Erwann Abalea wrote:
2015-02-27 22:10 GMT+01:00 Bram Cymet bcymet@cbnco.com:
I am using openldap 2.4.26. My system ignores case when doing binds:
Feb 27 16:08:08 devauth slapd[2437]: conn=2723 op=1 BIND dn="uid=Bcymet@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
Feb 27 16:08:08 devauth slapd[2437]: => bdb_entry_get: found entry: "uid=bcymet@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn"
So this happily binds with bcymet@cbnco.com or Bcymet@cbnco.com and returns the same entry.
That's because the "uid" attribute type is case insensitive. Taken from RFC4519:
( 0.9.2342.19200300.100.1.1 NAME 'uid' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
Let's rephrase: The default equality matching rule used for 'uid' is case-insensitive, which is also used to determine whether two DNs are equal.
Is this a configuration error on my part? Is it possible to have case sensitive binds and if so what do I have to change?
You could define your own attribute type and declare another matching rule for it (caseExactMatch, for example). And use this attribute instead of "uid". Or consider that "BCYMET@CBNCO.COM" is the same as "bcymet@cbnco.com", just louder.
I'd also suggest the easy solution: Normalize all user names to lower-case. One can also use slapo-constraint to enforce lower case values e.g. with a regex-constraint.
But maybe the original poster should elaborate on his requirements and also mention the client software used.
Ciao, Michael.
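
The behaviour discussed in this thread, as an added Python illustration (not part of the original messages and not OpenLDAP code): DN equality follows each attribute's EQUALITY matching rule, so the two DNs from the log name the same entry, while an attribute declared with caseExactMatch would keep them apart. Assumptions: the attribute `loginExact` and its `PLACEHOLDER-OID` are hypothetical, value normalization is reduced to whitespace and case handling, DNs have single-valued RDNs without escaped commas, and the lower-case regex is one possible pattern for a regex constraint.

```python
import re

# 'uid' definition as quoted in the thread (RFC 4519).
UID_DEF = ("( 0.9.2342.19200300.100.1.1 NAME 'uid' EQUALITY caseIgnoreMatch "
           "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )")
# Hypothetical custom attribute with a case-sensitive rule; OID is a placeholder.
EXACT_DEF = ("( PLACEHOLDER-OID NAME 'loginExact' EQUALITY caseExactMatch "
             "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )")

def squeeze(value):
    """Trim and collapse runs of spaces (simplified string preparation)."""
    return " ".join(value.split())

# Simplified per-rule normalizers; a real server does full Unicode preparation.
NORMALIZERS = {"caseIgnoreMatch": lambda v: squeeze(v).lower(),
               "caseExactMatch": squeeze}

def equality_rules(*schema_defs):
    """Map each attribute NAME (lower-cased) to its EQUALITY matching rule."""
    rules = {}
    for definition in schema_defs:
        name = re.search(r"NAME\s+'([^']+)'", definition).group(1)
        rules[name.lower()] = re.search(r"EQUALITY\s+(\S+)", definition).group(1)
    return rules

def normalize_dn(dn, rules):
    """Normalize a DN one RDN at a time using each attribute's equality rule."""
    normalized = []
    for rdn in dn.split(","):
        attr, value = rdn.split("=", 1)
        attr = attr.strip().lower()
        # Assumption: attributes not listed (ou, dc here) match case-insensitively.
        rule = rules.get(attr, "caseIgnoreMatch")
        normalized.append((attr, NORMALIZERS[rule](value)))
    return tuple(normalized)

def same_entry(dn_a, dn_b, rules):
    """True when both DNs are equal under the matching rules, as in a bind lookup."""
    return normalize_dn(dn_a, rules) == normalize_dn(dn_b, rules)

# Assumed pattern for a lower-case-only regex constraint on user names.
LOWER_ONLY = re.compile(r"[a-z0-9@._-]+")

def passes_lowercase_constraint(value):
    """True when the value would be accepted by the lower-case constraint."""
    return LOWER_ONLY.fullmatch(value) is not None

if __name__ == "__main__":
    base = "ou=test_websales_users,dc=ls,dc=cbn"
    rules = equality_rules(UID_DEF, EXACT_DEF)
    print(same_entry("uid=Bcymet@cbnco.com," + base, "uid=bcymet@cbnco.com," + base, rules))
```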