On Mon, May 19, 2003 at 08:14:46PM +0200, Peter Marschall wrote:
> On Monday 19 May 2003 19:05, Steve Langasek wrote:
> > On Mon, May 19, 2003 at 01:53:24PM +0200, Hallvard B Furuseth wrote:
> > > > Samba is passing on what Windows passes to it, so I'm not sure Samba
> > > > is broken, it's asking ldap if user " xxx" can authenticate with
> > > > credentials y and ldap's saying yes user "xxx" can authenticate with
> > > > credentials y. I don't see that " xxx" == "xxx"
> > > Most LDAP matching rules ignore initial and trailing space, and treat
> > > multiple spaces as a single space. If Samba is using an attribute with
> > > caseignoreMatch for values where initial space makes a difference, Samba
> > > is broken. It should then be using octet strings and OctetStringMatch
> > > or something like that.
> > Er, that's not a particularly useful recommendation when the attribute
> > Samba needs to match on is 'uid', as used by many other schemas,
> > 'posixAccount' among them. The real question is, why is Windows sending
> > a username with leading spaces, and why is it desirable for such a
> > username to NOT match the username in the directory that does not have
> > leading spaces? Are there really multiple users in the directory whose
> > uids differ only in terms of leading whitespace? Having Samba use its
> > own non-standard attribs won't help much with the fact that LDAP thinks
> > there are two unix users with the same name.
> It may not sound useful at a first glance, but it is the only one that may
> work in the long term if Samba needs to distinguish between " johndoe"
> and "johndoe".

*Samba* does not need to distinguish between them unless *the local system* needs to distinguish between them. Samba's concept of user identities should in all cases directly match that of the underlying Unix system; and if LDAP with posixAccounts can't meaningfully distinguish between two usernames when used as an NSS backend, why should it be expected to work in Samba, either?

I unfortunately cannot speak to whether Windows treats leading whitespace as meaningful in usernames, because frankly, I've never heard of anyone doing this and can't think of any good reason *to* do this. And while Windows 2000 with AD does use LDAP, I know their schema diverges from the RFCs in a number of areas, so I can't even be certain that this isn't one of them. Regardless, if Windows accepts such usernames as unique but LDAP doesn't, it's a system policy bug -- not a software bug.

-- 
Steve Langasek
postmodern programmer
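The matching-rule behaviour discussed in this thread, as an added illustration that is not part of the original messages: a simplified model of caseIgnoreMatch string preparation (case folding plus insignificant-space handling, as later codified in RFC 4518) next to octetStringMatch, with a check that flags a presented name which matches a directory uid only because of the matching rule. The uids and the presented names are constructed sample values.

```python
import re
import unicodedata


def case_ignore_prepare(value: str) -> str:
    """Approximate caseIgnoreMatch preparation: case-fold, drop leading and
    trailing spaces, collapse runs of spaces to one.  Simplified model: the
    real algorithm also maps control characters and other Unicode spaces."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return re.sub(r" +", " ", folded).strip(" ")


def case_ignore_match(assertion: str, stored: str) -> bool:
    """Equality under caseIgnoreMatch: ' johndoe' and 'JohnDoe' both match 'johndoe'."""
    return case_ignore_prepare(assertion) == case_ignore_prepare(stored)


def octet_string_match(assertion: str, stored: str) -> bool:
    """Equality under octetStringMatch: byte-for-byte, no normalisation at all."""
    return assertion.encode("utf-8") == stored.encode("utf-8")


def lookup_uid(directory_uids: list, presented: str) -> list:
    """Stored uids an LDAP server evaluating (uid=<presented>) would return
    when the uid attribute uses caseIgnoreMatch."""
    return [uid for uid in directory_uids if case_ignore_match(presented, uid)]


def identity_drift(directory_uids: list, presented: str) -> list:
    """Pairs (presented, stored) where the match succeeded only because the
    matching rule discarded a difference (here: whitespace or case).  A
    consumer that passes the presented string on to the OS would otherwise
    hand out a name the directory does not literally contain."""
    return [
        (presented, uid)
        for uid in lookup_uid(directory_uids, presented)
        if not octet_string_match(presented, uid)
    ]


# Constructed sample directory: posixAccount-style uids.
SAMPLE_UIDS = ["johndoe", "xxx", "alice"]

if __name__ == "__main__":
    for name in [" johndoe", "johndoe", "  XXX ", "bob"]:
        print(repr(name), "->", lookup_uid(SAMPLE_UIDS, name), identity_drift(SAMPLE_UIDS, name))
```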