Re: Silly details like CN= v cn=

[Howard Chu <hyc@symas.com>]

Andrew Bartlett wrote:
> I've been working on making Samba4 pass it's testsuite with OpenLDAP as
> a backend.
>
> One of my tests does what no LDAP client should do - it applies a case
> sensitive comparison of the returned DN, compared with what we expect
> and get from AD.
>
> For example, we search for cn=ldaptestmachine and then ensure we get:
>
>  CN=ldaptestmachine,CN=Users,DC=samba,DC=example,DC=com
>
> OpenLDAP returns
>
>  cn=ldaptestmachine,cn=users,dc=samba,dc=example,dc=com
>
> which I'm sure is perfectly valid, but if I can write a bodgy script
> with case sensitive comparisons, so can an admin or sloppy app.  Working
> in the windows space makes me like to eliminate differences where I
> can.

It's not just perfectly valid, it is exactly correct. RFC4519 defines the 
attribute name to be 'cn' and we always return the canonical name for a given 
attribute. As always with Microsoft, AD is a broken abomination.

Of course, the point remains that attribute names are case-insensitive, and 
any user doing a case-sensitive compare on the attribute names is begging for 
disappointment.

> Can the case of the attribute names (CN and DC) in that DN be made to be
> UPPER case easily?  (Alternately I'll write a filter module on the
> Samba4 side to do that).

If you can do this easily on your side, that would be best. We could also 
write an overlay for the slapd side, but it would be far more effort than it's 
worth.

> Thanks,
>
> Andrew Bartlett


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/