ldap attribute aliases

Andrew Tridgell tridge at osdl.org
Sat Jan 15 07:18:57 GMT 2005


 > This is by design, yes. The OpenLDAP server returns the canonical name 
 > for any attributeTypes that it recognizes. The guiding policy here is 
 > "be liberal in what you accept, but strict in what you produce."

I'd argue that that is broken, and in fact is the exact opposite of
"strict in what you produce" policy.

An application will typically do this:

  1) search for a set of attribiutes, say "uid" and "commonName"

  2) look through the reply for the attributes it asked for 

In the case of OpenLDAP the application will not find "commonName" in
the reply. So the application, which obviously thinks the attribute is
called "commonName" has to know about the details of the servers
schema, and know that it should look for "cn" in the reply. That's
just silly, as the point of allowing multiple names is to make
applications that use them work!

It might be OK if when asked for "CoMMonNaME" that OpenLDAP returns
"commonName", thus canonicalizing the alias, but returning "cn" can't
be right.

All this really proves to me is that nobody uses the secondary names
for attributes in LDAP. They don't seem to work at all in w2k, and in
OpenLDAP they work in a way that is completely pointless. I wonder if
any LDAP server gets them right?

Cheers, Tridge

More information about the samba-technical mailing list