Released

FME Server Active Directory: Away from Distinguished Name (DN)

Related products: FME Form

todd_davis
Influencer

FME Server uses Distinguished Name (DN) to associate a user with Active Directory. The DN name is a composite of many AD components and is not fixed (e.g. CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM). Therefore if their organisation unit changes or is renamed, or they marry and change their surname, etc., the link will be broken between FME Server and Active Directory. They will no longer be able to access FME Server, although they will still be listed as a user. I have seen this occur in many organisations.


I believe a better approach is to use the Active Directory SID which I do not believe changes for a user, and is unique to a domain. The other component to use would be a domain, as there may be more than one domain connected to FME Server. This way we would maintain a consistent link that is not affected by most AD changes.


5 replies

rylanatsafe
Safer
  • January 24, 2020

Please note that in FME Server 2020.0 we have made some improvements to this experience.

If there is a name change in Active Directory that affects a User Account imported to FME Server, previous to FME Server 2020.0 (Build 20163), that user would not be able to log in.

Now, that user will still be able to login with the "original" username.

This comes with a few important details...

  • the original User Account would need to be deleted and re-added to have the name updated in FME Server
  • both User Accounts cannot exist at the same time
  • synchronizing does not automatically update the username


Clear as mud? Let's try walking through an example...

  1. John Doe is imported to FME Server through an Active Directory connection. He logs into FME Server as "jdoe" without any issues, using his network password.
  2. John Doe changes his name to John Deer. Now his Active Directory username is "jdeer".
  3. John Deer must continue to log in to FME Server with the username "jdoe".
  4. An FME Server Admin is unable to import "jdeer" to FME Server so long as the "jdoe" User Account exists on the same instance.


Please reach out if you have any questions or comments.


todd_davis
Influencer
  • Author
  • January 27, 2020

Thanks, can I ask what AD details it is looking at?


rylanatsafe
Safer
  • January 27, 2020

@todd_davis ObjectGUID. Research by our Development Team identified that this value should not change.

Noting that ObjectSID/SID was also considered, but the ObjectGUID seemed to provide more benefits. For example, the SID will change if a user changes domains (though it is stored in SIDHistory), but the GUID value will remain the same.
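To make the trade-off between DN, SID and ObjectGUID concrete, here is an added example (not FME Server code, and not from Safe Software) that walks the rename scenario from the first reply and the domain-move point from this one. It decodes the `objectGUID` and `objectSID` attributes the way they arrive over LDAP, then checks, for each linking strategy, whether an account stored at import time still matches the directory entry after a surname change and after a move to another domain in the same forest. Every directory entry, GUID and SID below is constructed sample data; `UserStore` is a hypothetical application user table keyed by GUID.

```python
"""Binding application accounts to a stable Active Directory identifier.

Added example (not FME Server code): decodes objectGUID and objectSID as LDAP
returns them, then shows which of DN, SID and GUID still identify the same
person after a rename and after an intra-forest domain move.
All directory entries below are constructed sample data.
"""
import struct
import uuid


def guid_from_ldap(raw: bytes) -> str:
    """objectGUID is 16 bytes in Windows mixed-endian order; bytes_le undoes that."""
    return str(uuid.UUID(bytes_le=raw))


def sid_from_ldap(raw: bytes) -> str:
    """Decode a binary objectSID into the familiar S-R-A-S1-S2-... string.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x uint32 little-endian.
    """
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def pack_sid(authority: int, *subs: int) -> bytes:
    """Build a binary SID; used here only to construct the sample entries."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed entries for one person at three points in time (not real AD data).
GUID = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
IMPORTED = {
    "distinguishedName": "CN=John Doe,OU=Sales,DC=fabrikam,DC=com",
    "sAMAccountName": "jdoe",
    "objectSID": pack_sid(5, 21, 1111, 2222, 3333, 1105),
    "objectGUID": GUID,
}
RENAMED = {  # surname change: CN and login change, SID and GUID do not
    "distinguishedName": "CN=John Deer,OU=Sales,DC=fabrikam,DC=com",
    "sAMAccountName": "jdeer",
    "objectSID": IMPORTED["objectSID"],
    "objectGUID": GUID,
}
MOVED = {  # moved to another domain in the same forest: new SID, old SID in sIDHistory
    "distinguishedName": "CN=John Deer,OU=Staff,DC=contoso,DC=com",
    "sAMAccountName": "jdeer",
    "objectSID": pack_sid(5, 21, 4444, 5555, 6666, 1105),
    "sIDHistory": [IMPORTED["objectSID"]],
    "objectGUID": GUID,
}


def still_matches(stored: dict, current: dict) -> dict:
    """For each linking strategy: does the entry stored at import still match the current one?"""
    stored_sid = sid_from_ldap(stored["objectSID"])
    current_sids = {sid_from_ldap(current["objectSID"])}
    current_sids.update(sid_from_ldap(s) for s in current.get("sIDHistory", []))
    return {
        "dn": stored["distinguishedName"] == current["distinguishedName"],
        "sid": stored_sid == sid_from_ldap(current["objectSID"]),
        "sid_or_history": stored_sid in current_sids,
        "guid": guid_from_ldap(stored["objectGUID"]) == guid_from_ldap(current["objectGUID"]),
    }


class UserStore:
    """Hypothetical application user table keyed by objectGUID; DN and login are display data."""

    def __init__(self):
        self._accounts = {}

    def import_user(self, entry: dict) -> str:
        key = guid_from_ldap(entry["objectGUID"])
        self._accounts[key] = {"login": entry["sAMAccountName"], "dn": entry["distinguishedName"]}
        return key

    def sync(self, entry: dict):
        """Match on GUID and refresh login/DN, so a renamed user keeps a single account."""
        acct = self._accounts.get(guid_from_ldap(entry["objectGUID"]))
        if acct is not None:
            acct["login"] = entry["sAMAccountName"]
            acct["dn"] = entry["distinguishedName"]
        return acct


if __name__ == "__main__":
    for label, entry in (("renamed", RENAMED), ("moved", MOVED)):
        print(label, still_matches(IMPORTED, entry))
    store = UserStore()
    store.import_user(IMPORTED)
    print(store.sync(RENAMED))
```

Running it shows the DN link failing at the first rename, the bare SID link failing at the domain move unless `sIDHistory` is also consulted, and the GUID link surviving both. Note that the GUID only survives a move within one forest; a cross-forest migration creates a new directory object, so an application keyed on GUID still needs an explicit re-link step for that case.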


todd_davis
Influencer
  • Author
  • January 27, 2020

Thanks...that's good to know, as someone is bound to ask me when I say it is changing for the better.


rylanatsafe
Safer
  • January 27, 2020

Very true! And I hope that we can resolve the caveats on the FME Server side that I noted in my comment. Currently, we run into complications with object inheritance and the way UIDs for User Accounts are defined. (So that day will come where FME Server is more lenient on renaming objects itself...)

