
Re: OpenLDAP and "reverse" wildcards

Howard Chu wrote:

> Yes, most of the logic belongs in the application, but you can get some help from LDAP if you design your DIT properly.


From my (limited) experience, the answer is always: the DIT has already been designed with other needs in mind, so it is a constraint rather than an opportunity. For which is which, I concur that your suggestion would make things naturally simple as they should be, but it requires:

- to change the DIT design

- to change the logic of the client and provisioning applications

so it looks much easier to hack the process in between.


> Remember that a directory is a hierarchical name space; if you don't take advantage of that fact then you may as well just use an RDBMS.
>
> Telephone numbers are also a hierarchical name space; there's a natural mapping that makes this problem simple:
>
> Given a user with subscriber number xxx-yyyyy just split the number into two components:
>
> Make the application always transform its lookups to match this naming scheme. Then, for users who are "local" to the system, you do a base search on exactly their number. For 123-4567, lookup
>
> If it exists, you get the result back immediately. If the query is 999-12345 and only the prefix exists, then your lookup for
> will fail, and the result will come back with a matchedDN of prefix=999,ou=subscribers,dc=example,dc=com
>
> Then your app just has to look up the matchedDN entry, and proceed from there. "Wildcards" are unnecessary.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
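The prefix/number lookup scheme quoted above, as an added example that is not code from this thread or from OpenLDAP: a small in-memory model of the DIT with the matchedDN fallback, so the control flow of the application side can be seen end to end. The base DN, the entries, the attribute names and the dash-separated number format are all constructed for the example; a real client would read matchedDN from the LDAP result of the failed base search instead of computing it locally.

```python
# Constructed example: an in-memory stand-in for the subscribers subtree.
# Not an LDAP client; it only models base-scope search and matchedDN.
BASE = "ou=subscribers,dc=example,dc=com"

# Constructed entries (DN -> attributes). 123 has a local subscriber, 999 is prefix-only.
DIRECTORY = {
    BASE: {"ou": "subscribers"},
    f"prefix=123,{BASE}": {"prefix": "123", "routeTo": "gw-local"},
    f"number=4567,prefix=123,{BASE}": {"number": "4567", "cn": "Alice Example"},
    f"prefix=999,{BASE}": {"prefix": "999", "routeTo": "gw-trunk"},
}


def number_to_dn(subscriber: str) -> str:
    """Map xxx-yyyyy onto number=yyyyy,prefix=xxx,<base> (the naming scheme from the thread).

    Only digits are accepted so user input can never smuggle extra RDNs or
    DN metacharacters into the DN the application builds."""
    prefix, number = subscriber.split("-", 1)
    if not (prefix.isdigit() and number.isdigit()):
        raise ValueError(f"subscriber number must be digits-digits: {subscriber!r}")
    return f"number={number},prefix={prefix},{BASE}"


def base_search(dn: str):
    """Emulate a base-scope search: return (entry, matchedDN).

    On noSuchObject an LDAP server reports the longest existing suffix of the
    requested DN as matchedDN (RFC 4511); that is what the fallback relies on.
    Splitting on ',' is safe here because number_to_dn only emits digit RDNs."""
    if dn in DIRECTORY:
        return DIRECTORY[dn], dn
    rdns = dn.split(",")
    for i in range(1, len(rdns)):
        suffix = ",".join(rdns[i:])
        if suffix in DIRECTORY:
            return None, suffix
    return None, ""


def resolve(subscriber: str):
    """Exact entry for a local subscriber, else the prefix entry named by matchedDN.

    Returns (kind, dn, entry) with kind in {"exact", "prefix", "none"}."""
    dn = number_to_dn(subscriber)
    entry, matched = base_search(dn)
    if entry is not None:
        return "exact", dn, entry
    if matched and matched != BASE:  # matchedDN of just the base means no prefix either
        return "prefix", matched, DIRECTORY[matched]
    return "none", matched, None
```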