Re: Username case
- To: openldap-technical@openldap.org
- Subject: Re: Username case
- From: Michael Ströder <michael@stroeder.com>
- Date: Wed, 14 Aug 2019 10:02:24 +0200
- Content-language: en-US
- In-reply-to: <59A1EC7FB57F5649201E5D92@[192.168.1.144]>
- Openpgp: id=43C8730E84A20E560722806C07DC7AE36A8BC938
- References: <1949492507.5014884.1565709926213.ref@mail.yahoo.com> <1949492507.5014884.1565709926213@mail.yahoo.com> <59A1EC7FB57F5649201E5D92@[192.168.1.144]>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
On 8/14/19 1:09 AM, Quanah Gibson-Mount wrote:
> --On Tuesday, August 13, 2019 4:25 PM +0000 JC
> <lovecraftesque@yahoo.com> wrote:
>> Now it seems to be the case that, with a user entry in OpenLDAP as
>> described above, getpwnam("james") will look for an entry such that the
>> its uid attribute takes the value "james". I.e. if the value of uid is,
>> say, "James" then it will be ignored. Which, following the discussion
>> above, doesn't fit my goal.
>
> The "uid" attribute is explicitly defined to be case insensitive in
> RFC1274, see section 9.3.1 "userid". This is reflected in the OpenLDAP
> core schema:

Some more notes to add:

Having EQUALITY caseIgnoreMatch means that "(uid=james)" and
"(uid=James)" will return entries containing all variants, e.g. JAMES,
James, jAmEs, etc.

This also means that enabling the unique overlay (slapo-unique) will enforce
case-insensitive uniqueness on uid values, so that there are now two
distinct entries matching uid=james and uid=James.

This solves searching for the entry by user name.

The other big problem is that the POSIX standard defines all POSIX names
(user names, group names) to be case-sensitive. This also matches the
case-sensitive file name semantics. So one has to look more closely at
how the NSS subsystem used handles this. The default for nss-pam-ldapd
(aka nslcd) treats 'uid' values retrieved from the LDAP server as
case-sensitive.

Even if you switch to case-insensitive handling in /etc/nslcd.conf you
might run into issues with applications consuming the data via NSS.

To avoid all this mess in my Æ-DIR I'm always normalizing the 'uid'
values (and 'cn' values in group entries) to lower-case and avoid mixed
cases by proper data maintenance.

Ciao, Michael.
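
Added example, not part of the original message or of Æ-DIR: a small audit over an LDIF export that reports 'uid' values (and 'cn' values of posixGroup entries) that are not lower-case, and names that differ only by case, i.e. equal under caseIgnoreMatch but distinct to a case-sensitive NSS consumer. The sample LDIF, DNs and function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the thread); DNs and values are made up.
SAMPLE_LDIF = """\
dn: uid=james,ou=people,dc=example,dc=org
uid: james

dn: uid=James,ou=staff,dc=example,dc=org
uid: James

dn: uid=anna,ou=people,dc=example,dc=org
uid:: YW5uYQ==

dn: cn=Admins,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: Admins
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per entry; handles folding and base64."""
    unfolded = text.replace("\n ", "")          # undo RFC 2849 line folding
    for block in unfolded.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):             # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            attrs[name.lower()].append(value)
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def audit_names(text):
    """Return (mixed_case, collisions); lower() approximates caseIgnoreMatch."""
    mixed, by_folded = [], defaultdict(set)
    for dn, attrs in parse_ldif(text):
        names = [("uid", v) for v in attrs.get("uid", [])]
        if "posixgroup" in (oc.lower() for oc in attrs.get("objectclass", [])):
            names += [("cn", v) for v in attrs.get("cn", [])]
        for attr, value in names:
            if value != value.lower():
                mixed.append((dn, attr, value))
            by_folded[(attr, value.lower())].add(value)
    collisions = {k: sorted(v) for k, v in by_folded.items() if len(v) > 1}
    return mixed, collisions
```

Run against an export of the user and group subtrees, an empty result for both lists means every name is already lower-case and no two names differ only by case.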