UPN suffix consistency

It is recommended that an AD domain be a subdomain of an organization's top-level DNS domain name (e.g., ad.contoso.com). It is also recommended that each user's user principal name (UPN) match their email address (e.g., jsmith@contoso.com).

Together, these recommendations lead to the need for a second UPN suffix: the top-level domain (contoso.com) must be registered as an alternative UPN suffix for the forest, and each user's userPrincipalName must then be set to use it rather than the default suffix derived from the domain name (ad.contoso.com). Because a UPN must be unique across the forest, the suffix should be applied consistently rather than account by account. ADMan can ensure that users' UPNs are consistently set.

References:

Actions

For each configured container, ADMan enumerates the users it holds and, where a user's userPrincipalName does not already carry the desired UPN suffix, rewrites it so that it does.

Configuration

upn_suffixes is a mapping (dictionary) similar to the containers type, where each key is the container holding the users to which the UPN suffix will be applied. The value is either (1) the UPN suffix to apply, as a plain string, or (2) a mapping with the following keys:

Config Key   Type     Default      Description
suffix       string   (required)   The UPN suffix to apply
scope        string   subtree      Scope of the LDAP search in the container: either one (direct children only) or subtree (the container and everything below it)

Example configuration

upn_suffixes:

  # The key is the container which specifies the set of users to which the UPN
  # suffix will be applied. There are two ways to specify the UPN suffix to be
  # applied to a container:

  # 1. The simple format just specifies the suffix:
  CN=Users: example.com

  # 2. The complex format allows the scope to be specified,
  # which can be either 'one' or 'subtree' (the default)
  OU=Special Users,OU=People:
    suffix: special.com
    scope: one
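To make the two value formats and the effect of scope concrete, here is an added example that is not ADMan's code: it takes a rule set shaped like the YAML above (embedded as a Python dict), decides which constructed sample users fall under each container for the given scope, computes the userPrincipalName each should end up with, and flags any UPN that more than one account would hold after the change. The container keys are assumed to be relative to the domain DN, and the local part of a UPN is assumed to be kept from the current UPN (falling back to sAMAccountName when none is set); the rule that the deepest matching container wins when rules overlap is this example's own choice, not documented ADMan behaviour.

```python
"""Added example (not ADMan's code): plan the userPrincipalName changes implied
by an upn_suffixes rule set and flag UPN collisions before anything is written.
Assumptions: container keys are relative to the domain DN; the local part of the
UPN is kept from the current UPN, falling back to sAMAccountName."""
import re
from collections import Counter

VALID_SCOPES = ("one", "subtree")

# Constructed config mirroring the YAML above (a Python dict instead of a YAML file).
UPN_SUFFIXES = {
    "CN=Users": "example.com",
    "OU=Special Users,OU=People": {"suffix": "special.com", "scope": "one"},
}
BASE_DN = "DC=ad,DC=contoso,DC=com"

# Constructed users: dn, sAMAccountName, current userPrincipalName (None = unset).
USERS = [
    {"dn": "CN=jsmith,CN=Users," + BASE_DN, "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@ad.contoso.com"},            # needs example.com
    {"dn": "CN=adoe,CN=Users," + BASE_DN, "sAMAccountName": "adoe",
     "userPrincipalName": "adoe@example.com"},                 # already correct
    {"dn": "CN=cli,OU=Nested,CN=Users," + BASE_DN, "sAMAccountName": "cli",
     "userPrincipalName": "cli@ad.contoso.com"},               # subtree: still matched
    {"dn": "CN=bwu,OU=Special Users,OU=People," + BASE_DN, "sAMAccountName": "bwu",
     "userPrincipalName": None},                               # no UPN: build from sAM
    {"dn": "CN=svc,OU=Svc,OU=Special Users,OU=People," + BASE_DN, "sAMAccountName": "svc",
     "userPrincipalName": "svc@ad.contoso.com"},               # scope one: not matched
    {"dn": "CN=jsmith2,OU=Contractors," + BASE_DN, "sAMAccountName": "jsmith2",
     "userPrincipalName": "jsmith@example.com"},               # outside all rules; collides
]


def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn)]


def normalize_rule(value):
    """Accept the simple form (bare suffix) or the mapping form with an optional scope."""
    if isinstance(value, str):
        return value.lower(), "subtree"
    scope = value.get("scope", "subtree")
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {VALID_SCOPES}, got {scope!r}")
    return value["suffix"].lower(), scope


def in_container(user_dn, container_dn, scope):
    """True if user_dn sits under container_dn: direct child for 'one', any depth for 'subtree'."""
    user, cont = split_dn(user_dn), split_dn(container_dn)
    if len(user) <= len(cont) or user[-len(cont):] != cont:
        return False
    return scope == "subtree" or len(user) == len(cont) + 1


def desired_upn(user, suffix):
    """Keep the existing local part (assumption); fall back to sAMAccountName if no UPN is set."""
    current = user.get("userPrincipalName") or ""
    local = current.split("@", 1)[0] if "@" in current else user["sAMAccountName"]
    return f"{local}@{suffix}"


def plan_changes(config, base_dn, users):
    """Return (changes, collisions). changes: (dn, old_upn, new_upn) for users whose UPN
    must change; collisions: final UPNs that more than one account would end up holding."""
    rules = [(f"{k},{base_dn}", *normalize_rule(v)) for k, v in config.items()]
    changes, final = [], {}
    for u in users:
        matches = [r for r in rules if in_container(u["dn"], r[0], r[2])]
        old = u.get("userPrincipalName")
        if not matches:
            final[u["dn"]] = (old or "").lower()   # untouched, but still counts for collisions
            continue
        # If a user falls under several rules, the deepest container wins (this example's choice).
        _, suffix, _ = max(matches, key=lambda r: len(split_dn(r[0])))
        new = desired_upn(u, suffix)
        final[u["dn"]] = new.lower()
        if (old or "").lower() != new.lower():    # UPN comparison is case-insensitive
            changes.append((u["dn"], old, new))
    counts = Counter(v for v in final.values() if v)
    collisions = sorted(upn for upn, n in counts.items() if n > 1)
    return changes, collisions


if __name__ == "__main__":
    changes, collisions = plan_changes(UPN_SUFFIXES, BASE_DN, USERS)
    for dn, old, new in changes:
        print(f"{dn}: {old!r} -> {new!r}")
    for upn in collisions:
        print(f"COLLISION: {upn} would be held by more than one account; resolve before applying")
```

Run as written, the plan renames jsmith and the nested cli account under CN=Users, gives bwu a UPN built from its sAMAccountName, leaves svc alone because scope one does not reach into OU=Svc, and reports that jsmith@example.com would collide with an account outside every configured container. That collision check is the step worth running before letting any tool write the new values, since a UPN must be unique in the forest.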

Commands

Relevant CLI commands: