ldap attribute aliases

Andrew Tridgell tridge at osdl.org
Sat Jan 15 01:57:26 GMT 2005

I've been looking into ldap attribute aliases a little more, and have
some confusing results.

I initially thought that we should implement a general attribute alias
mechanism, which is pretty simple to do, as I thought they were common
in LDAP. For example "surname" is an alias for "sn" and "commonName"
is an alias for "cn". 

The things that have me confused are:

 - The w2k3 LDAP server doesn't seem to know about these standard
   aliases. A search for 'cn' works, but 'commonName' doesn't. 

 - w2k3 does know that distinguishedName is an alias for dn, and when
   you search for distinguishedName you get back an attribute with the
   name 'distinguishedName', which is what I would expect. 

 - I haven't found any other examples of working aliases on my w2k3
   box. Is this really the only one?

 - When you search for 'commonName' in an OpenLDAP server you get back
   the attribute name 'cn', not 'commonName'. That seems very strange
   to me. Is that just an OpenLDAP bug? It seems to be quite strange
   from an API point of view, as it means that the application doing
   the query then has to know about the alias, which makes the alias
   quite useless. I would expect an LDAP server to return the name the
   client used, not a canonicalized name, but this is just me trying
   to apply common sense, not from reading the rfc.

What I suspect is happening is that the w2k3 LDAP server does not
support aliases at all, and that 'distinguishedName' is just an
operational attribute (one that is auto-generated when asked for).
Can anyone who is more familiar with LDAP confirm this for me? Jerry?
LukeH?

Cheers, Tridge
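
Added example, not part of the original message: a client-side workaround for the behaviour the message reports for OpenLDAP, where a search for 'commonName' comes back labelled 'cn'. It assumes the alias names can be read from attribute type descriptions in the server's schema; the sample definitions, the sample entry and the function names are constructed for illustration.

```python
import re

# Constructed sample: attribute type descriptions in RFC 4512 syntax, the form
# a server publishes in its schema. One OID may carry several names.
SCHEMA = [
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )",
    "( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch )",
]

# Matches the OID, then either a parenthesised name list or one quoted name.
NAME_RE = re.compile(r"\(\s*([\d.]+)\s+NAME\s+(?:\(([^)]*)\)|'([^']+)')")


def build_alias_map(definitions):
    """Map each lower-cased attribute name to the OID it belongs to."""
    name_to_oid = {}
    for definition in definitions:
        m = NAME_RE.match(definition)
        if not m:
            continue  # not an attribute type description we understand
        oid, name_list, single = m.groups()
        names = re.findall(r"'([^']+)'", name_list) if name_list else [single]
        for name in names:
            name_to_oid[name.lower()] = oid  # attribute names are case-insensitive
    return name_to_oid


def rename_to_requested(entry, requested, name_to_oid):
    """Rename returned attributes to the names the client asked for.

    Attributes unknown to the schema map are passed through unchanged.
    """
    wanted = {}
    for name in requested:
        oid = name_to_oid.get(name.lower())
        if oid is not None:
            wanted.setdefault(oid, name)  # first requested spelling wins
    renamed = {}
    for attr, values in entry.items():
        oid = name_to_oid.get(attr.lower())
        renamed[wanted.get(oid, attr)] = values
    return renamed
```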
