ldap attribute aliases

Luke Howard lukeh at padl.com
Sat Jan 15 02:35:56 GMT 2005

>I've been looking into ldap attribute aliases a little more, and have
>some confusing results.
>I initially thought that we should implement a general attribute alias
>mechanism, which is pretty simple to do, as I thought they were common
>in LDAP. For example "surname" is an alias for "sn" and "commonName"
>is an alias for "cn". 

There are two different kinds of "aliases". (I'm using inverted commas
as aliases mean something completely different in LDAP.)

An attribute type (OID) can be associated with multiple names, as is
the case with "sn" and "surName" or "cn" and "commonName".

Active Directory also includes some attribute supertypes in returned
output (e.g. "name" for the RDN value of an entry).

>The things that have me confused are:
> - The w2k3 LDAP server doesn't seem to know about these standard
>   aliases. A search for 'cn' works, but 'commonName' doesn't. 

A limitation in Active Directory.

> - w2k3 does know that distinguishedName is an alias for dn, and when
>   you search for distinguishedName you get back an attribute with the
>   name 'distinguishedName', which is what I would expect. 
> - I haven't found any other examples of working aliases on my w2k3
>   box. Is this really the only one?

I think so (apart from "name").

> - When you search for 'commonName' in an OpenLDAP server you get back
>   the attribute name 'cn', not 'commonName'. That seems very strange
>   to me. Is that just an OpenLDAP bug? It seems to be quite strange
>   from an API point of view, as it means that the application doing
>   the query then has to know about the alias, which makes the alias
>   quite useless. I would expect an LDAP server to return the name the
>   client used, not a canonicalized name, but this is just me trying
>   to apply common sense, not from reading the rfc.

That's a good question -- Howard?

>What I suspect is happening is that the w2k3 LDAP server does not
>support aliases at all, and that 'distinguishedName' is just an
>operational attribute (one that is auto-generated when asked for).
>Can anyone who is more familiar with LDAP confirm this for me? Jerry?
>LukeH ?

Correct, Active Directory does not support "aliases", but there are a
number of operational/constructed attributes.

The use of "distinguishedName", which is supposed to be an abstract
attribute supertype, is somewhat non-standard. But what isn't?

-- Luke
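An added illustration (not code from this thread, Samba, OpenLDAP or Active Directory) of the distinction Luke draws above: a tiny schema-aware resolver that parses RFC 4512-style attributeType definitions, maps every NAME of a type ("sn"/"surname", "cn"/"commonName") to the one OID, walks the SUP chain (so "cn" and "sn" are seen as subtypes of "name"), and then simulates the attribute-selection step of a search under both naming policies the original poster wondered about: returning the canonical (first) name, as he observed OpenLDAP doing, or echoing the name the client used. The schema strings, the entry and every value in them are constructed for the example; names the schema does not know are dropped, mirroring the "commonName doesn't work on w2k3" observation.

```python
import re

# Constructed sample schema in RFC 4512 attributeType syntax, modelled on the
# standard definitions in RFC 4519 but trimmed to the clauses used here.
SAMPLE_SCHEMA = [
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )",
    "( 2.5.4.49 NAME 'distinguishedName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )",
]

_OID_RE = re.compile(r"^\(\s*([0-9.]+)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'[^']*'|\((?:\s*'[^']*')+\s*\))")
_SUP_RE = re.compile(r"\bSUP\s+([A-Za-z][A-Za-z0-9-]*)")


class AttributeSchema:
    """Maps every NAME of an attribute type to its OID, so that 'sn' and
    'surname' (or 'cn' and 'commonName') resolve to the same type."""

    def __init__(self, definitions):
        self.by_oid = {}   # oid -> {"names": [first one is canonical], "sup": str|None}
        self.by_name = {}  # lower-cased name -> oid (LDAP names are case-insensitive)
        for definition in definitions:
            oid = _OID_RE.match(definition).group(1)
            names = re.findall(r"'([^']*)'", _NAME_RE.search(definition).group(0))
            sup = _SUP_RE.search(definition)
            self.by_oid[oid] = {"names": names, "sup": sup.group(1) if sup else None}
            for name in names:
                self.by_name[name.lower()] = oid

    def resolve(self, requested):
        """Return (oid, canonical_name) for any known name, or None if unknown."""
        oid = self.by_name.get(requested.lower())
        if oid is None:
            return None
        return oid, self.by_oid[oid]["names"][0]

    def supertype_chain(self, name):
        """Canonical names of the supertypes of `name`, nearest first."""
        chain, seen = [], set()
        current = self.resolve(name)
        while current is not None:
            sup = self.by_oid[current[0]]["sup"]
            if sup is None or sup.lower() in seen:
                break
            seen.add(sup.lower())
            current = self.resolve(sup)
            if current is not None:
                chain.append(current[1])
        return chain


# Constructed entry, keyed by OID the way a server stores it internally.
SAMPLE_ENTRY = {
    "2.5.4.3": ["Alice Example"],
    "2.5.4.4": ["Example"],
}


def select_attributes(schema, entry, requested, canonicalize=True):
    """Simulate the attribute-selection step of an LDAP search.

    canonicalize=True reproduces the OpenLDAP behaviour described in the
    thread: ask for 'commonName', get 'cn' back.  canonicalize=False returns
    the name exactly as the client spelled it.  Names the schema does not
    know (like 'commonName' against w2k3 in the thread) are simply omitted.
    """
    result = {}
    for name in requested:
        resolved = schema.resolve(name)
        if resolved is None:
            continue
        oid, canonical = resolved
        if oid in entry:
            result[canonical if canonicalize else name] = entry[oid]
    return result


if __name__ == "__main__":
    schema = AttributeSchema(SAMPLE_SCHEMA)
    print(select_attributes(schema, SAMPLE_ENTRY, ["commonName", "surname"]))
    print(select_attributes(schema, SAMPLE_ENTRY, ["commonName"], canonicalize=False))
    print(schema.supertype_chain("cn"))
```

The point of keeping the lookup keyed by OID is that the alias question then becomes purely a presentation choice at the edge: the server matches and stores by type, and only the `canonicalize` switch decides which spelling the client sees.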
