Re: [ldapext] why posixAccount MUST contain 'cn'?

Michael Ströder <michael@stroeder.com> Thu, 18 December 2014 11:08 UTC

To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>, Luke Howard <lukeh@padl.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ldapext/gJ00W_Fxufl7oUS2HwYtDAL18sM
Cc: Ldapext <ldapext@ietf.org>, Jim Willeke <jim@willeke.com>

Andrew Findlay wrote:
> On Thu, Dec 18, 2014 at 11:43:03AM +1100, Luke Howard wrote:
> 
>> The only issue might be that some clients reject entries that are missing “cn”.
> 
> That would be an error in itself, as even mandatory attributes can be
> hidden by access control and the GECOS field is often empty in
> /etc/passwd entries so it is clearly not essential.

Yepp. That's the case with my paranoid setup where a person's name must not be
disclosed to the attached systems. AFAICS the modern NSS clients can deal with
that.

Ciao, Michael.
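
The client behaviour discussed in this message, as an added example that is not part of the original post or of any NSS implementation: a Python mapping from a posixAccount entry to a passwd line that treats 'cn' and 'gecos' as optional, so an entry whose name attributes are hidden by access control is still accepted. The function names, the gecos-then-cn fallback and the sample entries are assumptions made for illustration.

```python
# Added example with constructed data; names here are hypothetical.
# Attributes a client needs to build a passwd record. 'cn' is deliberately
# not listed: the server's access control may hide it from this client.
NEEDED = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def first(entry, attr):
    """Return the first value of an attribute, or None if absent or hidden."""
    values = entry.get(attr.lower()) or []
    return values[0] if values else None


def clean(field):
    """Drop characters that would corrupt a colon-separated passwd line."""
    return "".join(ch for ch in field if ch not in ":\r\n")


def is_id(value):
    """Accept only plain ASCII decimal numbers for uidNumber/gidNumber."""
    return value.isascii() and value.isdigit()


def to_passwd(raw_entry):
    """Map an entry (dict: attribute name -> list of str) to a passwd line.

    Returns None only when an attribute the passwd record itself needs is
    missing or malformed; a missing 'cn' is not treated as an error.
    """
    # LDAP attribute names are case-insensitive, so normalise the keys.
    entry = {name.lower(): vals for name, vals in raw_entry.items()}
    if any(first(entry, attr) is None for attr in NEEDED):
        return None
    uid_number, gid_number = first(entry, "uidNumber"), first(entry, "gidNumber")
    if not (is_id(uid_number) and is_id(gid_number)):
        return None
    # GECOS: use 'gecos', else 'cn', else empty as in many /etc/passwd lines.
    gecos = first(entry, "gecos") or first(entry, "cn") or ""
    shell = first(entry, "loginShell") or ""
    fields = [first(entry, "uid"), "x", uid_number, gid_number,
              gecos, first(entry, "homeDirectory"), shell]
    return ":".join(clean(field) for field in fields)


# Constructed sample: what a client sees when 'cn' and 'gecos' are hidden.
HIDDEN_CN = {"uid": ["alice"], "uidNumber": ["1001"], "gidNumber": ["1001"],
             "homeDirectory": ["/home/alice"], "loginShell": ["/bin/sh"]}
# Constructed sample: the same entry read with permission to see 'cn'.
WITH_CN = dict(HIDDEN_CN, cn=["Alice Example"])
```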