On 6/6/22 06:06, Lucio De Re wrote:
> Second, though, I'd like to point out that as it stands OpenLDAP does (or seems to, I'm no expert) support the specifications tightly and that is a good thing. Those who care about this, perhaps a dwindling community of old-fashioned developers, will hopefully agree with me and consider this an opportunity to test clients for compliance, which would be more difficult if the standards are relaxed.
> So I disagree with Felix that this is a show stopper and recommend staying within the boundaries of the standards as far as possible,
Which particular standard are you referring to?
AFAIK no standard mandates returning 'memberOf' values normalized to lower-case. I'd even argue that there's no standard defining 'memberOf' values in particular.
There is only RFC 4517 defining matching-rule distinguishedNameMatch which Quanah is referring to:
https://datatracker.ietf.org/doc/html/rfc4517#section-4.2.15
But on the other hand there's e.g. the POSIX standard defining POSIX "names" to be case-sensitive, which is relevant when using the posixGroup definition from RFC2307bis.
Like it or not, for strictly matching POSIX group names you *must* distinguish these values no matter what the LDAP matching rule says:
memberOf: cn=Foo,ou=1,dc=example,dc=com
memberOf: cn=foo,ou=2,dc=example,dc=com
(note the different parent DNs)
=> Think twice before wiping Felix' request away and choose your poison.
For new deployments: Strictly use lower-cased user and group names for everything resulting in a POSIX name to avoid any of those "standards" conflicts. That's what I'm doing with Æ-DIR.
Ciao, Michael.
P.S.: Does anybody here remember Mark's DBIS effort? He addressed this conflict by defining his own schema:
https://ldapcon.org/2015/accepted-papers/dbis-directory-based-information-se...
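The conflict Michael describes, as an added example that is not part of the thread or of OpenLDAP: RFC 4517 distinguishedNameMatch compares the cn values of two DNs case-insensitively, while the POSIX group name taken from the same cn is case-sensitive, so lower-casing memberOf values silently merges groups. The DN parser is a deliberate simplification (single-valued RDNs, only backslash-escaped commas) and the sample memberOf values are constructed; the final function is the kind of pre-deployment check the "strictly use lower-cased names" advice implies.

```python
import re

# Constructed sample memberOf values (not from any real directory).
MEMBER_OF = [
    "cn=Foo,ou=1,dc=example,dc=com",
    "cn=foo,ou=2,dc=example,dc=com",
    "cn=Foo,ou=2,dc=example,dc=com",
]


def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, leftmost first.
    Simplified parser (assumption): no multi-valued RDNs, and the only
    escape handled is a backslash-escaped comma inside a value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def dn_match(dn1, dn2):
    """distinguishedNameMatch (RFC 4517, 4.2.15) for DNs built only from
    attributes whose equality rule is caseIgnoreMatch (cn, ou, dc):
    same number of RDNs, same attribute types, values compared ignoring case."""
    a, b = split_dn(dn1), split_dn(dn2)
    return len(a) == len(b) and all(
        x[0] == y[0] and x[1].casefold() == y[1].casefold() for x, y in zip(a, b)
    )


def posix_group_name(member_of_dn):
    """POSIX group name as RFC2307bis-style clients derive it: the leftmost
    cn value, taken verbatim, because POSIX names are case-sensitive."""
    attr, value = split_dn(member_of_dn)[0]
    if attr != "cn":
        raise ValueError("leftmost RDN is not cn: %s" % member_of_dn)
    return value


def case_collisions(member_of_values):
    """Defensive check: POSIX group names that would be merged if the
    memberOf values were normalized to lower-case. Returns
    {lowercased name: {distinct original spellings}} for each collision."""
    seen = {}
    for dn in member_of_values:
        name = posix_group_name(dn)
        seen.setdefault(name.lower(), set()).add(name)
    return {k: v for k, v in seen.items() if len(v) > 1}
```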