Re: [ldapext] Case sensitivity summary

Michael Ströder <> Fri, 04 December 2015 16:59 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 808021A8A57 for <>; Fri, 4 Dec 2015 08:59:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a13EgJT5pS-g for <>; Fri, 4 Dec 2015 08:59:08 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 58A3E1A8A4F for <>; Fri, 4 Dec 2015 08:59:08 -0800 (PST)
Received: from srv4.stroeder.local (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.stroeder.local", Issuer " Server CA no. 2009-07" (verified OK)) by (Postfix) with ESMTPS id 95C301CF66; Fri, 4 Dec 2015 16:59:06 +0000 (UTC)
Received: from nb2.stroeder.local (nb2.stroeder.local []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by srv4.stroeder.local (Postfix) with ESMTPS id B79AB1D29F; Fri, 4 Dec 2015 16:59:05 +0000 (UTC)
To: Simo Sorce <>
References: <> <> <>
From: Michael Ströder <>
X-Enigmail-Draft-Status: N1110
Message-ID: <>
Date: Fri, 04 Dec 2015 17:59:05 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 SeaMonkey/2.39
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms030406040705020208020607"
Archived-At: <>
Cc: LDAP Extensions list <>
Subject: Re: [ldapext] Case sensitivity summary
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 16:59:10 -0000

Simo Sorce wrote:
> On Fri, 2015-12-04 at 15:00 +0100, Michael Ströder wrote:

>> Regarding service names:
>> (Personally I never saw any customer LDAP deployment storing a services map.)
>> 1. Service names are used in DNS RRs (SRV, DANE, etc.) and those DNS labels are
>> definitely supposed to be treated case-insensitive.
> There are odd things in the wild, so you need to be at least
> case-preserving, both for user names and services.

I concur with case-preserving.  But EQUALITY matching rule (which also enforces
uniqueness) should be case-insensitive.

>> 2. Jordan pointed out RFC 6335.
>> => I concur with Jordan: Service names MUST be treated case-insensitive.
>> Probably recommending in an implementation note to normalize values to
>> lower-case seems also to be a good idea.
>> => People actually using case-sensitive service names to address *different*
>> services MUST clean up their local mess. But they likely have to do that anyway.
> ACK, maintaining broken systems may seem the only way for some
> organizations due to the daunting task and inter-dependencies that makes
> a clean up really hard. I have personally witnessed herculean efforts to
> migrate several hundreds diverged NIS domains into a single directory,
> and it ain't pretty. Especially if you have terabytes of data and
> numerous files with permissions to deal with. But the problem has always
> mostly been on uidNumber and gidNumber consolidation, usually
> name-mismatches have been mush easier to deal with because it is easy to
> remap usernames locally.

In those cases I tend to recommend to simply keep different LDAP server deployments.

Ciao, Michael.