I used another thread to discuss forcing the schema to adhere to caseSensitivity. As pointed out by the responses from many of the FDS vets out there, breaking the RFC would be bad. I am looking for another solution to enforcing exact matches for my users during the login process (non-case specific). This is strictly to support site security policy and not a result of any application integration. To stay in compliance with RFC standards and to save myself headaches down the road, I need to know if I can change the syntax for the attribute 'uid' to follow something like distinguishedNameMatch for attribute type specification, or is there another method to match uid exactly (i.e. uid=Test where "Test" not "test" must be used to login). Would applying the schema in this manner violate any RFC standards? Again, I am simply trying to enforce an exact character input during login and not trying to change LDAP to enforce any form of case matching. Thanks for all the help on this question.
Scott Boggs <sboggs <at> trustedcs.com> writes:

> To stay in compliance with RFC standards and to save myself headaches down the
> road, I need to know if I can change the syntax for the attribute 'uid' to
> follow something like distinguishedNameMatch for attribute type specification or
> is there another method to match uid exactly (i.e. uid=Test where "Test" not
> "test" must be used to login).

I suppose another approach might be a plugin. Anyone have any background on any existing plugins that would meet the goal of enforcing exact character input for login? Thanks again for all the trouble.
I think you should be able to just change the syntax for 'uid' to case sensitive. Of course that might break something somewhere. e.g. the console/admin server may have made assumptions about uid being case insensitive. As for not complying with the RFCs, that's really not a big concern since you actually _want_ your usernames to be case sensitive.
Scott Boggs <sboggs <at> trustedcs.com> writes: Would a possible solution to enforce case sensitivity at user login be to use the Case Exact String Syntax Plug-in that is listed in administrators guide? Anyone ever done so? Tks again
Richard Megginson
2006-Feb-22 21:28 UTC
Re: [Fedora-directory-users] Re: Extending the Schema
Scott Boggs wrote:

> Scott Boggs <sboggs <at> trustedcs.com> writes:
>
> Would a possible solution to enforce case sensitivity at user login
> be to use the Case Exact String Syntax Plug-in
> that is listed in administrators guide?

The syntax plug-ins do not enforce their particular syntax in the sense of rejecting attribute values that do not match their specified syntax. They merely provide comparison, collation, and index key generation.

> Anyone ever done so?
> Tks again
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Richard Megginson wrote:

> Scott Boggs wrote:
>
>> Scott Boggs <sboggs <at> trustedcs.com> writes:
>>
>> Would a possible solution to enforce case sensitivity at user login
>> be to use the Case Exact String Syntax Plug-in that is listed in
>> administrators guide?
>
> The syntax plug-ins do not enforce their particular syntax in the
> sense of rejecting attribute values that do not match their specified
> syntax. They merely provide comparison, collation, and index key
> generation.

But any client that is authenticating on behalf of users should see the 'correct' behavior, no? For example, if a search for 'uid=Foo' were done, it would not match an entry with uid=foo.
Richard Megginson
2006-Feb-22 21:47 UTC
Re: [Fedora-directory-users] Re: Extending the Schema
David Boreham wrote:

> Richard Megginson wrote:
>
>> Scott Boggs wrote:
>>
>>> Scott Boggs <sboggs <at> trustedcs.com> writes:
>>>
>>> Would a possible solution to enforce case sensitivity at user login
>>> be to use the Case Exact String Syntax Plug-in that is listed in
>>> administrators guide?
>>
>> The syntax plug-ins do not enforce their particular syntax in the
>> sense of rejecting attribute values that do not match their specified
>> syntax. They merely provide comparison, collation, and index key
>> generation.
>
> But any client that is authenticating on behalf of users should see the
> 'correct' behavior, no? For example, if a search for 'uid=Foo' were
> done, it would not match an entry with uid=foo.

Right. But that's controlled by the syntax setting for the attribute in the schema. Basically, when you tell the schema to use syntax OID x.y.z, that x.y.z corresponds to a particular syntax plugin.
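
Editor's added example (not part of the thread and not Fedora Directory Server code): a toy Python model of the point made above, that the syntax chosen for an attribute supplies only the comparison and index-key function and never rejects values. The class `ToyDirectory`, the two key functions, and the sample DN are constructed for illustration; the space handling is a simplification.

```python
# Toy model (constructed for illustration; not Fedora Directory Server code).
# A "syntax" here is only a key function used for comparison and indexing.

def case_ignore_key(value):
    """Comparison/index key that ignores case (and extra spaces)."""
    return " ".join(value.split()).casefold()

def case_exact_key(value):
    """Comparison/index key that keeps case (extra spaces still ignored)."""
    return " ".join(value.split())

class ToyDirectory:
    def __init__(self, syntax_by_attr):
        # Stand-in for the schema's attribute -> syntax OID -> plug-in mapping.
        # Attribute *names* are always compared case-insensitively.
        self.syntax = {a.lower(): fn for a, fn in syntax_by_attr.items()}
        self.index = {}  # (attribute, key) -> set of entry DNs

    def add(self, dn, attrs):
        # Values are never rejected; the syntax only decides the index key.
        for attr, values in attrs.items():
            key_fn = self.syntax[attr.lower()]
            for value in values:
                self.index.setdefault((attr.lower(), key_fn(value)), set()).add(dn)

    def search_eq(self, attr, asserted):
        """Evaluate the equality filter (attr=asserted); return matching DNs."""
        key = self.syntax[attr.lower()](asserted)
        return sorted(self.index.get((attr.lower(), key), set()))

SAMPLE_DN = "uid=Test,ou=People,dc=example,dc=com"  # constructed sample entry

def demo():
    """Run the same two lookups against each syntax and collect the hits."""
    results = {}
    for name, key_fn in (("ignore", case_ignore_key), ("exact", case_exact_key)):
        directory = ToyDirectory({"uid": key_fn})
        directory.add(SAMPLE_DN, {"uid": ["Test"]})
        results[name] = {p: directory.search_eq("uid", p) for p in ("Test", "test")}
    return results

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

With the case-exact key, a client that locates the user by searching `(uid=test)` finds nothing, while `(uid=Test)` finds the entry; with the case-ignore key both searches return it.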