Erwann Abalea wrote:
> 2015-02-27 22:10 GMT+01:00 Bram Cymet <bcymet@cbnco.com>:
>>
>> I am using openldap 2.4.26. My system ignores case when doing binds:
>>
>> Feb 27 16:08:08 devauth slapd[2437]: conn=2723 op=1 BIND
>> dn="uid=Bcymet@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
>> Feb 27 16:08:08 devauth slapd[2437]: => bdb_entry_get: found entry:
>> "uid=bcymet@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn"
>>
>> So this happily binds with bcymet@cbnco.com or Bcymet@cbnco.com and
>> returns the same entry.
>
> That's because the "uid" attribute type is case insensitive.
> Taken from RFC4519:
>
> ( 0.9.2342.19200300.100.1.1 NAME 'uid'
>   EQUALITY caseIgnoreMatch
>   SUBSTR caseIgnoreSubstringsMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

Let's rephrase:
The default equality matching rule used for 'uid' is case-insensitive which
is also used to determine whether two DNs are equal.

>> Is this a configuration error on my part? Is it possible to have case
>> sensitive binds and if so what do I have to change?
>
> You could define your own attribute type and declare another matching rule
> for it (caseExactMatch, for example). And use this attribute instead of
> "uid".
> Or consider that "BCYMET@CBNCO.COM" is the same "bcymet@cbnco.com", just
> louder.

I'd also suggest the easy solution:
Normalize all user names to lower-case.

One can also use slapo-constraint to enforce lower case values e.g. with a
regex-constraint.

But maybe the original poster should elaborate on his requirements and also
mention the client software used.

Ciao, Michael.
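The DN comparison discussed in this thread, as an added example that is not part of the original messages: a simplified model of how the equality matching rule of each RDN attribute decides whether two DNs name the same entry, plus the lower-case normalization a client can apply before it uses a login name as a key. The `exactUid` attribute, the function names and the simplified string preparation (single-valued RDNs, no escaped commas) are assumptions made for illustration.

```python
import re

# Equality rule per attribute type. 'uid' is caseIgnoreMatch (RFC 4519, as
# quoted in the thread); 'ou' and 'dc' are case-insensitive as well.
# 'exactuid' is a hypothetical custom attribute declared with caseExactMatch.
EQUALITY = {
    "uid": "caseIgnoreMatch",
    "ou": "caseIgnoreMatch",
    "dc": "caseIgnoreIA5Match",
    "exactuid": "caseExactMatch",
}

def prep(value, rule):
    """Simplified preparation: collapse spaces, fold case for caseIgnore* rules."""
    value = re.sub(r"\s+", " ", value.strip())
    return value.casefold() if rule.startswith("caseIgnore") else value

def normalize_dn(dn):
    """Return (type, prepared value) pairs for a simple DN.
    Assumes single-valued RDNs and no escaped commas."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().lower()  # attribute type names ignore case
        rule = EQUALITY.get(attr, "caseExactMatch")  # unknown type: compare exactly
        rdns.append((attr, prep(value, rule)))
    return tuple(rdns)

def same_entry(dn_a, dn_b):
    """True when both DNs are equal under their attributes' matching rules."""
    return normalize_dn(dn_a) == normalize_dn(dn_b)

def account_key(login):
    """Lower-case a login name before using it as a key (sessions, lockout
    counters, audit records), so one directory entry maps to one key."""
    return login.strip().lower()

# The two DNs from the slapd log lines quoted in the thread.
BIND_DN = "uid=Bcymet@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn"
FOUND_DN = "uid=bcymet@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn"

if __name__ == "__main__":
    print("uid (caseIgnoreMatch):", same_entry(BIND_DN, FOUND_DN))
    print("exactUid (caseExactMatch):",
          same_entry(BIND_DN.replace("uid=", "exactUid="),
                     FOUND_DN.replace("uid=", "exactUid=")))
    print("key:", account_key("Bcymet@cbnco.com"))
```
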