In Samba4, I currently have a module that creates and maintains the 'name' attribute for our AD look-alike. Unlike in other systems, where this is related to 'cn', in AD this is always the relative distinguished name.
I wondered if it might be possible (by some extended matching of some kind) to transform a search of 'name=foo' into something that does not require the manual maintenance of a samba4RDN attribute?
(such a matching might then avoid problems if, in future, we allow clients direct access to the backend).
Any thoughts?
Andrew Bartlett
Andrew Bartlett wrote:
> In Samba4, I currently have a module that creates and maintains the 'name' attribute for our AD look-alike. Unlike in other systems, where this is related to 'cn', in AD this is always the relative distinguished name.
> I wondered if it might be possible (by some extended matching of some kind) to transform a search of 'name=foo' into something that does not require the manual maintenance of a samba4RDN attribute?
> (such a matching might then avoid problems if, in future, we allow clients direct access to the backend).
Do you mean that 'name=foo' will match any entry whose distinguished value is 'foo' regardless of the naming attribute? In that case, the only possibility I see consists in converting the filter 'name=foo' into something like ':dn:caseIgnoreMatch:=foo' [*], but this would also match all children of an entry whose distinguished value is 'foo' and whose naming attribute complies with case-insensitive directory string matching, so it might not be what you're looking for; then your module would need to further check the search entries to eliminate false positives. I wonder why this ':dn:' extension was added; what you'd need is sort of a ':rdn:' extension that only looks for matches in the relative dn.
p.
[*] I used caseIgnoreMatch because filtering for 'name' implies accepting its equality matching rule.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
openldap-technical@openldap.org
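
The false-positive problem described in the reply above, as an added example that is not part of the original thread and is not Samba4 or OpenLDAP code: it models only the DN-component side of a ':dn:caseIgnoreMatch:=foo' search and the post-filter that keeps entries whose own RDN matches. The function names and sample DNs are constructed for illustration, caseIgnoreMatch is approximated by case folding plus whitespace collapsing, and hex escapes such as \2C are not handled.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, treating a backslash-escaped separator as data."""
    return re.findall(r"(?:\\.|[^%s\\])+" % re.escape(sep), text)

def unescape(value):
    """Drop single-character backslash escapes (hex pairs are not handled)."""
    return re.sub(r"\\(.)", r"\1", value)

def normalize(value):
    """Approximation of caseIgnoreMatch: fold case, collapse whitespace."""
    return " ".join(value.split()).casefold()

def dn_values(dn):
    """Return the DN as a list of RDNs, each a list of (attr, value) pairs."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, _, value = ava.partition("=")
            avas.append((attr.strip().lower(), unescape(value.strip())))
        rdns.append(avas)
    return rdns

def dn_match(dn, wanted):
    """DN-component part of ':dn:caseIgnoreMatch:=wanted': any RDN may match."""
    want = normalize(wanted)
    return any(normalize(v) == want for rdn in dn_values(dn) for _, v in rdn)

def rdn_match(dn, wanted):
    """Post-filter: only the entry's own (leftmost) RDN is considered."""
    want = normalize(wanted)
    own_rdn = (dn_values(dn) or [[]])[0]
    return any(normalize(v) == want for _, v in own_rdn)

def false_positives(dns, wanted):
    """Entries the ':dn:' match returns that a 'name=wanted' search must not."""
    return [dn for dn in dns if dn_match(dn, wanted) and not rdn_match(dn, wanted)]

# Constructed sample DNs.
SAMPLE_DNS = [
    "cn=foo,dc=example,dc=com",
    "ou=Foo,dc=example,dc=com",          # different naming attribute
    "cn=bar,cn=foo,dc=example,dc=com",   # child of cn=foo
    "cn=foo\\, inc,dc=example,dc=com",   # distinguished value is "foo, inc"
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn, dn_match(dn, "foo"), rdn_match(dn, "foo"))
```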