
Re: Relative Distinguished Name searches



Andrew Bartlett wrote:
> In Samba4, I currently have a module that creates and maintains the
> 'name' attribute for our AD look-alike.  Unlike in other systems, where
> this is related to 'cn', in AD this is always the relative distinguished
> name. 
> 
> I wondered if it might be possible (by some extended matching of some
> kind) to transform a search of 'name=foo' into something that does not
> require the manual maintenance of a samba4RDN attribute?
> 
> (such a matching might then avoid problems if, in future, we allow
> clients direct access to the backend). 

Do you mean that 'name=foo' will match any entry whose distinguished
value is 'foo' regardless of the naming attribute?  In that case, the
only possibility I see consists in converting the filter 'name=foo' into
something like ':dn:caseIgnoreMatch:=foo' [*], but this would also match
all children of an entry whose distinguished value is 'foo' and whose
naming attribute complies with case-insensitive directory string
matching, so it might not be what you're looking for; then your module
would need to further check the search entries to eliminate false
positives.  I wonder why this ':dn:' extension was added; what you'd
need is sort of a ':rdn:' extension that only looks for matches in the
relative dn.

p.

[*] I used caseIgnoreMatch because filtering for 'name' implies
accepting its equality matching rule.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
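The post-check suggested in the reply above (after a ':dn:caseIgnoreMatch:=foo' search, keep only the entries whose own RDN carries the value), as an added example that is not part of the original message or of OpenLDAP or Samba code. The function names, the sample DNs and the simplified caseIgnoreMatch normalization are assumptions made for illustration.

```python
import re

def first_rdn(dn):
    """Return [(attr, value), ...] for the leftmost RDN of an RFC 4514 DN string."""
    avas, attr, buf, i = [], None, bytearray(), 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):          # escaped char or hex pair
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf += dn[i + 1].encode()
                i += 2
            continue
        if c == "=" and attr is None:              # end of attribute type
            attr, buf = buf.decode().strip().lower(), bytearray()
        elif c in "+,":                            # end of one AVA
            avas.append((attr, buf.decode().strip()))
            attr, buf = None, bytearray()
            if c == ",":                           # unescaped comma ends the RDN
                return avas
        else:
            buf += c.encode()
        i += 1
    if attr is not None:                           # DN with a single RDN
        avas.append((attr, buf.decode().strip()))
    return avas

def norm(value):
    # Assumption: approximates caseIgnoreMatch (case folding, insignificant spaces).
    return " ".join(value.split()).casefold()

def rdn_matches(dn, wanted):
    return any(norm(v) == norm(wanted) for _, v in first_rdn(dn))

def drop_false_positives(dns, wanted):
    # Keep entries whose own RDN has the value; children of such entries are dropped.
    return [dn for dn in dns if rdn_matches(dn, wanted)]

# Constructed sample DNs, not taken from any real directory.
CANDIDATES = [
    "cn=foo,dc=example,dc=com",            # RDN value is foo
    "OU=Foo,dc=example,dc=com",            # different naming attribute and case
    "cn=bar,ou=foo,dc=example,dc=com",     # child of ou=foo: the false positive
    r"cn=foo\,bar,dc=example,dc=com",      # escaped comma, RDN value is "foo,bar"
    "cn=baz+uid=FOO,dc=example,dc=com",    # multi-valued RDN
]
```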