G'Day Kurt
Yes, RFC 2307 is restrictive re: limiting the legal character set for the nisNetgroupTripleSyntax values to a "keystring" (ref: RFC 2252).
What I find irksome probably boils down to: since LDAP was originally designed to gateway requests to X.500 servers, the character set of an IA5String should be legal. (RFC 2307, section 2.4, X.500 nisNetgroupTripleSyntax)
With the added twist of the knife that underscores are legal in the user CNs when doing the nisMapName=netgroup.byuser
Note: OS specific "bad chars" still need to be taken into account by the implementer.
Since the "nisNetgroupTripleSyntax" is unlikely to change from "keystring" to IA5String in the near future for OpenLDAP, I think I'll have to consider our options re: netgroup configuration and use.
Regards IT Manager 2
Kurt D. Zeilenga wrote:
At 09:26 PM 11/12/2006, temp1@ips.gov.au wrote:
Full_Name: IT Manager 2
Version: 2.3 & 2.4
OS: FreeBSD 6.2-PRERELEASE #0: Thu Oct 19 11:23:22 EST 2006
URL:
Submission from: (NULL) (220.233.132.66)

Src ./servers/slapd/schema_init.c
Function nisNetgroupTripleValidate
Fails validate of NIS Netgroup triplet when an underscore is used in a username, hostname or domainname.
I believe this is the intended behavior.
Which is allowable ie username bad chars are " ,\t:+&#%$^()!@~*?<>=|\/"".
RFC 2307 is more restrictive.
suggest change line
    } else if ( !AD_CHAR( *p ) ) {
to
    } else if ( !(AD_CHAR( *p ) || (*p) == '_' ) ) {
Regards IT Manager 2
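
The check discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP's code. It assumes the triple grammar of RFC 2307 section 2.4 with each field being empty, "-", or an RFC 2252 keystring (a letter, then letters, digits, '-' or ';'); the function names and the sample triples are constructed for illustration, and OpenLDAP's AD_CHAR macro is not reproduced.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: one field is "" / "-" / keystring.
 * allow_underscore models the relaxation proposed in the report;
 * the first character must still be a letter (assumption). */
static int field_ok(const char *s, size_t len, int allow_underscore)
{
    size_t i;
    if (len == 0 || (len == 1 && s[0] == '-'))
        return 1;
    if (!isalpha((unsigned char)s[0]))
        return 0;
    for (i = 1; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == ';' ||
              (allow_underscore && c == '_')))
            return 0;
    }
    return 1;
}

/* Returns 1 when triple is "(" field "," field "," field ")". */
int netgroup_triple_ok(const char *triple, int allow_underscore)
{
    size_t len = strlen(triple), start = 1, i;
    int fields = 0;
    if (len < 4 || triple[0] != '(' || triple[len - 1] != ')')
        return 0;
    for (i = 1; i < len; i++) {
        if (triple[i] == ',' || i == len - 1) {
            if (!field_ok(triple + start, i - start, allow_underscore))
                return 0;
            fields++;
            start = i + 1;
        }
    }
    return fields == 3;
}

int main(void)
{
    /* Constructed sample values, not taken from the report. */
    const char *samples[] = { "(host1,alice,example)", "(host1,web_admin,example)" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-28s strict=%d relaxed=%d\n", samples[i],
               netgroup_triple_ok(samples[i], 0), netgroup_triple_ok(samples[i], 1));
    return 0;
}
```

Running the strict mode over existing netgroup data before loading it shows which entries a server enforcing the RFC 2307 syntax would reject.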