIN>]...Default value: none
The alt-auth-realms option provides a way for an administrator to specify a resolution order for conflicts encountered during username searches against active directory.
For example, suppose you have 3 domains in your forest.These domains are corp.example.com, sub.example.com, and example.com.Suppose you have a different 3 bobs in your organization.Each of these bobs has exactly one account, and it just so happens that none of them are in the same domain.If you were using samAccountName as your login attribute, it is likely that all of these users could log in by specifying their username as bob.There is, however, an important question as to which of the bobs is logging in when the username bob is specified.Each bob could log in using the syntax of bob@domain to eliminate doubt, but which bob is logging in if the domain suffix is not included?
Default SAS Unix login behavior will first prefer any bob that exists in the domain to which the computer is joined.After this the order in which conflicts are resolved is arbitrary.To ensure a specific domain conflict resolution order, you should specify the preferred order using the alt-auth-realms option.
[vasd]alt-auth-realms = example.com,sub.example.com,corp.example.com----------------------------------------------------