[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: memberOf values case

To: Howard Chu <hyc@symas.com>, Matteo Perego <matteo.perego@xego.it>, openldap-technical@openldap.org
Subject: Re: memberOf values case
From: Michael StrÃder <michael@stroeder.com>
Date: Wed, 26 Feb 2014 22:14:56 +0100
In-reply-to: <530E2741.2050900@symas.com>
References: <530DE7B1.4000200@xego.it> <530E2741.2050900@symas.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0 SeaMonkey/2.24

Howard Chu wrote:
> Matteo Perego wrote:
>> Hi,
>> I know that openldap usage behaviour is case insensitive.
> 
> False. OpenLDAP conforms to the schema. If an attribute is defined to be
> case-insensitive in the schema, then it will be treated as such. If it is
> defined to be case-sensitive, that will also be done.
> 
>> In my case a client use ldap attribute values in a case sensitive way.
> 
> Your client should use attributes that are actually defined as case sensitive
> then. Fix your schema or fix your clients.

The case-sensitive vs. case-insensitive discussions are often very misleading:
In general one has to distinguish matching/comparing (when searching) from
storing (add/modify/modrdn).

For the original poster:

Even if the attribute type description declares case-insensitive matching
rules for matching/comparing OpenLDAP always behaves case-preserving when
storing attribute values. Actually this is a good thing: You can correct
"matteo" to "Matteo" even though both will result in the same match during
searching.

In case of DNs matching is a bit more complex. The matching is done component
by component as defined here:

http://tools.ietf.org/html/rfc4517#section-4.2.15

LDAP applications have to be prepared to handle case-sensitive vs.
case-sensitive matching but should also support case-preserving when sending
data. Furthermore applications should handle DNs as opaque and avoid matching
them at the client-side if not capable to do it fully right with complete
schema knowledge.

To Howard:

If I understand the original posting correctly in this particular case
slapo-memberof uses the DN value of the modify request instead of the DN value
of the real entry in the database as attribute value for 'memberOf'.

Indeed this raises an interesting question regarding *which* case to preserve
when storing the 'memberOf' attribute value. It's not necessarily right to
take it from the modify request because values in 'memberOf' and the real DN
can differ.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- Re: memberOf values case
  - From: Matteo Perego <matteo.perego@xego.it>

References:
- memberOf values case
  - From: Matteo Perego <matteo.perego@xego.it>
- Re: memberOf values case
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
Next by Date: Re: Not able to authenticate Windows and MAC client
Index(es):
- Chronological
- Thread