ldap attribute aliases

Andrew Tridgell tridge at osdl.org
Sat Jan 15 07:18:57 GMT 2005


Howard,

 > This is by design, yes. The OpenLDAP server returns the canonical name 
 > for any attributeTypes that it recognizes. The guiding policy here is 
 > "be liberal in what you accept, but strict in what you produce."

I'd argue that that is broken, and in fact is the exact opposite of
"strict in what you produce" policy.

An application will typically do this:

  1) search for a set of attributes, say "uid" and "commonName"

  2) look through the reply for the attributes it asked for 

In the case of OpenLDAP the application will not find "commonName" in
the reply. So the application, which obviously thinks the attribute is
called "commonName", has to know about the details of the server's
schema, and know that it should look for "cn" in the reply. That's
just silly, as the point of allowing multiple names is to make
applications that use them work!

It might be OK if when asked for "CoMMonNaME" that OpenLDAP returns
"commonName", thus canonicalizing the alias, but returning "cn" can't
be right.

All this really proves to me is that nobody uses the secondary names
for attributes in LDAP. They don't seem to work at all in w2k, and in
OpenLDAP they work in a way that is completely pointless. I wonder if
any LDAP server gets them right?

Cheers, Tridge
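The mismatch described in the post (asking for "commonName" and getting "cn" back) can be absorbed on the client side by resolving names through the server's published attributeTypes schema. The following is an added example, not code from the thread or from OpenLDAP; the schema strings and the reply entry are constructed here (the OIDs match the standard cn and uid definitions).

```python
import re

# Constructed attributeTypes definitions in RFC 4512 syntax, as a server
# would publish them in its subschema entry.
SCHEMA_ATTRIBUTE_TYPES = [
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]

# NAME is either a single quoted descriptor or a parenthesised list of them.
_NAME_RE = re.compile(r"\bNAME\s+(\(([^)]*)\)|'([^']*)')")


def build_alias_map(attribute_types):
    """Map every descriptor (lower-cased) to the canonical, first-listed name."""
    aliases = {}
    for definition in attribute_types:
        match = _NAME_RE.search(definition)
        if not match:
            continue
        names = re.findall(r"'([^']*)'", match.group(1))
        canonical_name = names[0]
        for name in names:
            aliases[name.lower()] = canonical_name
    return aliases


def canonical(name, aliases):
    """Resolve any alias, case-insensitively, to its canonical name."""
    return aliases.get(name.lower(), name.lower())


def get_attribute(entry, requested, aliases):
    """Return the values for `requested`, whatever descriptor the server used."""
    wanted = canonical(requested, aliases)
    for attr, values in entry.items():
        if canonical(attr, aliases) == wanted:
            return values
    return None


# Constructed reply entry: the server answered with "cn" although the
# search asked for "commonName", so a plain dict lookup would miss it.
SAMPLE_ENTRY = {"uid": ["tridge"], "cn": ["Andrew Tridgell"]}

if __name__ == "__main__":
    alias_map = build_alias_map(SCHEMA_ATTRIBUTE_TYPES)
    print(SAMPLE_ENTRY.get("commonName"))                         # None
    print(get_attribute(SAMPLE_ENTRY, "CoMMonNaME", alias_map))    # ['Andrew Tridgell']
```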


More information about the samba-technical mailing list