[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: matching leading space in uid lookup
Hi,
On Monday 19 May 2003 19:05, Steve Langasek wrote:
> On Mon, May 19, 2003 at 01:53:24PM +0200, Hallvard B Furuseth wrote:
> > > Samba is passing on what Windows passes to it, so I'm not sure Samba
> > > is broken, it's asking ldap if user " xxx" can authenticate with
> > > credentials y and ldap's saying yes user "xxx" can authenticate with
> > > credentials y. I don't see that " xxx" == "xxx"
> >
> > Most LDAP matching rules ignore initial and trailing space, and treat
> > multiple spaces as a single space. If Samba is using an attribute with
> > caseignoreMatch for values where initial space make a difference, Samba
> > is broken. It should then be using octet strings and OctetStringMatch
> > or something like that.
>
> Er, that's not a particularly useful recommendation when the attribute
> Samba needs to match on is 'uid', as used by many other schemas,
> 'posixAccount' among them. The real question is, why is Windows sending
> a username with leading spaces, and why is it desirable for such a
> username to NOT match the username in the directory that does not have
> leading spaces? Are there really multiple users in the directory whose
> uids differ only in terms of leading whitespace? Having Samba use its
> own non-standard attribs won't help much with the fact that LDAP thinks
> there are two unix users with the same name.
It may not sound useful at a first glance, but it is the only one that may
work in the long term if Samba needs to distinguish between " johndoe"
and "johndoe".
The cause of the problem is that samba chose an attribute with
caseIgnoreMatch that ignores leading and trailing spaces while
needing one that cares about those spaces.
As long as this cause is not eliminated any work will only cure symptoms.
The only alternative I can see for Samba is to keep uid with its
matching rules and to accept it with all its consequences.
In this case Samba needs a notion of normalization of usernames.
This normalization then needs to be formalized in a routine and the
routine has to be applied to every username.
Technically this is not very hard to do, but according to whether two
usernames are identical there will be a difference between the LDAP
backend and the other authentication backends.
Peter
--
Peter Marschall
eMail: peter@adpm.de