Re: [ldapext] why posixAccount MUST contain 'cn'?

Michael Ströder <> Tue, 16 December 2014 22:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 757681A8871 for <>; Tue, 16 Dec 2014 14:12:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.548
X-Spam-Status: No, score=0.548 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yUVFKeDxKfoB for <>; Tue, 16 Dec 2014 14:12:01 -0800 (PST)
Received: from ( [IPv6:2a01:238:20a:202:5300::8]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E28071A87DE for <>; Tue, 16 Dec 2014 14:11:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; t=1418767904; l=7498; s=domk;; h=Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From: Date; bh=zdLn7ElgLsjzXVUz7y7Mhq8dtgs=; b=J9pgSYXG7BKsI95nrB1J+TUV5ghIEiFahp1Bf2NkkPhsO5ifsGX9YoIvbVzVClRL76f OGfRZRU0rdRTf9TW39zUt7ro3u/jEtzmJW8ekgPOWWAKariTt/KEsAgjGn+fIxBzVrQt6 ZnYniIHGJx680UhDdG4tNFo/+XQeLDifbDs=
X-RZG-AUTH: :IWUHfUGtd9+vE/nIU31usF8LLMefsb7+CgbCKRTRv1L3o9ypgEohmN2qrwj+HA==
Received: from [] ( []) by (RZmta 36.3 DYNA|AUTH) with ESMTPSA id Y03b67qBGMBhycV (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "SuperAdmin", Issuer "Interims-CA" (verification FAILED - unable to verify the first certificate)) (Client hostname not verified); Tue, 16 Dec 2014 23:11:43 +0100 (CET)
Message-ID: <>
Date: Tue, 16 Dec 2014 23:11:40 +0100
From: =?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?= <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1
MIME-Version: 1.0
To: Charlie <>
References: <> <>
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms050500030301000001050600"
Cc: ldapext <>
Subject: Re: [ldapext] why posixAccount MUST contain 'cn'?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 Dec 2014 22:12:03 -0000


Charlie wrote:
> Michael asked,  "Also what's the distinction of 'cn' and 'gecos' in
> 'posixAccount'?  It seems most NSS LDAP clients use attribute 'cn' as
> gecos field today."

Ah, someone answers my original question! Thanks! :-)

> Today the GECOS field is subfielded, holding multiple data items,

Frankly I never saw more things like the user's full name put in the GECOS
field or a short description for a demon's system account. My personal usage
of finger is 17+ years ago.

> I have never seen an LDAP implementation where GECOS and CN were
> synonymous.

Hmm, one can only have either LDAP attribute 'cn' or 'gecos' appearing as
passwd's GECOS field.

Anyway this is one more reason to question whether posixAccount (or a future
object class serving the same purpose) should have 'cn' (or similar name
attribute) as mandatory attribute.

In one of my recent setups the NSS LDAP clients can't even read 'cn' or
'gecos'. So "getent passwd" will simply return an empty GECOS field. The
system admins are supposed to use LDAP client to find out more about a user's
account. Yes, it's a paranoid setup.

Ciao, Michael.