Re: [ldapext] Case sensitivity summary

Simo Sorce <simo@redhat.com> Fri, 04 December 2015 15:40 UTC

Return-Path: <simo@redhat.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A27131A8855 for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:40:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.611
X-Spam-Level:
X-Spam-Status: No, score=-6.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T6dSF--0wm0F for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:40:13 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E12F01A87F1 for <ldapext@ietf.org>; Fri, 4 Dec 2015 07:40:12 -0800 (PST)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (Postfix) with ESMTPS id 4FE478F28A; Fri, 4 Dec 2015 15:40:12 +0000 (UTC)
Received: from willson.usersys.redhat.com ([10.3.113.3]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id tB4FeAOs006204 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 4 Dec 2015 10:40:11 -0500
Message-ID: <1449243610.3445.58.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Michael =?ISO-8859-1?Q?Str=F6der?= <michael@stroeder.com>
Date: Fri, 04 Dec 2015 10:40:10 -0500
In-Reply-To: <56619C8C.1010805@stroeder.com>
References: <20151204123810.GA8983@slab.skills-1st.co.uk> <56619C8C.1010805@stroeder.com>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/p8JFugEGb3GcqMm4JnSjgA6ouyE>
Cc: LDAP Extensions list <ldapext@ietf.org>, Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Subject: Re: [ldapext] Case sensitivity summary
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 15:40:18 -0000

On Fri, 2015-12-04 at 15:00 +0100, Michael Ströder wrote:
> Andrew Findlay wrote:
> > We are not going to define a standard that forces everyone to do everything
> > 'right' while providing interworking of differing systems. It is simply
> > not possible.
> 
> That perfectly summarizes this topic.
> Thanks Andrew, for this clear statement.
> 
> Let's keep the scope right.
> 
> > Overall I think we are heading for something like this:
> > 
> > 1)	Usernames and groupnames should have caseIgnoreMatch syntax
> > 
> > 2)	Usernames and groupnames should preferably be stored in lower-case in
> > 	cultures where that has meaning. Remember that LDAP is case-preserving
> > 	even for case-insensitive attributes.
> > 
> > 3)	Systems that are internally case-sensitive should take extra care
> > 	when using data from LDAP.
> > 
> > I know this conflicts with Mark's wish to be able to import existing
> > NIS data unchanged to cope with weird existing situations, but I see that 
> > as a special case that may be better handled in another way.
> 
> +1 !!!
> 
> (That's pretty much exactly what I planned to suggest.)
> 
> > Note that the above discussion *only* applies to usernames and groupnames.
> > Unix-specific mappings such as automount maps are a different issue.
> 
> automount maps are maybe a similar topic like generating 'homeDirectory' values
> for $HOME on case-sensitive file-systems based on user names.  For this
> RECOMMENDing that usernames are normalized to lower-case is really helpful.

This is exactly what we did in FreeIPA too, we automatically convert the
user name entered in lower case. We have no issues with "uncertain
rules" about casefolding because we restricted the valid charset to
Unicode and within unicode casfolding *to* lower case is not ambiguous
and part of the standard.
I think we further limit the interface to "Western charset" (read
printable ASCII chars), but that is a restriction we can and will relax
at some point.

> Regarding service names:
> 
> (Personally I never saw any customer LDAP deployment storing a services map.)
> 
> 1. Service names are used in DNS RRs (SRV, DANE, etc.) and those DNS labels are
> definitely supposed to be treated case-insensitive.

There are odd things in the wild, so you need to be at least
case-preserving, both for user names and services.

> 2. Jordan pointed out RFC 6335.
> 
> => I concur with Jordan: Service names MUST be treated case-insensitive.
> Probably recommending in an implementation note to normalize values to
> lower-case seems also to be a good idea.
> 
> => People actually using case-sensitive service names to address *different*
> services MUST clean up their local mess. But they likely have to do that anyway.

ACK, maintaining broken systems may seem the only way for some
organizations due to the daunting task and inter-dependencies that makes
a clean up really hard. I have personally witnessed herculean efforts to
migrate several hundreds diverged NIS domains into a single directory,
and it ain't pretty. Especially if you have terabytes of data and
numerous files with permissions to deal with. But the problem has always
mostly been on uidNumber and gidNumber consolidation, usually
name-mismatches have been mush easier to deal with because it is easy to
remap usernames locally.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York