I am curious; I understand that LDAP does not enforce case sensitivity for user names or passwords. However, I am wondering if there is a method to enforce such a policy on fedora-ds? I noticed the behavior earlier this week and it reminded me of this behavior in LDAP. I am using an older version of fds, any chance the newer version addresses this? Tks
Scott Boggs wrote:
> I am curious; I understand that LDAP does not enforce case sensitivity for
> user names or passwords.
> However, I am wondering if there is a method to enforce such a policy on
> fedora-ds? I noticed the behavior earlier this week and it reminded me of this
> behavior in LDAP. I am using an older version of fds, any chance the newer
> version addresses this?

I would strongly recommend against doing this for user names (actually passwords are case sensitive). It's impossible to make user names in email addresses case sensitive (it breaks various RFCs) so there is no reason to make user names at the system end, where any possible MTA/MDA might live, case sensitive.

-- Del
Del <del <at> babel.com.au> writes:
>
> Scott Boggs wrote:
> > I am curious; I understand that LDAP does not enforce case sensitivity for
> > user names or passwords.
> > However, I am wondering if there is a method to enforce such a policy on
> > fedora-ds? I noticed the behavior earlier this week and it reminded me of this
> > behavior in LDAP. I am using an older version of fds, any chance the newer
> > version addresses this?
>
> I would strongly recommend against doing this for user names (actually
> passwords are case sensitive). It's impossible to make user names in
> email addresses case sensitive (it breaks various RFCs) so there is no
> reason to make user names at the system end, where any possible MTA/MDA
> might live, case sensitive.
>

I understand the reasons behind the case-sensitivity enforcement. However, I need to find a method to enforce case with the usernames. There will be no email interaction involved. Any suggestions? Thanks
Richard Megginson
2006-Feb-20 17:30 UTC
Re: [Fedora-directory-users] Re: Username Case Sensitivity
Scott Boggs wrote:
> Del <del <at> babel.com.au> writes:
>
>> Scott Boggs wrote:
>>
>>> I am curious; I understand that LDAP does not enforce case sensitivity for
>>> user names or passwords.
>>> However, I am wondering if there is a method to enforce such a policy on
>>> fedora-ds? I noticed the behavior earlier this week and it reminded me of this
>>> behavior in LDAP. I am using an older version of fds, any chance the newer
>>> version addresses this?

No, the newer version does not address this. Passwords are already case sensitive. As for user names, what attribute were you planning to use?

>> I would strongly recommend against doing this for user names (actually
>> passwords are case sensitive). It's impossible to make user names in
>> email addresses case sensitive (it breaks various RFCs) so there is no
>> reason to make user names at the system end, where any possible MTA/MDA
>> might live, case sensitive.
>
> I understand the reasons behind the case-sensitivity enforcement. However, I
> need to find a method to enforce case with the usernames. There will be no
> email interaction involved. Any suggestions? Thanks
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Richard Megginson <rmeggins <at> redhat.com> writes:
>
> No, the newer version does not address this. Passwords are already case
> sensitive. As for user names, what attribute were you planning to use?
>

I am needing to force the usernames to all lowercase. I was thinking that it related to this "OID: 1.3.6.1.4.1.1466.115.121.1.26" (IA5string syntax); am I off base?
Richard Megginson
2006-Feb-20 17:40 UTC
Re: [Fedora-directory-users] Re: Username Case Sensitivity
Scott Boggs wrote:
> Richard Megginson <rmeggins <at> redhat.com> writes:
>
>> No, the newer version does not address this. Passwords are already case
>> sensitive. As for user names, what attribute were you planning to use?
>
> I am needing to force the usernames to all lowercase. I was thinking that it
> related to this "OID: 1.3.6.1.4.1.1466.115.121.1.26" (IA5string syntax); am I off
> base?

For what attribute?
Richard Megginson <rmeggins <at> redhat.com> writes:
>
> For what attribute?
>

I'm sorry, the attribute is "uid"; my configuration is pretty much the same as installed.
Richard Megginson
2006-Feb-20 17:56 UTC
Re: [Fedora-directory-users] Re: Username Case Sensitivity
Scott Boggs wrote:
> Richard Megginson <rmeggins <at> redhat.com> writes:
>
>> For what attribute?
>
> I'm sorry, the attribute is "uid"; my configuration is pretty much the same as
> installed.

Ok. I suppose you could change the syntax of that attribute, but that is strongly discouraged. What is your application that requires all lower case uids?
Jeff Clowser
2006-Feb-20 18:11 UTC
Re: [Fedora-directory-users] Re: Username Case Sensitivity
Scott Boggs wrote:
> Del <del <at> babel.com.au> writes:
>
>> Scott Boggs wrote:
>>
>>> I am curious; I understand that LDAP does not enforce case sensitivity for
>>> user names or passwords.
>>> However, I am wondering if there is a method to enforce such a policy on
>>> fedora-ds? I noticed the behavior earlier this week and it reminded me of this
>>> behavior in LDAP. I am using an older version of fds, any chance the newer
>>> version addresses this?
>>
>> I would strongly recommend against doing this for user names (actually
>> passwords are case sensitive). It's impossible to make user names in
>> email addresses case sensitive (it breaks various RFCs) so there is no
>> reason to make user names at the system end, where any possible MTA/MDA
>> might live, case sensitive.
>
> I understand the reasons behind the case-sensitivity enforcement. However, I
> need to find a method to enforce case with the usernames. There will be no
> email interaction involved. Any suggestions? Thanks

Username (specifically, the uid attribute) is configured as case insensitive in the server schema - i.e. the definition of the uid attribute defines it as case insensitive. This is a schema configuration issue, not a code issue or option (i.e. not something that a new version of software will change). I believe the uid attribute is defined in 00core.ldif.

You probably _could_ change the definition of the attribute to make it case sensitive. However, as others here have said, I'd strongly recommend not doing this - it violates RFCs, and any off-the-shelf apps you plan to integrate against your directory now or in the future may very well break in some way, possibly in unexpected ways or at unexpected times. I'd only do this if you are using this non-standard schema directory purely for internally developed apps, and only if you never plan to deploy/distribute that app outside your own organization, and even then, I'd still recommend against it for whoever inherits it from you some day in the future, or if you upgrade your directory and forget to make this modification next time around.

However, if this is a purely internal app, you have full freedom to use whatever custom schema you want. Given that freedom though, I would recommend instead doing something like the following instead of modifying standard schema:

1. Create an "altuid" attribute (or whatever you want to call it) that is in the format you want - case sensitive, etc.
2. Create a new objectclass, say inherited from objectclass inetorgperson.
3. Add altuid as an attribute of that objectclass.

Use this objectclass when you define your users.

> I am needing to force the usernames to all lowercase. I was thinking that it
> related to this "OID: 1.3.6.1.4.1.1466.115.121.1.26" (IA5string syntax); am I off
> base?

Do you need usernames to be case sensitive, or do you need them to be all lowercase? Very different thing - if you need them to be case sensitive, you can do one of the things I mentioned above. If you need them to be strictly lower case, whatever you use to create users in the directory needs to validate usernames and only put in usernames that are lower case - i.e. create a custom web front end in php, perl, etc for managing users. When it creates new user entries, have that interface lowercase usernames before putting it in the uid attribute and creating the user entry.

Can you expand a bit on what your application is or why it needs this? What about your application, environment, etc is driving a need for case sensitive uid's or lowercase uids. Is it an issue of syncing with another environment that has these requirements/format, etc? If we knew more about what is driving this need, we may be able to provide more useful advice or suggestions.

- Jeff
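Added example, not part of the original thread and not Fedora DS code: a Python provisioning helper for the approach Jeff describes, where the tool that creates users lowercases and validates the name before writing uid, with a copy in the case-exact altuid. The UID_POLICY pattern, the siteperson objectclass name, the dc=example,dc=com base DN and the two simplified matching functions are assumptions made for illustration.

```python
import re

# Assumed site policy (not from the thread): a lowercase letter, then up to 31
# lowercase letters, digits, '.', '_' or '-'. None of these need DN escaping.
UID_POLICY = re.compile(r"[a-z][a-z0-9._-]{0,31}")
# Plain ASCII names only, so cn/sn are valid unencoded LDIF values.
NAME_SAFE = re.compile(r"[A-Za-z](?:[A-Za-z .'-]*[A-Za-z.])?")

def normalize_uid(raw, strict=False):
    """Return the uid to store; strict=True rejects mixed case instead of folding it."""
    candidate = raw.strip()
    if strict and candidate != candidate.lower():
        raise ValueError(f"uid {candidate!r} must be all lowercase")
    candidate = candidate.lower()
    if not UID_POLICY.fullmatch(candidate):
        raise ValueError(f"uid {candidate!r} violates the site naming policy")
    return candidate

def case_ignore_match(stored, asserted):
    """Simplified model of how the standard uid attribute compares values."""
    return stored.casefold() == asserted.casefold()

def case_exact_match(stored, asserted):
    """Simplified model of a case-exact attribute such as the proposed altuid."""
    return stored == asserted

def build_entry(raw_uid, cn, sn, base_dn="ou=People,dc=example,dc=com"):
    """Build LDIF for a new user; siteperson and altuid are hypothetical schema names."""
    uid = normalize_uid(raw_uid)
    for value in (cn, sn):
        if not NAME_SAFE.fullmatch(value):
            raise ValueError(f"unsafe LDIF value {value!r}")
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: siteperson",
        f"uid: {uid}",
        f"altuid: {uid}",
        f"cn: {cn}",
        f"sn: {sn}",
    ]) + "\n"

if __name__ == "__main__":
    print(build_entry("JSmith", "John Smith", "Smith"))
    typed = "JSmith"  # constructed login input with the wrong case
    print("uid (case-ignore) finds entry:", case_ignore_match("jsmith", typed))
    print("altuid (case-exact) accepts:  ", case_exact_match("jsmith", typed))
```

A search on uid still finds the entry whatever case the user types; only a comparison against the case-exact copy distinguishes "JSmith" from "jsmith".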
> Ok. I suppose you could change the syntax of that attribute, but that
> is strongly discouraged. What is your application that requires all
> lower case uids?
>

Not really an application, but having to meet a site security policy. Thank you.
Jeff Clowser <jclowser <at> unitedmessaging.com> writes:
>

Thank you, this is great information.
Jeff Clowser <jclowser <at> unitedmessaging.com> writes:
>
> Do you need usernames to be case sensitive, or do you need them to be
> all lowercase? Very different thing - if you need them to be case
> sensitive, you can do one of the things I mentioned above. If you need
> them to be strictly lower case, whatever you use to create users in the
> directory needs to validate usernames and only put in usernames that are
> lower case - i.e. create a custom web front end in php, perl, etc for
> managing users. When it creates new user entries, have that interface
> lowercase usernames before putting it in the uid attribute and creating
> the user entry.
>
> Can you expand a bit on what your application is or why it needs this?
> What about your application, environment, etc is driving a need for case
> sensitive uid's or lowercase uids. Is it an issue of syncing with
> another environment that has these requirements/format, etc? If we knew
> more about what is driving this need, we may be able to provide more
> useful advice or suggestions.
>
> - Jeff
>

We have some internal security applications which have issues if a user logs in with incorrect case in their username. The site policy dictates that the usernames must all be lowercase, but if a user types it incorrectly and adds an uppercase instead of lowercase they have issues. I think a unique (non-standard) use of the attribute should do what I need. I will look at the 00core.ldif as you have suggested. Thank you very much
Scott Boggs <sboggs <at> trustedcs.com> writes:
>
> > Ok. I suppose you could change the syntax of that attribute, but that
> > is strongly discouraged. What is your application that requires all
> > lower case uids?
> >
>
> Not really an application, but having to meet a site security policy.
>
> Thank you.
>

Thank you to everyone for helping me out with this (non-traditional) solution for my username case sensitivity issue. Following what Jeff outlined I am approaching my new oid for a new attribute 'altuid' with the syntax for 2.5.13.5 (caseExactMatch) and 2.5.13.7 (caseExactSubstringMatch). Since these are standard matching rules, will I have to define them in any way for FDS to use them? And just to double check, would there be any reason I should not use these syntax definitions? Last thing I want to do is screw up my FDS. Thanks again for everyone's time.

To clarify, my FDS will not be interacting outside its private realm and not with any applications, so I am hoping this approach is viable for my FDS