ldap attribute aliases
Howard Chu
hyc at highlandsun.com
Sat Jan 15 07:46:10 GMT 2005
Andrew Tridgell wrote:
> Howard,
>
> > This is by design, yes. The OpenLDAP server returns the canonical name
> > for any attributeTypes that it recognizes. The guiding policy here is
> > "be liberal in what you accept, but strict in what you produce."
>
> I'd argue that that is broken,
You're not the first. But this isn't an argument for me; I was just
explaining the state of affairs. E.g...
http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=2431
http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=2432
> and in fact is the exact opposite of
> "strict in what you produce" policy.
>
> An application will typically do this:
>
> 1) search for a set of attributes, say "uid" and "commonName"
>
> 2) look through the reply for the attributes it asked for
>
> In the case of OpenLDAP the application will not find "commonName" in
> the reply. So the application, which obviously thinks the attribute is
> called "commonName" has to know about the details of the servers
> schema, and know that it should look for "cn" in the reply. That's
> just silly, as the point of allowing multiple names is to make
> applications that use them work!
>
> It might be OK if when asked for "CoMMonNaME" that OpenLDAP returns
> "commonName", thus canonicalizing the alias, but returning "cn" can't
> be right.
>
> All this really proves to me is that nobody uses the secondary names
> for attributes in LDAP. They don't seem to work at all in w2k, and in
> OpenLDAP they work in a way that is completely pointless. I wonder if
> any LDAP server gets them right?
"right" is subjective in this case, since these short names are just
another wart in the ugliness of the LDAP protocol. Keep in mind that
LDAP is fundamentally a TCP-based access protocol for talking to an
X.500 directory, and in X.500 there are no short names anywhere, only
OIDs. As such, short names are purely a client presentation issue, not
even an application-specific data issue. You can use any names you want
as long as you can map them unambiguously to the OIDs you intended. This
is one reason why attributeTypes in LDAP today are fundamentally broken.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
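The failure mode Tridgell describes (ask for "commonName", get back "cn") and the OID mapping Howard points to both come down to the same client-side job: resolve any accepted spelling of an attribute to its canonical name before matching it against the reply. The following is an added example, not code from this thread, from OpenLDAP or from Samba. The schema excerpt and the search reply are constructed for illustration (the OIDs for cn, uid and sn are the standard RFC 4519 values); the `AttributeResolver` class and `naive_lookup` function are names chosen here, not an API of any LDAP library.

```python
"""Resolve LDAP attribute aliases against the schema so a client finds the
attributes it asked for, whichever name the server chose in its reply.

Added example for the samba-technical thread; not OpenLDAP or Samba code.
SCHEMA and OPENLDAP_REPLY are constructed data.
"""
from typing import Dict, Iterable, List, Optional

# Constructed schema excerpt, one attributeType per OID. As in RFC 4512
# attributeTypes descriptions, the first NAME is the canonical short name
# and the remaining NAMEs are aliases. OIDs are the RFC 4519 ones.
SCHEMA = [
    {"oid": "2.5.4.3", "names": ["cn", "commonName"]},
    {"oid": "0.9.2342.19200300.100.1.1", "names": ["uid", "userid"]},
    {"oid": "2.5.4.4", "names": ["sn", "surname"]},
]

# Constructed reply in OpenLDAP's style: the client requested "uid" and
# "commonName", but the server labels the value with the canonical "cn".
OPENLDAP_REPLY: Dict[str, List[str]] = {"uid": ["tridge"], "cn": ["Andrew Tridgell"]}


def naive_lookup(entry: Dict[str, List[str]], requested: str) -> Optional[List[str]]:
    """What the thread describes an application doing: look in the reply
    only for the exact name it asked for. Against OpenLDAP this misses."""
    return entry.get(requested)


class AttributeResolver:
    """Map any accepted spelling of an attribute description (an alias, any
    letter case, or the bare OID) to the canonical short name, then use that
    to match reply attributes. Names are the 'client presentation' layer;
    the OID is what actually identifies the attribute type."""

    def __init__(self, schema: Iterable[dict]):
        self._canonical: Dict[str, str] = {}
        for at in schema:
            canon = at["names"][0]
            # A dotted OID is itself a legal attribute description, so accept it.
            self._canonical[at["oid"]] = canon
            for name in at["names"]:
                self._canonical[name.lower()] = canon

    def canonical(self, requested: str) -> Optional[str]:
        """Canonical name for `requested`, or None if the schema lacks it.
        Attribute options such as ';binary' are stripped before lookup."""
        base = requested.split(";", 1)[0].strip().lower()
        return self._canonical.get(base)

    def get(self, entry: Dict[str, List[str]], requested: str) -> Optional[List[str]]:
        """Values of `requested` in a search entry whose keys are whatever
        names the server produced (OpenLDAP: canonical; other servers: as
        requested). Unknown names fall back to a case-insensitive exact match."""
        wanted = self.canonical(requested)
        for key, values in entry.items():
            if key.lower() == requested.lower():
                return values
            if wanted is not None and self.canonical(key) == wanted:
                return values
        return None


def demo() -> Dict[str, Optional[List[str]]]:
    """Side-by-side: the naive lookup misses, the schema-aware one finds cn
    under its alias, under any letter case, and under its OID."""
    r = AttributeResolver(SCHEMA)
    return {
        "naive": naive_lookup(OPENLDAP_REPLY, "commonName"),
        "resolved": r.get(OPENLDAP_REPLY, "commonName"),
        "any_case": r.get(OPENLDAP_REPLY, "CoMMonNaME"),
        "by_oid": r.get(OPENLDAP_REPLY, "2.5.4.3"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:>9}: {value}")
```

The fallback in `get` matters for the case the thread is about: if a client only ever compares the literal string it sent, a canonicalising server makes the attribute look absent, and code that treats "absent" as "empty" will quietly proceed without the value. Requested names that the schema does not know (so `canonical` returns None) should be treated as a lookup failure to investigate, not as an attribute with no values.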
More information about the samba-technical mailing list