[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Case Sensitive Binds

Erwann Abalea wrote:
> 2015-02-27 22:10 GMT+01:00 Bram Cymet <bcymet@cbnco.com>:
>> I am using openldap 2.4.26. My system ignores case when doing binds:
>> Feb 27 16:08:08 devauth slapd[2437]: conn=2723 op=1 BIND
>> dn="uid=Bcymet@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
>> Feb 27 16:08:08 devauth slapd[2437]: => bdb_entry_get: found entry:
>> "uid=bcymet@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn"
>> So this happily binds with bcymet@cbnco.com or Bcymet@cbnco.com and
>> returns the same entry.
> That's because the "uid" attribute type is case insensitive.
> Taken from RFC4519:
> ( 0.9.2342.19200300.100.1.1 NAME 'uid'
>          EQUALITY caseIgnoreMatch
>          SUBSTR caseIgnoreSubstringsMatch
>          SYNTAX )

Let's rephrase: The default equality matching rule used for 'uid' is
case-insensitive which is also used to determine whether two DNs are equal.

>> Is this a configuration error on my part? Is it possible to have case
>> sensitive binds and if so what do I have to change?
> You could define your own attribute type and declare another matching rule
> for it (caseExactMatch, for example). And use this attribute instead of
> "uid".
> Or consider that "BCYMET@CBNCO.COM" is the same "bcymet@cbnco.com", just
> louder.

I'd also suggest the easy solution:
Normalize all user names to lower-case. One can also use slapo-constraint to
enforce lower case values e.g. with a regex-constraint.

But maybe the original poster should elaborate on his requirements and also
mention the client software used.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature