Re: OpenLDAP and "reverse" wildcards
Howard Chu wrote:
> Yes, most of the logic belongs in the application, but you can get some
> help from LDAP if you design your DIT properly.
from my (limited) experience, the answer is always: the DIT has already
been designed with other needs in mind, so it is a constraint rather
than an opportunity. For which is which, I concur that your suggestion would
make things naturally simple, as they should be, but it requires:
- changing the DIT design
- changing the logic of the client and provisioning applications
so it looks much easier to hack the process in between.
> Remember that a directory is a hierarchical name space; if you don't
> take advantage of that fact then you may as well just use an RDBMS.
> Telephone numbers are also a hierarchical name space; there's a natural
> mapping that makes this problem simple:
> Given a user with subscriber number xxx-yyyyy just split the number into
> Make the application always transform its lookups to match this naming
> scheme. Then, for users who are "local" to the system, you do a base
> search on exactly their number. For 123-4567, lookup
> If it exists, you get the result back immediately. If the query is
> 999-12345 and only the prefix exists, then your lookup for
> will fail, and the result will come back with a matchedDN of
> Then your app just has to look up the matchedDN entry, and proceed from
> there. "Wildcards" are unnecessary.
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
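The base-search-then-matchedDN flow from the quoted message, as an added example that is not part of this thread and not OpenLDAP code: an in-memory model of the hierarchical DIT, the server-side rule that makes matchedDN the longest existing ancestor of a requested DN (what a noSuchObject result, LDAP result code 32, carries per RFC 4511), and the client logic that first does an exact base search and then proceeds from the matchedDN entry. The exact DNs in the original message did not survive extraction, so the naming scheme below (`telephoneNumber=yyyyy,ou=xxx,ou=numbers,dc=example,dc=com`) and the sample entries are assumptions; `number_to_dn` also rejects anything that is not digits on both sides of the dash, so untrusted lookup input cannot smuggle extra RDNs into the constructed DN.

```python
# Added example, not code from the thread or from OpenLDAP: an in-memory model
# of the hierarchical DIT described above, plus the client-side lookup that
# does a base-scope search and falls back to the matchedDN of a noSuchObject
# result (LDAP result code 32, RFC 4511). The naming scheme is an ASSUMPTION,
# since the original message's DNs did not survive extraction:
#   prefix xxx        -> ou=xxx,ou=numbers,dc=example,dc=com
#   number xxx-yyyyy  -> telephoneNumber=yyyyy,ou=xxx,ou=numbers,dc=example,dc=com

SUFFIX = "ou=numbers,dc=example,dc=com"   # assumed container for all prefixes


class NoSuchObject(Exception):
    """Emulates LDAP resultCode 32; carries the matchedDN the server returns."""

    def __init__(self, matched_dn: str):
        super().__init__(f"noSuchObject (matchedDN={matched_dn!r})")
        self.matched_dn = matched_dn


def number_to_dn(number: str) -> str:
    """Map 'xxx-yyyyy' onto the assumed hierarchical DN. Only digits are
    accepted on either side, so untrusted input cannot inject extra RDNs."""
    prefix, _, subscriber = number.partition("-")
    if not (prefix.isdigit() and subscriber.isdigit()):
        raise ValueError(f"malformed subscriber number: {number!r}")
    return f"telephoneNumber={subscriber},ou={prefix},{SUFFIX}"


def parent_dn(dn: str) -> str:
    """Strip the leftmost RDN. The assumed scheme contains no escaped commas."""
    _, sep, rest = dn.partition(",")
    return rest if sep else ""


def base_search(dit: dict, dn: str) -> dict:
    """Emulate a base-scope search: return the entry, or raise NoSuchObject
    with matchedDN set to the longest existing ancestor of the requested DN."""
    if dn in dit:
        return dit[dn]
    ancestor = parent_dn(dn)
    while ancestor and ancestor not in dit:
        ancestor = parent_dn(ancestor)
    raise NoSuchObject(ancestor)


def resolve(dit: dict, number: str) -> dict:
    """Application logic from the thread: exact base search first; on
    noSuchObject, read the matchedDN entry and proceed from there."""
    dn = number_to_dn(number)
    try:
        entry = base_search(dit, dn)
        return {"requested": dn, "matched": dn, "exact": True, "entry": entry}
    except NoSuchObject as err:
        matched = err.matched_dn
        # matchedDN no deeper than the container means even the prefix is unknown
        if matched in ("", SUFFIX):
            return {"requested": dn, "matched": matched, "exact": False, "entry": None}
        return {"requested": dn, "matched": matched, "exact": False,
                "entry": base_search(dit, matched)}


# Constructed sample DIT: one local prefix with a subscriber, one prefix-only entry.
SAMPLE_DIT = {
    SUFFIX: {"objectClass": ["organizationalUnit"], "ou": ["numbers"]},
    f"ou=123,{SUFFIX}": {"objectClass": ["organizationalUnit"], "ou": ["123"],
                         "description": ["local prefix"]},
    f"telephoneNumber=4567,ou=123,{SUFFIX}": {
        "objectClass": ["person"], "cn": ["Alice"], "telephoneNumber": ["4567"]},
    f"ou=999,{SUFFIX}": {"objectClass": ["organizationalUnit"], "ou": ["999"],
                         "description": ["remote prefix"]},
}

if __name__ == "__main__":
    for num in ("123-4567", "999-12345", "555-0000"):
        r = resolve(SAMPLE_DIT, num)
        print(num, "exact" if r["exact"] else "fallback", r["matched"] or "(none)")
```

Against a real server the same behaviour is visible with `ldapsearch -s base -b <dn>`: a missing entry yields `result: 32 No such object` together with a `matchedDN:` line, which is the value the application reads instead of issuing any wildcard search. The `entry is None` branch covers the case the thread does not spell out, a number whose prefix is not provisioned at all, where matchedDN climbs back to the container and the application has nothing to proceed from.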