Re: Relative Distinguished Name searches
Andrew Bartlett wrote:
> In Samba4, I currently have a module that creates and maintains the
> 'name' attribute for our AD look-alike. Unlike in other systems, where
> this is related to 'cn', in AD this is always the relative distinguished
> name.
>
> I wondered if it might be possible (by some extended matching of some
> kind) to transform a search of 'name=foo' into something that does not
> require the manual maintenance of a samba4RDN attribute?
>
> (such a matching might then avoid problems if, in future, we allow
> clients direct access to the backend).
Do you mean that 'name=foo' will match any entry whose distinguished
value is 'foo' regardless of the naming attribute? In that case, the
only possibility I see consists in converting the filter 'name=foo' into
something like ':dn:caseIgnoreMatch:=foo' [*], but this would also match
all children of an entry whose distinguished value is 'foo' and whose
naming attribute complies with case-insensitive directory string
matching, so it might not be what you're looking for; then your module
would need to further check the search entries to eliminate false
positives. I wonder why this ':dn:' extension was added; what you'd
need is sort of a ':rdn:' extension that only looks for matches in the
relative dn.
p.
[*] I used caseIgnoreMatch because filtering for 'name' implies
accepting its equality matching rule.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
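
The post-filtering step described in the reply above, as an added example that is not part of the original message or of Samba/OpenLDAP code: it keeps only the entries whose own leftmost RDN carries the wanted value and drops the children that a ':dn:' match also returns. The function names, the sample DNs and the simplified caseIgnoreMatch normalization are assumptions made for illustration.

```python
import re

def _split(s, sep):
    """Split on sep, skipping separators escaped with a backslash (RFC 4514)."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]          # keep the escape pair for _unescape()
            i += 2
        elif s[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += s[i]
            i += 1
    return parts + [cur]

def _unescape(v):
    """Decode backslash-hex pairs and backslash-char escapes in a value."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", v[i + 1:i + 3]):
            out.append(int(v[i + 1:i + 3], 16))
            i += 3
        elif v[i] == "\\" and i + 1 < len(v):
            out += v[i + 1].encode()
            i += 2
        else:
            out += v[i].encode()
            i += 1
    return out.decode("utf-8", "replace")

def _norm(s):
    """Approximate caseIgnoreMatch: fold case, trim and collapse spaces."""
    return " ".join(s.split()).casefold()

def rdn_values(dn):
    """Values of the leftmost RDN only; '+' separates a multi-valued RDN."""
    return [_unescape(a.partition("=")[2]) for a in _split(_split(dn, ",")[0], "+")]

def drop_false_positives(dns, wanted):
    """Keep entries whose own RDN value equals wanted, whatever the naming attribute."""
    return [dn for dn in dns if _norm(wanted) in map(_norm, rdn_values(dn))]

# Constructed DNs standing in for the results of a ':dn:caseIgnoreMatch:=foo' search.
SAMPLE = [
    "CN=foo,DC=example,DC=com",            # RDN value is foo: keep
    "OU=Foo,DC=example,DC=com",            # other naming attribute, other case: keep
    "CN=bar,OU=Foo,DC=example,DC=com",     # child of Foo: false positive
    "CN=a\\,b,OU=Foo,DC=example,DC=com",   # child with an escaped comma: false positive
    "CN=\\66oo,DC=example,DC=com",         # hex-escaped 'f', value is foo: keep
]
```

The parser covers the RFC 4514 string form only; the quoted-value form from LDAPv2 is not handled.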