Re: MacOS X logins very, very slow or failing with Openldap 2.1.23...
Answering multiple responses here:
Quanah Gibson-Mount wrote:
Did not mean to offend you. I just overstate the obvious so that less
informed lurkers might understand.
--On Tuesday, November 25, 2003 3:27 PM -0800 Quanah Gibson-Mount
--On Tuesday, November 25, 2003 6:15 PM -0500 Everette Gray Allen
My understanding of posixaccount is
cn, uid, uidNumber, gidNumber, homeDirectory
I'm quite aware of what cn is. ;)
Sec. 99.37 What conditions apply to disclosing directory information?
(a) An educational agency or institution may disclose directory
information if it has given public notice to parents of students in
attendance and eligible students in attendance at the agency or
(1) The types of personally identifiable information that the agency
or institution has designated as directory information;
(2) A parent's or eligible student's right to refuse to let the
agency or institution designate any or all of those types of information
about the student as directory information; and
(3) The period of time within which a parent or eligible student has
to notify the agency or institution in writing that he or she does not
want any or all of those types of information about the student
designated as directory information.
(b) An educational agency or institution may disclose directory
information about former students without meeting the conditions in
paragraph (a) of this section.
Essentially, if we get such a request, we simply blank out their name to
a "'". That fulfills the requirement, and allows us to continue to
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From this it looks like our folks are being too strict in their
analysis. In our world however we do form uids based on a known formula
which involves the users initials, part of their last name, and adds a
sequential number in case of dups. Still, if we did not expose cn then
there would be no way to get a name from the id for sure.
Thanks for the pointers!
Essentially, if we get such a request, we simply blank out their name to a "'". That fulfills the requirement, and allows us to continue to expose posixAccount.
We leave the 'cn' alone, but set a flag (FERPA) to True. This causes the server to return 'cn' (and other personal information) only to the bound user or certain administrative users. The lack of 'cn' has no effect on Mac OS X's use of posixAccount, nor any other implementation that I have experience with. I suspect that MUST 'cn' is a bug in the definition of posixAccount -- it doesn't really make sense that it's required. I can see why 'cn' is MUST for posixGroup. Does the password file require a name?
Seems reasonable if you are going to use the same database with more
secure access for other purposes. Is the FERPA flag restriction
enforced by access rules under slapd or some other mechanism when
loading the data into the ldap server?
My testing with OS X indicates that you really do not need cn. I have
been able to get by with uid, uidNumber, gidNumber and homeDirectory
(though I did map RealName to uid). Actually if everyone has the same
primary gidNumber you might save a query on Mac OS X by using #501 or
whatever as a static map. One might also be able to map NFSHome to
/Users/$uid$ or the like and really go with only uid and uidNumber
exposed but that would also require clever planning ahead of time :-).
Everette Gray Allen Systems Programmer II
ITD Computing Services Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109
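The question above asks whether the FERPA flag restriction is enforced by slapd access rules. The following slapd.conf fragment is an added example of how such a rule could be written with OpenLDAP's own ACL syntax; it is not configuration from any poster on this thread or from the OpenLDAP project. The attribute name `ferpaFlag`, the suffix `dc=example,dc=edu`, and the group `cn=registrar-admins,ou=groups,dc=example,dc=edu` are assumed names chosen for illustration.

```conf
# Added example (not from the thread): hide name attributes on entries that
# carry a hypothetical ferpaFlag=TRUE, while leaving posixAccount usable.
#
# slapd evaluates "access to" clauses in order and uses the FIRST clause
# whose <what> part matches the entry/attribute being requested, so this
# FERPA-specific clause must appear BEFORE any general rule for cn/gecos.

# Entries flagged ferpaFlag=TRUE (assumed attribute): only the user
# themselves and a registrar admin group may read the name attributes.
# gecos is included because it usually repeats the full name.
access to filter=(ferpaFlag=TRUE) attrs=cn,gecos,displayName
        by self read
        by group="cn=registrar-admins,ou=groups,dc=example,dc=edu" read
        by * none

# Everyone else's name attributes stay readable, as before.
access to attrs=cn,gecos,displayName
        by * read

# The attributes Mac OS X (and NSS/PAM clients) actually need to resolve
# a user remain readable for all entries, flagged or not.
access to attrs=uid,uidNumber,gidNumber,homeDirectory,loginShell,objectClass,entry
        by * read

# Passwords: only the owner may write, and nothing may read the hash;
# "auth" lets slapd compare it during a simple bind.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Catch-all for anything not matched above.
access to *
        by * read
```

Two points worth checking after applying a rule like this: because `by self` matches only when the bound DN is exactly the entry's DN, a search performed anonymously (as a Mac OS X client typically does) will see the flagged entry without `cn`, which is the behaviour the thread reports is harmless for posixAccount lookups; and the restriction only works if every attribute that carries the name is listed, so any locally added name-bearing attributes need to be added to the `attrs=` list as well.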