Re: [ldapext] Case sensitivity of user/group names (was Re: DBIS commentary)

Charlie <medievalist@gmail.com> Thu, 03 December 2015 23:24 UTC

Return-Path: <medievalist@gmail.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64FC71A1A17 for <ldapext@ietfa.amsl.com>; Thu, 3 Dec 2015 15:24:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ne-0QsWx05-b for <ldapext@ietfa.amsl.com>; Thu, 3 Dec 2015 15:24:33 -0800 (PST)
Received: from mail-lf0-x235.google.com (mail-lf0-x235.google.com [IPv6:2a00:1450:4010:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C63F71A1A04 for <ldapext@ietf.org>; Thu, 3 Dec 2015 15:24:32 -0800 (PST)
Received: by lfaz4 with SMTP id z4so101292393lfa.0 for <ldapext@ietf.org>; Thu, 03 Dec 2015 15:24:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=3ZwgWQG2NAdNOVBecbrm3OCjXbh2ggN3ZVW00fBx/Vw=; b=XFQSEYb8nrSvoLD5X0FDG7lgjlBF4CLa2bNs4TG5JZ7NNI7PJ3lFi48BQjPst11xBS t3Fwplke5Po6s/G4V1OKWAHGj/NN/XhKW092haA6rP2dN5K4Fo6sUIYC726lM2MejmNi pNF3/NOEnkhsJEoS8SvdeDhoESMv7oQkWZHwexn8HJ039V2fPa22MWqm/WP4HiiMgwiu ufebz9oBLWbOdROXBf7v1xRLpPNjcQP5K7mRZJYkuaN1v4m+9Oz6cTD1ihMp+5QXd3fU mrq0RpPVnzSJ34YlgskAvwIlQpkhPHGPUesIWzq6iB/wBn4Ehq0hLLisE9Mx7/RqBNrY ds2A==
MIME-Version: 1.0
X-Received: by 10.25.29.205 with SMTP id d196mr6740310lfd.81.1449185071031; Thu, 03 Dec 2015 15:24:31 -0800 (PST)
Received: by 10.114.80.193 with HTTP; Thu, 3 Dec 2015 15:24:30 -0800 (PST)
In-Reply-To: <5660C9ED.7040000@oracle.com>
References: <5655E4F0.7030809@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F618A3@OZWEX0209N1.msad.ms.com> <565CAC30.6010701@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F8EAFD@OZWEX0209N2.msad.ms.com> <565DDE78.5030908@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F8F30E@OZWEX0209N2.msad.ms.com> <565F1EB2.9060405@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F90F3A@OZWEX0209N2.msad.ms.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F90F6F@OZWEX0209N2.msad.ms.com> <56607926.1080306@oracle.com> <CAJb3uA4n+9LMj2gMYg_CA-YLechhnxk4mDsRQ2am+zeu-Veq1w@mail.gmail.com> <5660C9ED.7040000@oracle.com>
Date: Thu, 3 Dec 2015 18:24:30 -0500
Message-ID: <CAJb3uA7Dsazhw2oVhoDsANQoeADQipqUWmMQ4wzM-4V5M8Z3tA@mail.gmail.com>
From: Charlie <medievalist@gmail.com>
To: Jordan Brown <Jordan.Brown@oracle.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/4TRdjAIDviWag76J85njz7YUwDE>
Cc: "ldapext@ietf.org" <ldapext@ietf.org>
Subject: Re: [ldapext] Case sensitivity of user/group names (was Re: DBIS commentary)
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 23:24:34 -0000

On Thu, Dec 3, 2015 at 6:02 PM, Jordan Brown <Jordan.Brown@oracle.com> wrote:
> On 12/3/2015 2:45 PM, Charlie wrote:
>>
>> Well, in a cleanly integrated environment, I'd expect to see most
>> users' Microsoft SamAccountName and POSIX uid be identical lower-cased
>> strings less than 20 characters long.  I believe all currently
>> shipping LDAP directory implementations support the necessary schema.
>> Certainly AD and OpenLDAP both do.
>>
>> SamAccountName should be case-insensitive, uid should be
>> case-sensitive.
>
> If sAMAccountName and uid are identical, and sAMAccountName is
> case-insensitive, doesn't that mean that you can't have two users whose
> 'uid' differs only in case?

I think you missed the word "most"?   Normal user accounts being
created today would be unlikely to differ from each other only in
case.  Just old stuff and unique hacks.

> It would seem that the only visible effect of such a configuration is that
> an attempt to look up a wrong-case name on UNIX would fail, which is
> compatible in some sense but doesn't seem to really add any value over
> case-insensitivity.

I see compatibility with published standards and system documentation
as being vastly more valuable than catering to typing mistakes, but
obviously that's just my opinion.

More importantly, *nix tools and system utilities are going to make
case-sensitive comparisons of usernames internally, so if your name
service daemons aren't case-sensitive as well, *nix-based systems are
likely to be subtly broken.  Comparisons aren't restricted to the LDAP
service host, they happen on the local OS too - including in
site-developed code that was built to documented standards.

--Charlie