Re: DBIS - new IETF drafts
Mark R Bannister <dbis <at> proseconsulting.co.uk>
2014-01-10 14:13:15 GMT
On 09/01/2014 18:03, Simo wrote:
> On Thu, 2014-01-09 at 16:48 +0100, Michael Ströder wrote:
>> Mark R Bannister wrote:
>>> Yes as you'll see from my recent reply to Simo, the case sensitivity issue was
>>> one of the problems I faced at a large installation,
>> This could be easily solved with RFC2307bis. Or not?
>> In my deployments I simply define additional (OpenLDAP) constraints for those
>> attributes (e.g. to enforce lower-case 'uid' values).
>> IMHO only re-defining the matching rules does not fully solve the case problem
>> anyway. Restricting to lower-case attribute values helps better.
> I'd go beyond this, supporting case-sensitive user names is actively
> harmful for various reasons.
UNIX is traditionally case sensitive. I am currently working at a large
installation where there is an important distinction between lower-case
and upper-case user names. This debate isn't just about user names
anyway. There are loads of NIS fields that were case sensitive, and
UNIX isn't going to change. They will always be case sensitive. So
trying to represent them in case insensitive fields is just, well, wrong.
> - Assuming users (and admins) should be able to distinguish based on
> case is wrong, we naturally consider the strings 'Admin' and 'admin' to
> be the same thing.
If you're used to Microsoft Windows, yes. DBIS is not aimed at Microsoft.
> - Some systems are case-preserving (meaning they'll show you back the
> same case you entered, but are really case-insensitive and if you have
> to interoperate with them you cannot assume Admin and admin to be
> different users, it could lead to serious security issues.
> - If we are in the legacy game, there are still systems that will simply
> accept only all caps names, like ADMIN. In these cases what do you map
> that to ? Admin ? admin? a third user called ADMIN ?
> And there are many other examples where really being case sensitive
> causes a lot more problem than it resolves.
> Due to these problems what we did in FreeIPA is to always create users
> in lower case and explicitly state we are case-preserving and
> insensitive. It is the only reasonable compromise IMHO.
NIS, RFC2307, RFC2307bis and DBIS are for UNIX. UNIX is case
sensitive. It makes no sense to store data in a case insensitive
fashion if the client expects it to be case sensitive. Data loss or
corruption will occur this way.
Ldapext mailing list
Ldapext <at> ietf.org
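The interoperability hazard Simo describes above, and the lower-case constraint Michael mentions, can both be checked before deciding on a naming policy. The following is an added example, not code from the thread or from DBIS: it takes a constructed set of account names (assumed to have been exported from LDAP or NIS) and reports which names a case-insensitive peer would merge into one identity, plus which names would violate a lower-case-only uid rule. Unicode casefolding is used rather than `lower()` so that names such as Straße and STRASSE are caught too.

```python
import unicodedata
from collections import defaultdict

# Constructed sample of uid -> uidNumber pairs, as an LDAP or NIS export
# might contain. These are illustrative values, not data from the thread.
SAMPLE_ACCOUNTS = {
    "admin": 1001,
    "Admin": 1002,
    "ADMIN": 1003,
    "jsmith": 1004,
    "Jsmith": 1005,
    "mbannister": 1006,
    "Straße": 1007,
    "STRASSE": 1008,
}


def fold(name):
    """Compare names the way a case-insensitive peer would: NFKC normalise,
    then full Unicode casefold (so 'Straße' and 'STRASSE' both become 'strasse')."""
    return unicodedata.normalize("NFKC", name).casefold()


def find_case_collisions(accounts):
    """Group distinct UNIX account names that a case-insensitive system would
    treat as a single identity. Returns {folded_name: [original names...]}
    for every group with more than one member."""
    groups = defaultdict(list)
    for name in accounts:
        groups[fold(name)].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def check_lowercase_policy(accounts):
    """Names that would be rejected by a lower-case-only uid constraint
    (the approach of enforcing lower-case 'uid' values at the directory)."""
    return sorted(name for name in accounts if name != name.lower())


if __name__ == "__main__":
    for folded, names in find_case_collisions(SAMPLE_ACCOUNTS).items():
        uids = [SAMPLE_ACCOUNTS[n] for n in names]
        print(f"collision under case-insensitive matching: {names} (uidNumbers {uids})")
    print("violate lower-case policy:", check_lowercase_policy(SAMPLE_ACCOUNTS))
```

Each collision group is a set of separate UNIX identities that would become indistinguishable on a case-preserving but case-insensitive peer, which is the condition worth auditing for before any such interop is enabled.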