MIME-Version: 1.0
In-Reply-To: <5490AE1C.6010004@stroeder.com>
References: <548DB67C.5060009@stroeder.com>
 <CAJb3uA7JW7aOVP2=HuOZ+_roCy8t0d07XgyR5cJNs1PU+V77kA@mail.gmail.com>
 <5490AE1C.6010004@stroeder.com>
From: Jim Willeke <jim@willeke.com>
Date: Wed, 17 Dec 2014 04:21:18 -0500
Message-ID: <CAB3ntOsZSCEzmmxzGCDAx_GRSVzNERPxbGAM=9UjmFbgqe18Mg@mail.gmail.com>
To: =?UTF-8?Q?Michael_Str=C3=B6der?= <michael@stroeder.com>
Content-Type: multipart/alternative; boundary=20cf30434866be452d050a6600b9
Archived-At: http://mailarchive.ietf.org/arch/msg/ldapext/dSVvWoLmxmIFpk7I3ttFuQgWcFo
Cc: ldapext <ldapext@ietf.org>
Subject: Re: [ldapext] why posixAccount MUST contain 'cn'?
Precedence: list

--20cf30434866be452d050a6600b9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Usually see only one value in GECOS.
Most of the ones we deal with are when we are doing conversions from NIS or
NIS+.

Sometimes it is used to hold the employeeNumber or something unique and
static to the organization.
Using multiple values which are derived from other LDAP attributes is more
difficult as some mechanism must be used to maintain the "duplicate" GECOS
value(s).

=E1=90=A7

--
-jim
Jim Willeke

On Tue, Dec 16, 2014 at 5:11 PM, Michael Str=C3=B6der <michael@stroeder.com=
>
wrote:
>
> Charlie,
>
> Charlie wrote:
> > Michael asked,  "Also what's the distinction of 'cn' and 'gecos' in
> > 'posixAccount'?  It seems most NSS LDAP clients use attribute 'cn' as
> > gecos field today."
>
> Ah, someone answers my original question! Thanks! :-)
>
> > Today the GECOS field is subfielded, holding multiple data items,
>
> Frankly I never saw more things like the user's full name put in the GECO=
S
> field or a short description for a demon's system account. My personal
> usage
> of finger is 17+ years ago.
>
> > I have never seen an LDAP implementation where GECOS and CN were
> > synonymous.
>
> Hmm, one can only have either LDAP attribute 'cn' or 'gecos' appearing as
> passwd's GECOS field.
>
> Anyway this is one more reason to question whether posixAccount (or a
> future
> object class serving the same purpose) should have 'cn' (or similar name
> attribute) as mandatory attribute.
>
> In one of my recent setups the NSS LDAP clients can't even read 'cn' or
> 'gecos'. So "getent passwd" will simply return an empty GECOS field. The
> system admins are supposed to use LDAP client to find out more about a
> user's
> account. Yes, it's a paranoid setup.
>
> Ciao, Michael.
>
>
> _______________________________________________
> Ldapext mailing list
> Ldapext@ietf.org
> https://www.ietf.org/mailman/listinfo/ldapext
>
>

--20cf30434866be452d050a6600b9
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Usually see only one value in GECOS.<div>Most of the ones =
we deal with are when we are doing conversions from NIS or NIS+.</div><div>=
<br><div>Sometimes it is used to hold the employeeNumber or something uniqu=
e and static to the organization.</div></div><div>Using multiple values whi=
ch are derived from other LDAP attributes is more difficult as some mechani=
sm must be used to maintain the &quot;duplicate&quot; GECOS value(s).</div>=
<div><br></div><div hspace=3D"streak-pt-mark" style=3D"max-height:1px"><img=
 style=3D"width:0px; max-height:0px;" src=3D"https://mailfoogae.appspot.com=
/t?sender=3DaamltQHdpbGxla2UuY29t&amp;type=3Dzerocontent&amp;guid=3Dda3f9f0=
2-e81d-4244-aefd-aa6563fb5b3c"><font color=3D"#ffffff" size=3D"1">=E1=90=A7=
</font></div></div><div class=3D"gmail_extra"><br clear=3D"all"><div><div c=
lass=3D"gmail_signature"><div><span style=3D"background-color:rgb(153,153,1=
53)">--</span></div><span style=3D"background-color:rgb(153,153,153)">-jim<=
br>Jim Willeke</span></div></div>
<br><div class=3D"gmail_quote">On Tue, Dec 16, 2014 at 5:11 PM, Michael Str=
=C3=B6der <span dir=3D"ltr">&lt;<a href=3D"mailto:michael@stroeder.com" tar=
get=3D"_blank">michael@stroeder.com</a>&gt;</span> wrote:<blockquote class=
=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padd=
ing-left:1ex">Charlie,<br>
<span class=3D""><br>
Charlie wrote:<br>
&gt; Michael asked,=C2=A0 &quot;Also what&#39;s the distinction of &#39;cn&=
#39; and &#39;gecos&#39; in<br>
&gt; &#39;posixAccount&#39;?=C2=A0 It seems most NSS LDAP clients use attri=
bute &#39;cn&#39; as<br>
&gt; gecos field today.&quot;<br>
<br>
</span>Ah, someone answers my original question! Thanks! :-)<br>
<span class=3D""><br>
&gt; Today the GECOS field is subfielded, holding multiple data items,<br>
<br>
</span>Frankly I never saw more things like the user&#39;s full name put in=
 the GECOS<br>
field or a short description for a demon&#39;s system account. My personal =
usage<br>
of finger is 17+ years ago.<br>
<span class=3D""><br>
&gt; I have never seen an LDAP implementation where GECOS and CN were<br>
&gt; synonymous.<br>
<br>
</span>Hmm, one can only have either LDAP attribute &#39;cn&#39; or &#39;ge=
cos&#39; appearing as<br>
passwd&#39;s GECOS field.<br>
<br>
Anyway this is one more reason to question whether posixAccount (or a futur=
e<br>
object class serving the same purpose) should have &#39;cn&#39; (or similar=
 name<br>
attribute) as mandatory attribute.<br>
<br>
In one of my recent setups the NSS LDAP clients can&#39;t even read &#39;cn=
&#39; or<br>
&#39;gecos&#39;. So &quot;getent passwd&quot; will simply return an empty G=
ECOS field. The<br>
system admins are supposed to use LDAP client to find out more about a user=
&#39;s<br>
account. Yes, it&#39;s a paranoid setup.<br>
<br>
Ciao, Michael.<br>
<br>
<br>_______________________________________________<br>
Ldapext mailing list<br>
<a href=3D"mailto:Ldapext@ietf.org">Ldapext@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/ldapext" target=3D"_blank"=
>https://www.ietf.org/mailman/listinfo/ldapext</a><br>
<br></blockquote></div></div>

--20cf30434866be452d050a6600b9--