Hi,
I wanted to know what all complex characters can be included for an UID attribute.
I have the following user names (uid).
Please let me know which of the following uid's are invalid -
test_user: IT (LOC) sup_12$ test_user:IT(LOC) test_user-IT test_user IT test_user:IT test_user(IT) test_user.IT test_user/IT test_user/IT test_user#IT test_user*IT test_user@IT
Thanks, Vinay
Vinay,
Vinay Kalkoti wrote on 23.02.2011 09:10:
> I wanted to know what all complex characters can be included for an UID attribute.
> I have the following user names (uid).
> Please let me know which of the following uid's are invalid -
> test_user: IT (LOC) sup_12$ test_user:IT(LOC) test_user-IT test_user IT test_user:IT test_user(IT) test_user.IT test_user/IT test_user/IT test_user#IT test_user*IT test_user@IT
IMHO from the ldap point of view this is all totally valid. As long as it is encoded in UTF-8. According to this http://www.andrew.cmu.edu/user/dd26/ldap.akbkhome.com/attribute/uid.html the syntax of uid is Directory String which does not limit you either.
Your application using uid may or may not have stricter rules than that...
Marc
But, the user account with "test_user:IT" is not able to log in. I have set up an OpenLDAP server and am using OpenLDAP client on SLES machines.
SSH or "su - test_user:IT" fails. I see the following logs in /var/log/messages file.
Feb 23 11:09:41 server sshd[20549]: Invalid user test_user from 10.34.3.94
Feb 23 11:09:44 sverver sshd[20549]: error: PAM: User not known to the underlying authentication module for illegal user test_user from 10.34.3.94
*** Note that the logs just mention test_user instead of test_user:IT
Vinay
Hello, the ":" is a special character for Unix. (E.g. it's the column delimiter in /etc/passwd and friends.) So Unix forbids the usage of ":" in user names.
POSIX defines (http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_...):
--- To be portable across systems conforming to IEEE Std 1003.1-2001, the value is composed of characters from the portable filename character set. ---
This portable character set is defined as (http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_...):
---
The set of characters from which portable filenames are constructed.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 . _ -
The last three characters are the period, underscore, and hyphen characters, respectively.
---
So LDAP allows ":" in uid (because it has DirectoryString syntax) but the application (Unix/POSIX) forbids it.
Regards, Jochen.
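Added example, not part of the original thread or of any poster's code: a check of some of the uid values from the question against the portable filename character set quoted above, together with what a colon-delimited passwd-style record does to each name. The record layout values (numeric ids, home directory, shell) and all function names are constructed for illustration.

```python
import re

# POSIX portable filename character set, as quoted in the message above.
PORTABLE_CHAR = re.compile(r"[A-Za-z0-9._-]")

# Candidate uid values taken from the question in this thread.
CANDIDATES = [
    "test_user-IT", "test_user IT", "test_user:IT", "test_user(IT)",
    "test_user.IT", "test_user/IT", "test_user#IT", "test_user*IT",
    "test_user@IT", "sup_12$",
]

def offending_chars(uid):
    """Characters of uid outside the portable set, in order, without repeats."""
    seen = []
    for ch in uid:
        if not PORTABLE_CHAR.fullmatch(ch) and ch not in seen:
            seen.append(ch)
    return seen

def passwd_line(uid):
    """Render uid as a passwd-style record (constructed field values)."""
    return f"{uid}:x:1000:100::/home/example:/bin/sh"

def parse_passwd(line):
    """Split on every colon, as a consumer of the file does; 7 fields expected."""
    fields = line.split(":")
    return {"name": fields[0], "field_count": len(fields), "ok": len(fields) == 7}

def audit(uids):
    """Map each uid to its portability verdict and its passwd round-trip result."""
    report = {}
    for uid in uids:
        bad = offending_chars(uid)
        parsed = parse_passwd(passwd_line(uid))
        report[uid] = {
            "portable": not bad,
            "offending": bad,
            "passwd_name": parsed["name"],
            "passwd_ok": parsed["ok"],
        }
    return report

if __name__ == "__main__":
    for uid, r in audit(CANDIDATES).items():
        verdict = "portable" if r["portable"] else "NOT portable " + repr(r["offending"])
        print(f"{uid!r:18} {verdict:28} passwd name={r['passwd_name']!r} ok={r['passwd_ok']}")
```

Running the same audit over an export of uid values before they are provisioned shows which entries the directory will accept but a POSIX client will not resolve.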
Keutel, Jochen (mlists) wrote:
> Hello, the ":" is a special character for Unix. (E.g. it's the column delimiter in /etc/passwd and friends.) So Unix forbids the usage of ":" in user names.
> POSIX defines (http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_...):
> To be portable across systems conforming to IEEE Std 1003.1-2001, the value is composed of characters from the portable filename character set.
> This portable character set is defined as (http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_...):
> The set of characters from which portable filenames are constructed.
> A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 . _ -
> The last three characters are the period, underscore, and hyphen characters, respectively.
> So LDAP allows ":" in uid (because it has DirectoryString syntax) but the application (Unix/POSIX) forbids it.
Additionally if using SSH logins one should stick to lower-case chars.
Ciao, Michael.
Vinay,
Vinay Kalkoti wrote on 23.02.2011 11:39:
> On Wed, Feb 23, 2011 at 2:37 PM, Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
>> Vinay Kalkoti wrote on 23.02.2011 09:10:
>>> I wanted to know what all complex characters can be included for an UID attribute.
>>> I have the following user names (uid).
>>> Please let me know which of the following uid's are invalid -
>>> test_user: IT (LOC) sup_12$ test_user:IT(LOC) test_user-IT test_user IT test_user:IT test_user(IT) test_user.IT test_user/IT test_user/IT test_user#IT test_user*IT test_user@IT
>> IMHO from the ldap point of view this is all totally valid. As long as it is encoded in UTF-8. According to this http://www.andrew.cmu.edu/user/dd26/ldap.akbkhome.com/attribute/uid.html the syntax of uid is Directory String which does not limit you either.
>> Your application using uid may or may not have stricter rules than that...
> But, the user account with "test_user:IT" is not able to log in. I have set up an OpenLDAP server and am using OpenLDAP client on SLES machines.
> SSH or "su - test_user:IT" fails. I see the following logs in /var/log/messages file.
"Your application using uid" here is "sshd", check there.
Marc
openldap-technical@openldap.org