Re: how to configure cn attribute case sensitive

[Thierry Bordaz <tbordaz@xxxxxxxxxx>]

On 4/27/21 5:38 AM, William Brown wrote:

> > On 27 Apr 2021, at 09:42, Mark Reynolds <mreynolds@xxxxxxxxxx> wrote:
> >
> >
> > On 4/26/21 3:34 PM, Ghiurea, Isabella wrote:
> > > Hi List,
> > > I need help with the following  ldap   issue , we are running
> > > 389-ds-base-1.3.7.5-24.el7_5.x86_64
> > >  
> > > -how to check if 389-DS  is cfg to be case sensitive?
> > > - how  to cfg the cn attribute  which is indexed in my DS   to be case sensitive ?
> > >         
> > Sorry, you can't (shouldn't).  "cn" is a standard attribute with a predefined syntax.  "cn" is used internally by the server for many things, and it is expected to be case insensitive.  Making it case-sensitive could break things in ways that would be very difficult to troubleshoot.  You should never attempt to modify the server's core schema.  Especially "cn" - just look at all the entries under cn=config...
> >       
> I completely agree with Mark here. You should probably define a new custom attribute instead that has the rules you need.
>

I also agree that changing a matching rule of a standard attribute is not a good idea.

In case you want to do SRCH with 'cn' being case sensitive you may use extensible syntax of the filter like:

# search with 'cn' using its default equality matching rule (case insensitive)
ldapsearch -LLL ... -b 'ou=people,dc=example,dc=com' '(cn=demo user)'
dn: uid=demo_user,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: demo_user
cn: Demo User
displayName: Demo User
legalName: Demo User Name
uidNumber: 99998
gidNumber: 99998
homeDirectory: /var/empty
loginShell: /bin/false

# search with 'cn' using exact MR and the exact case of the 'cn' value
ldapsearch -LLL -h localhost -p 38901 -D 'cn=Directory Manager' -w password -b 'ou=people,dc=example,dc=com' '(cn:caseExactMatch:=Demo User)'
dn: uid=demo_user,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: demo_user
cn: Demo User
displayName: Demo User
legalName: Demo User Name
uidNumber: 99998
gidNumber: 99998
homeDirectory: /var/empty
loginShell: /bin/false

# the same search with exact MR but with a assertion value that differs from attribute value
# returns no entry
ldapsearch -LLL...-b 'ou=people,dc=example,dc=com' '(cn:caseExactMatch:=demo user)'

Note that if you are willing to us extensible search with exact MR, it would also be good to index 'cn' with this MR (else you will trigger unindexed search).

regards
thierry

> > Regards,
> >
> > Mark
> >
> > > Thank you
> > > Isabella
> > >  
> > >
> > >
> > > _______________________________________________
> > > 389-users mailing list -- 
> > > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > To unsubscribe send an email to 
> > > 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > Fedora Code of Conduct: 
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > >
> > > List Guidelines: 
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > >
> > > List Archives: 
> > > https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > Do not reply to spam on the list, report it: 
> > > https://pagure.io/fedora-infrastructure
> > >         
> > -- 
> >
> > 389 Directory Server Development Team
> >
> > _______________________________________________
> > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> >       
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs, Australia
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>     
  

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure