Re: [ldapext] why posixAccount MUST contain 'cn'?

Charlie <> Tue, 16 December 2014 17:50 UTC

Michael asked,  "Also what's the distinction of 'cn' and 'gecos' in
'posixAccount'?  It seems most NSS LDAP clients use attribute 'cn' as
gecos field today."

CN stands for Common Name.  GECOS stands for General Electric
Comprehensive Operating Supervisor.

The GECOS field in POSIX was created to hold non-Unix attributes
required by the GE COS operating system, because Dennis Ritchie and Ken
Thompson could not afford a printer, and had to print through a GCOS
system, which required user attributes Unix does not use.  Those
attributes were stuffed into the GECOS field.

Today the GECOS field is subfielded, holding multiple data items,
which might include the common name associated with the user of a
POSIX account, as well as things like office location, extension, and
home phone.  Tools like finger, chfn and adduser expect subfields
within the GECOS field, separated by commas.

I have never seen an LDAP implementation where GECOS and CN were
synonymous.  But the world's a big place, I guess!  When we create or
modify a user account, we maintain the same data in the appropriate
GECOS subfields as we do in attributes like l and homeTelephoneNumber.
This gives us broad compatibility across OSes and tools.

Sorry about the late answer...


On Sun, Dec 14, 2014 at 11:10 AM, Michael Ströder <> wrote:
> HI!
> Is there any strong reason why auxiliary object class 'posixAccount' has
> defined 'cn' as being a mandatory attribute?
> I'd be in favour of relaxing this to MAY cn in RFC2307bis.
> Also what's the distinction of 'cn' and 'gecos' in 'posixAccount'. It seems
> most NSS LDAP clients use attribute 'cn' as gecos field today.
> Ciao, Michael.
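
The comma-separated GECOS subfields described in the reply above, and the practice of keeping them in step with the LDAP attributes, shown as an added example that is not part of the original messages. The mapping of attributes to subfield slots, the function names and the sample entry are assumptions made for this illustration.

```python
import re

# Slot order used by finger/chfn-style tools: name, office, work phone, home phone.
# Which LDAP attribute feeds each slot is an assumption of this example.
GECOS_SLOTS = ("cn", "l", "telephoneNumber", "homeTelephoneNumber")
# ',' separates GECOS subfields, ':' separates passwd(5) fields, and control
# characters (newline included) would break the record format.
_FORBIDDEN = re.compile(r"[,:\x00-\x1f\x7f]")

# Constructed sample entry: the home phone stored in gecos is stale.
SAMPLE_ENTRY = {"cn": ["Alice Example"], "l": ["Room 101"],
                "telephoneNumber": ["x1234"], "homeTelephoneNumber": ["555-0100"],
                "gecos": ["Alice Example,Room 101,x1234,555-0199"]}

def clean_subfield(value):
    """Return value as a safe GECOS subfield, or raise ValueError."""
    if not value.isascii():
        # RFC 2307 gives gecos the IA5String syntax, so non-ASCII cannot be stored.
        raise ValueError("non-ASCII character in %r" % value)
    if _FORBIDDEN.search(value):
        raise ValueError("separator or control character in %r" % value)
    return value.strip()

def build_gecos(entry):
    """Build the gecos value from an LDAP entry given as {attribute: [values]}."""
    parts = [clean_subfield((entry.get(a) or [""])[0]) for a in GECOS_SLOTS]
    while parts and parts[-1] == "":
        parts.pop()  # drop empty trailing subfields
    return ",".join(parts)

def parse_gecos(gecos):
    """Split a gecos value into the named slots; anything extra lands in 'other'."""
    fields = gecos.split(",", len(GECOS_SLOTS))
    fields += [""] * (len(GECOS_SLOTS) + 1 - len(fields))
    result = dict(zip(GECOS_SLOTS, fields))
    result["other"] = fields[len(GECOS_SLOTS)]
    return result

def out_of_sync(entry):
    """List the slots where the stored gecos disagrees with the LDAP attributes."""
    stored = parse_gecos((entry.get("gecos") or [""])[0])
    return [a for a in GECOS_SLOTS if stored[a] != (entry.get(a) or [""])[0].strip()]

if __name__ == "__main__":
    print(build_gecos(SAMPLE_ENTRY))
    print(out_of_sync(SAMPLE_ENTRY))
```

Rejecting the separators at write time keeps a value supplied for one attribute from spilling into the next GECOS subfield or the next passwd field when an NSS client flattens the entry.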