Hi, I know that openldap usage behaviour is case insensitive. In my case a client use ldap attribute values in a case sensitive way.
I've noticed that the memberOf value is created by the overlay using the DN case used in the query and not the DN case read from the database, I mean:
dn: cn=test,ou=LOCAL,dc=example,dc=org changetype: modify replace: member member: uid=123,ou=people,dc=example,dc=org
will create a memberOf: cn=test,ou=LOCAL,dc=example,dc=org attribute.
dn: cn=test,ou=local,dc=example,dc=org changetype: modify replace: member member: uid=123,ou=people,dc=example,dc=org
will create a memberOf: cn=test,ou=local,dc=example,dc=org attribute.
The case of OU entry in the database is not considered and the values case depends on the writer client.
I'm wondering if this's a known and desidered behaviour and I should deal with it or there's a chance to change it.
Matteo Perego wrote:
Hi, I know that openldap usage behaviour is case insensitive.
False. OpenLDAP conforms to the schema. If an attribute is defined to be case-insensitive in the schema, then it will be treated as such. If it is defined to be case-sensitive, that will also be done.
In my case a client use ldap attribute values in a case sensitive way.
Your client should use attributes that are actually defined as case sensitive then. Fix your schema or fix your clients.
Howard Chu wrote:
Matteo Perego wrote:
Hi, I know that openldap usage behaviour is case insensitive.
False. OpenLDAP conforms to the schema. If an attribute is defined to be case-insensitive in the schema, then it will be treated as such. If it is defined to be case-sensitive, that will also be done.
In my case a client use ldap attribute values in a case sensitive way.
Your client should use attributes that are actually defined as case sensitive then. Fix your schema or fix your clients.
The case-sensitive vs. case-insensitive discussions are often very misleading: In general one has to distinguish matching/comparing (when searching) from storing (add/modify/modrdn).
For the original poster:
Even if the attribute type description declares case-insensitive matching rules for matching/comparing OpenLDAP always behaves case-preserving when storing attribute values. Actually this is a good thing: You can correct "matteo" to "Matteo" even though both will result in the same match during searching.
In case of DNs matching is a bit more complex. The matching is done component by component as defined here:
http://tools.ietf.org/html/rfc4517#section-4.2.15
LDAP applications have to be prepared to handle case-sensitive vs. case-sensitive matching but should also support case-preserving when sending data. Furthermore applications should handle DNs as opaque and avoid matching them at the client-side if not capable to do it fully right with complete schema knowledge.
To Howard:
If I understand the original posting correctly in this particular case slapo-memberof uses the DN value of the modify request instead of the DN value of the real entry in the database as attribute value for 'memberOf'.
Indeed this raises an interesting question regarding *which* case to preserve when storing the 'memberOf' attribute value. It's not necessarily right to take it from the modify request because values in 'memberOf' and the real DN can differ.
Ciao, Michael.
Il 26/02/2014 22:14, Michael Ströder ha scritto:
If I understand the original posting correctly in this particular case slapo-memberof uses the DN value of the modify request instead of the DN value of the real entry in the database as attribute value for 'memberOf'.
Indeed this raises an interesting question regarding *which* case to preserve when storing the 'memberOf' attribute value. It's not necessarily right to take it from the modify request because values in 'memberOf' and the real DN can differ.
Ciao, Michael.
Hi Michael, that's what I meant. In my case, indeed, I need to read a consistent case memberOf value, so I should ensure that all the writers uses the correct DN case during the group MODs or that the reader can modify the read value case.
Ciao, Matteo
openldap-technical@openldap.org
-
Howard Chu -
Matteo Perego -
Michael Ströder