ldap attribute aliases

Howard Chu hyc at highlandsun.com
Sat Jan 15 07:46:10 GMT 2005


Andrew Tridgell wrote:
> Howard,
> 
>  > This is by design, yes. The OpenLDAP server returns the canonical name 
>  > for any attributeTypes that it recognizes. The guiding policy here is 
>  > "be liberal in what you accept, but strict in what you produce."
> 
> I'd argue that that is broken,

You're not the first. But this isn't an argument for me, I was just 
explaining the state of affairs. E.g...
http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=2431
http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=2432

> and in fact is the exact opposite of
> "strict in what you produce" policy.
> 
> An application will typically do this:
> 
>   1) search for a set of attributes, say "uid" and "commonName"
> 
>   2) look through the reply for the attributes it asked for 
> 
> In the case of OpenLDAP the application will not find "commonName" in
> the reply. So the application, which obviously thinks the attribute is
> called "commonName" has to know about the details of the server's
> schema, and know that it should look for "cn" in the reply. That's
> just silly, as the point of allowing multiple names is to make
> applications that use them work!

> It might be OK if when asked for "CoMMonNaME" that OpenLDAP returns
> "commonName", thus canonicalizing the alias, but returning "cn" can't
> be right.
> 
> All this really proves to me is that nobody uses the secondary names
> for attributes in LDAP. They don't seem to work at all in w2k, and in
> OpenLDAP they work in a way that is completely pointless. I wonder if
> any LDAP server gets them right?

"right" is subjective in this case, since these short names are just 
another wart in the ugliness of the LDAP protocol. Keep in mind that 
LDAP is fundamentally a TCP-based access protocol for talking to an 
X.500 directory, and in X.500 there are no short names anywhere, only 
OIDs. As such, short names are purely a client presentation issue, not 
even an application-specific data issue. You can use any names you want 
as long as you can map them unambiguously to the OIDs you intended. This 
is one reason why attributeTypes in LDAP today are fundamentally broken.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support
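The client-side pattern Tridgell describes (ask for "uid" and "commonName", then look for those exact strings in the reply) breaks against a server that answers with canonical names. Since short names are only presentation sugar for OIDs, the robust fix is for the client to compare attribute descriptions by OID rather than by string. The following is an added example, not code from the thread or from OpenLDAP or Samba; the schema subset (`SCHEMA`), the sample entry and the function names are constructed for the example, and a real client would load the server's subschema subentry instead of a hard-coded table.

```python
# Added example (not from the mailing-list thread): a client-side attribute
# matcher that resolves LDAP attribute-type aliases through their OIDs, so a
# search that asked for "commonName" still finds the value a server returned
# as "cn". The schema subset below is constructed for the example; a real
# client should read the server's subschema subentry (attributeTypes) instead.

from typing import Dict, List, Optional

# Constructed subset of standard attribute types: OID -> names, with the
# first name being the canonical short name the thread says OpenLDAP emits.
SCHEMA: Dict[str, List[str]] = {
    "2.5.4.3": ["cn", "commonName"],
    "2.5.4.4": ["sn", "surname"],
    "0.9.2342.19200300.100.1.1": ["uid", "userid"],
    "0.9.2342.19200300.100.1.3": ["mail", "rfc822Mailbox"],
}


def _alias_index(schema: Dict[str, List[str]]) -> Dict[str, str]:
    """Map every name (case-folded) and the OID itself back to the OID.
    Attribute descriptions are case-insensitive in LDAP, so we fold case."""
    index: Dict[str, str] = {}
    for oid, names in schema.items():
        index[oid] = oid
        for name in names:
            index[name.lower()] = oid
    return index


ALIASES = _alias_index(SCHEMA)


def canonical_oid(attr: str) -> Optional[str]:
    """Return the OID for an attribute description, or None if unknown.
    Attribute options such as ';binary' are stripped before the lookup."""
    base = attr.split(";", 1)[0].strip()
    return ALIASES.get(base.lower())


def naive_lookup(entry: Dict[str, List[str]], requested: List[str]) -> Dict[str, Optional[List[str]]]:
    """The fragile pattern from the thread: exact-string matching on names."""
    return {name: entry.get(name) for name in requested}


def alias_aware_lookup(entry: Dict[str, List[str]], requested: List[str]) -> Dict[str, Optional[List[str]]]:
    """Resolve both the requested and the returned names to OIDs, so whichever
    alias (or bare OID) the server chose maps back to what the caller asked for.
    Names absent from the schema fall back to case-insensitive string matching."""
    by_key: Dict[str, List[str]] = {}
    for returned_name, values in entry.items():
        oid = canonical_oid(returned_name)
        by_key[oid if oid else returned_name.lower()] = values
    result: Dict[str, Optional[List[str]]] = {}
    for name in requested:
        oid = canonical_oid(name)
        result[name] = by_key.get(oid if oid else name.lower())
    return result


# Constructed reply, shaped like what the thread says OpenLDAP returns:
# canonical short names regardless of which alias was requested.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "uid": ["tridge"],
    "cn": ["Andrew Tridgell"],
    "sn": ["Tridgell"],
}

if __name__ == "__main__":
    wanted = ["uid", "commonName", "CoMMonNaME", "2.5.4.4"]
    print("naive:      ", naive_lookup(SAMPLE_ENTRY, wanted))
    print("alias-aware:", alias_aware_lookup(SAMPLE_ENTRY, wanted))
```

Run stand-alone, the naive lookup reports `commonName` as missing while the alias-aware one returns the `cn` value for `commonName`, for the oddly-cased `CoMMonNaME`, and for the bare OID `2.5.4.4`. The same OID-keyed comparison is what makes a client indifferent to whether a server echoes the requested alias, its canonical name, or the OID.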