[prev in list] [next in list] [prev in thread] [next in thread]
List: fedora-directory-users
Subject: =?utf-8?q?=5B389-users=5D?= Re: how to configure cn attribute case sensitive
From: Thierry Bordaz <tbordaz () redhat ! com>
Date: 2021-04-27 6:20:00
Message-ID: e2cd2f59-d26c-7402-687e-1cc7e8c21041 () redhat ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
On 4/27/21 5:38 AM, William Brown wrote:
>
> > On 27 Apr 2021, at 09:42, Mark Reynolds <mreynolds@redhat.com> wrote:
> >
> >
> > On 4/26/21 3:34 PM, Ghiurea, Isabella wrote:
> > > Hi List,
> > > I need help with the following ldap issue , we are running
> > > 389-ds-base-1.3.7.5-24.el7_5.x86_64
> > >
> > > -how to check if 389-DS is cfg to be case sensitive?
> > > - how to cfg the cn attribute which is indexed in my DS to be case \
> > > sensitive ?
> > Sorry, you can't (shouldn't). "cn" is a standard attribute with a predefined \
> > syntax. "cn" is used internally by the server for many things, and it is \
> > expected to be case insensitive. Making it case-sensitive could break things in \
> > ways that would be very difficult to troubleshoot. You should never attempt to \
> > modify the server's core schema. Especially "cn" - just look at all the entries \
> > under cn=config...
> I completely agree with Mark here. You should probably define a new custom \
> attribute instead that has the rules you need.
I also agree that changing a matching rule of a standard attribute is
not a good idea.
In case you want to do SRCH with 'cn' being case sensitive you may use
extensible syntax of the filter like:
# search with 'cn' using its default equality matching rule (case
insensitive)
ldapsearch -LLL ... -b 'ou=people,dc=example,dc=com' '(cn=demo user)'
dn: uid=demo_user,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: demo_user
cn: Demo User
displayName: Demo User
legalName: Demo User Name
uidNumber: 99998
gidNumber: 99998
homeDirectory: /var/empty
loginShell: /bin/false
# search with 'cn' using exact MR and the exact case of the 'cn' value
ldapsearch -LLL -h localhost -p 38901 -D 'cn=Directory Manager' -w
password -b 'ou=people,dc=example,dc=com' '(cn:caseExactMatch:=Demo
User)'
dn: uid=demo_user,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: demo_user
cn: Demo User
displayName: Demo User
legalName: Demo User Name
uidNumber: 99998
gidNumber: 99998
homeDirectory: /var/empty
loginShell: /bin/false
# the same search with exact MR but with a assertion value that
differs from attribute value
# returns no entry
ldapsearch -LLL...-b 'ou=people,dc=example,dc=com'
'(cn:caseExactMatch:=demo user)'
Note that if you are willing to us extensible search with exact MR, it
would also be good to index 'cn' with this MR (else you will trigger
unindexed search).
regards
thierry
>
>
> > Regards,
> >
> > Mark
> >
> > > Thank you
> > > Isabella
> > >
> > >
> > >
> > > _______________________________________________
> > > 389-users mailing list --
> > > 389-users@lists.fedoraproject.org
> > >
> > > To unsubscribe send an email to
> > > 389-users-leave@lists.fedoraproject.org
> > >
> > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > >
> > > List Guidelines:
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > >
> > > List Archives:
> > > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> > >
> > > Do not reply to spam on the list, report it:
> > > https://pagure.io/fedora-infrastructure
> > --
> >
> > 389 Directory Server Development Team
> >
> > _______________________________________________
> > 389-users mailing list -- 389-users@lists.fedoraproject.org
> > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> > Fedora Code of Conduct: \
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: \
> > https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: \
> > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org \
> > Do not reply to spam on the list, report it: \
> > https://pagure.io/fedora-infrastructure
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs, Australia
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: \
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: \
> https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: \
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do \
> not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Attachment #5 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 4/27/21 5:38 AM, William Brown
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2784790B-834F-4CB3-8F48-9B377C60BCD5@suse.de">
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 27 Apr 2021, at 09:42, Mark Reynolds <a \
class="moz-txt-link-rfc2396E" \
href="mailto:mreynolds@redhat.com"><mreynolds@redhat.com></a> wrote:
On 4/26/21 3:34 PM, Ghiurea, Isabella wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi List,
I need help with the following ldap issue , we are running
389-ds-base-1.3.7.5-24.el7_5.x86_64
-how to check if 389-DS is cfg to be case sensitive?
- how to cfg the cn attribute which is indexed in my DS to be case sensitive ?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">Sorry, you can't (shouldn't). "cn" is a \
standard attribute with a predefined syntax. "cn" is used internally by the server \
for many things, and it is expected to be case insensitive. Making it case-sensitive \
could break things in ways that would be very difficult to troubleshoot. You should \
never attempt to modify the server's core schema. Especially "cn" - just look at all \
the entries under cn=config... </pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
I completely agree with Mark here. You should probably define a new custom attribute \
instead that has the rules you need. </pre> </blockquote>
<p>I also agree that changing a matching rule of a standard
attribute is not a good idea.</p>
<p>In case you want to do SRCH with 'cn' being case sensitive you
may use extensible syntax of the filter like:</p>
<blockquote>
<p><font face="monospace"># search with 'cn' using its default
equality matching rule (case insensitive)<br>
ldapsearch -LLL ... -b 'ou=people,dc=example,dc=com' '(cn=demo
user)'<br>
dn: uid=demo_user,ou=people,dc=example,dc=com<br>
objectClass: top<br>
objectClass: nsPerson<br>
objectClass: nsAccount<br>
objectClass: nsOrgPerson<br>
objectClass: posixAccount<br>
uid: demo_user<br>
cn: Demo User<br>
displayName: Demo User<br>
legalName: Demo User Name<br>
uidNumber: 99998<br>
gidNumber: 99998<br>
homeDirectory: /var/empty<br>
loginShell: /bin/false<br>
<br>
# search with 'cn' using exact MR and the exact case of the
'cn' value<br>
ldapsearch -LLL -h localhost -p 38901 -D 'cn=Directory
Manager' -w password -b 'ou=people,dc=example,dc=com'
'(cn:caseExactMatch:=Demo User)'<br>
dn: uid=demo_user,ou=people,dc=example,dc=com<br>
objectClass: top<br>
objectClass: nsPerson<br>
objectClass: nsAccount<br>
objectClass: nsOrgPerson<br>
objectClass: posixAccount<br>
uid: demo_user<br>
cn: Demo User<br>
displayName: Demo User<br>
legalName: Demo User Name<br>
uidNumber: 99998<br>
gidNumber: 99998<br>
homeDirectory: /var/empty<br>
loginShell: /bin/false<br>
<br>
# the same search with exact MR but with a assertion value
that differs from attribute value<br>
# returns no entry<br>
ldapsearch -LLL...-b 'ou=people,dc=example,dc=com'
'(cn:caseExactMatch:=demo user)'</font></p>
</blockquote>
<p><br>
</p>
<p>Note that if you are willing to us extensible search with exact
MR, it would also be good to index 'cn' with this MR (else you
will trigger unindexed search).</p>
<p>regards<br>
thierry<br>
</p>
<blockquote type="cite"
cite="mid:2784790B-834F-4CB3-8F48-9B377C60BCD5@suse.de">
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Regards,
Mark
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Thank you
Isabella
_______________________________________________
389-users mailing list --
<a class="moz-txt-link-abbreviated" \
href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
To unsubscribe send an email to
<a class="moz-txt-link-abbreviated" \
href="mailto:389-users-leave@lists.fedoraproject.org">389-users-leave@lists.fedoraproject.org</a>
Fedora Code of Conduct:
<a class="moz-txt-link-freetext" \
href="https://docs.fedoraproject.org/en-US/project/code-of-conduct/">https://docs.fedoraproject.org/en-US/project/code-of-conduct/</a>
List Guidelines:
<a class="moz-txt-link-freetext" \
href="https://fedoraproject.org/wiki/Mailing_list_guidelines">https://fedoraproject.org/wiki/Mailing_list_guidelines</a>
List Archives:
<a class="moz-txt-link-freetext" \
href="https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org" \
>https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org</a>
Do not reply to spam on the list, report it:
<a class="moz-txt-link-freetext" \
href="https://pagure.io/fedora-infrastructure">https://pagure.io/fedora-infrastructure</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">--
389 Directory Server Development Team
_______________________________________________
389-users mailing list -- <a class="moz-txt-link-abbreviated" \
href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a> \
To unsubscribe send an email to <a class="moz-txt-link-abbreviated" \
href="mailto:389-users-leave@lists.fedoraproject.org">389-users-leave@lists.fedoraproject.org</a>
Fedora Code of Conduct: <a class="moz-txt-link-freetext" \
href="https://docs.fedoraproject.org/en-US/project/code-of-conduct/">https://docs.fedoraproject.org/en-US/project/code-of-conduct/</a>
List Guidelines: <a class="moz-txt-link-freetext" \
href="https://fedoraproject.org/wiki/Mailing_list_guidelines">https://fedoraproject.org/wiki/Mailing_list_guidelines</a>
List Archives: <a class="moz-txt-link-freetext" \
href="https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org" \
>https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org</a> \
> Do not reply to spam on the list, report it: <a class="moz-txt-link-freetext" \
> href="https://pagure.io/fedora-infrastructure">https://pagure.io/fedora-infrastructure</a>
>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- <a class="moz-txt-link-abbreviated" \
href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a> \
To unsubscribe send an email to <a class="moz-txt-link-abbreviated" \
href="mailto:389-users-leave@lists.fedoraproject.org">389-users-leave@lists.fedoraproject.org</a>
Fedora Code of Conduct: <a class="moz-txt-link-freetext" \
href="https://docs.fedoraproject.org/en-US/project/code-of-conduct/">https://docs.fedoraproject.org/en-US/project/code-of-conduct/</a>
List Guidelines: <a class="moz-txt-link-freetext" \
href="https://fedoraproject.org/wiki/Mailing_list_guidelines">https://fedoraproject.org/wiki/Mailing_list_guidelines</a>
List Archives: <a class="moz-txt-link-freetext" \
href="https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org" \
>https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org</a> \
> Do not reply to spam on the list, report it: <a class="moz-txt-link-freetext" \
> href="https://pagure.io/fedora-infrastructure">https://pagure.io/fedora-infrastructure</a>
>
</pre>
</blockquote>
</body>
</html>
[Attachment #6 (text/plain)]
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic