Hi List, I need help with the following ldap issue , we are running 389-ds-base-1.3.7.5-24.el7_5.x86_64
-how to check if 389-DS is cfg to be case sensitive? - how to cfg the cn attribute which is indexed in my DS to be case sensitive ? Thank you Isabella
On 4/26/21 3:34 PM, Ghiurea, Isabella wrote:
Hi List,
I need help with the following ldap issue , we are running
389-ds-base-1.3.7.5-24.el7_5.x86_64
-how to check if 389-DS is cfg to be case sensitive?
- how to cfg the cn attribute which is indexed in my DS to be case
sensitive ?
Sorry, you can't (shouldn't). "cn" is a standard attribute with a predefined syntax. "cn" is used internally by the server for many things, and it is expected to be case insensitive. Making it case-sensitive could break things in ways that would be very difficult to troubleshoot. You should never attempt to modify the server's core schema. Especially "cn" - just look at all the entries under cn=config...
Regards,
Mark
Thank you
Isabella
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On 27 Apr 2021, at 09:42, Mark Reynolds mreynolds@redhat.com wrote:
On 4/26/21 3:34 PM, Ghiurea, Isabella wrote:
Hi List, I need help with the following ldap issue , we are running 389-ds-base-1.3.7.5-24.el7_5.x86_64
-how to check if 389-DS is cfg to be case sensitive?
- how to cfg the cn attribute which is indexed in my DS to be case sensitive ?
Sorry, you can't (shouldn't). "cn" is a standard attribute with a predefined syntax. "cn" is used internally by the server for many things, and it is expected to be case insensitive. Making it case-sensitive could break things in ways that would be very difficult to troubleshoot. You should never attempt to modify the server's core schema. Especially "cn" - just look at all the entries under cn=config...
I completely agree with Mark here. You should probably define a new custom attribute instead that has the rules you need.
Regards,
Mark
Thank you Isabella
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
389 Directory Server Development Team
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs, Australia
On 4/27/21 5:38 AM, William Brown wrote:
On 27 Apr 2021, at 09:42, Mark Reynolds mreynolds@redhat.com wrote:
On 4/26/21 3:34 PM, Ghiurea, Isabella wrote:
Hi List, I need help with the following ldap issue , we are running 389-ds-base-1.3.7.5-24.el7_5.x86_64
-how to check if 389-DS is cfg to be case sensitive?
- how to cfg the cn attribute which is indexed in my DS to be case sensitive ?
Sorry, you can't (shouldn't). "cn" is a standard attribute with a predefined syntax. "cn" is used internally by the server for many things, and it is expected to be case insensitive. Making it case-sensitive could break things in ways that would be very difficult to troubleshoot. You should never attempt to modify the server's core schema. Especially "cn" - just look at all the entries under cn=config...
I completely agree with Mark here. You should probably define a new custom attribute instead that has the rules you need.
I also agree that changing a matching rule of a standard attribute is not a good idea.
In case you want to do SRCH with 'cn' being case sensitive you may use extensible syntax of the filter like:
# search with 'cn' using its default equality matching rule (case insensitive) ldapsearch -LLL ... -b 'ou=people,dc=example,dc=com' '(cn=demo user)' dn: uid=demo_user,ou=people,dc=example,dc=com objectClass: top objectClass: nsPerson objectClass: nsAccount objectClass: nsOrgPerson objectClass: posixAccount uid: demo_user cn: Demo User displayName: Demo User legalName: Demo User Name uidNumber: 99998 gidNumber: 99998 homeDirectory: /var/empty loginShell: /bin/false
# search with 'cn' using exact MR and the exact case of the 'cn' value ldapsearch -LLL -h localhost -p 38901 -D 'cn=Directory Manager' -w password -b 'ou=people,dc=example,dc=com' '(cn:caseExactMatch:=Demo User)' dn: uid=demo_user,ou=people,dc=example,dc=com objectClass: top objectClass: nsPerson objectClass: nsAccount objectClass: nsOrgPerson objectClass: posixAccount uid: demo_user cn: Demo User displayName: Demo User legalName: Demo User Name uidNumber: 99998 gidNumber: 99998 homeDirectory: /var/empty loginShell: /bin/false
# the same search with exact MR but with a assertion value that differs from attribute value # returns no entry ldapsearch -LLL...-b 'ou=people,dc=example,dc=com' '(cn:caseExactMatch:=demo user)'
Note that if you are willing to us extensible search with exact MR, it would also be good to index 'cn' with this MR (else you will trigger unindexed search).
regards thierry
Regards,
Mark
Thank you Isabella
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
389 Directory Server Development Team
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Thank you Mark, William for reply , how about this user attribute : "DistinguishedName" in our DS this is matching the cn attributes for string values . Should we consider to enable "Case Exact Match " for this last attribute and rebuild the index? Thank you Isabella
From: Mark Reynolds [mailto:mreynolds@redhat.com] Sent: Monday, April 26, 2021 4:42 PM To: Ghiurea, Isabella; General discussion list for the 389 Directory server project. Subject: Re: [389-users] how to configure cn attribute case sensitive
***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC
On 4/26/21 3:34 PM, Ghiurea, Isabella wrote: Hi List, I need help with the following ldap issue , we are running 389-ds-base-1.3.7.5-24.el7_5.x86_64
-how to check if 389-DS is cfg to be case sensitive? - how to cfg the cn attribute which is indexed in my DS to be case sensitive ?
Sorry, you can't (shouldn't). "cn" is a standard attribute with a predefined syntax. "cn" is used internally by the server for many things, and it is expected to be case insensitive. Making it case-sensitive could break things in ways that would be very difficult to troubleshoot. You should never attempt to modify the server's core schema. Especially "cn" - just look at all the entries under cn=config...
Regards,
Mark Thank you Isabella
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.orgmailto:389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
389 Directory Server Development Team
Distinguished name is already used (dn).
I'd probably choose something more like corpCn or mycn or something like that. nrcCn maybe?
On 27 Apr 2021, at 14:16, Ghiurea, Isabella Isabella.Ghiurea@nrc-cnrc.gc.ca wrote:
Thank you Mark, William for reply , how about this user attribute : “DistinguishedName” in our DS this is matching the cn attributes for string values . Should we consider to enable “Case Exact Match “ for this last attribute and rebuild the index? Thank you Isabella
From: Mark Reynolds [mailto:mreynolds@redhat.com] Sent: Monday, April 26, 2021 4:42 PM To: Ghiurea, Isabella; General discussion list for the 389 Directory server project. Subject: Re: [389-users] how to configure cn attribute case sensitive
***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC
On 4/26/21 3:34 PM, Ghiurea, Isabella wrote: Hi List, I need help with the following ldap issue , we are running 389-ds-base-1.3.7.5-24.el7_5.x86_64
-how to check if 389-DS is cfg to be case sensitive?
- how to cfg the cn attribute which is indexed in my DS to be case sensitive ?
Sorry, you can't (shouldn't). "cn" is a standard attribute with a predefined syntax. "cn" is used internally by the server for many things, and it is expected to be case insensitive. Making it case-sensitive could break things in ways that would be very difficult to troubleshoot. You should never attempt to modify the server's core schema. Especially "cn" - just look at all the entries under cn=config...
Regards,
Mark
Thank you Isabella
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure --
389 Directory Server Development Team
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs, Australia
389-users@lists.fedoraproject.org