Home

Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Case insensitive attributes in eDir, why and howto change?

  1. #1
    Join Date
    Dec 2014
    Posts
    50

    Case insensitive attributes in eDir, why and howto change?


    We have a NetIQ IDM SOAP driver (publisher only) in place and recently
    we have discovered discrepancies between our HRM source and eDir.
    Eg.: in the source the Given Name is 'John', in eDir it's 'john'. I have
    looked at the eDir schema and Given Name is a Case Ignore String. Why is
    in eDir the Given Name (and Surname etc.etc.) case insensitive? I
    clearly don't want that. Can I change it to case sensitive? In my
    example, there must have been a SOAP message at some point that should
    have changed 'john' into 'John' but alas...


    --
    joer999
    ------------------------------------------------------------------------
    joer999's Profile: https://forums.netiq.com/member.php?userid=6162
    View this thread: https://forums.netiq.com/showthread.php?t=54930


  2. #2

    Re: Case insensitive attributes in eDir, why and howto change?

    On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:

    > We have a NetIQ IDM SOAP driver (publisher only) in place and recently
    > we have discovered discrepancies between our HRM source and eDir. Eg.:
    > in the source the Given Name is 'John', in eDir it's 'john'. I have
    > looked at the eDir schema and Given Name is a Case Ignore String. Why is
    > in eDir the Given Name (and Surname etc.etc.) case insensitive?


    Many attributes are Case Ignore, and have been since the original NDS
    schema was published.


    > I
    > clearly don't want that. Can I change it to case sensitive?


    In theory? Yes. I haven't tried to do so, but an LDIF modification to the
    schema should work. I've done other modifications to the base schema in
    the past, just not this one.

    See, for example, TID #7008201

    https://www.novell.com/support/kb/doc.php?id=7008201


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.microfocus.com

    Please post questions in the forums. No support provided via email.
    If you find this post helpful, please click on the star below.

  3. #3

    Re: Case insensitive attributes in eDir, why and howto change?

    On 12/15/2015 08:00 AM, David Gersic wrote:
    > On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
    >
    >> We have a NetIQ IDM SOAP driver (publisher only) in place and recently
    >> we have discovered discrepancies between our HRM source and eDir. Eg.:
    >> in the source the Given Name is 'John', in eDir it's 'john'. I have
    >> looked at the eDir schema and Given Name is a Case Ignore String. Why is
    >> in eDir the Given Name (and Surname etc.etc.) case insensitive?

    >
    > Many attributes are Case Ignore, and have been since the original NDS
    > schema was published.


    Beyond that, this is by RFC spec, so if you check the LDAP specs this is
    normal and desirable. Why? Have you ever tried to lookup a user by name
    and had to get the case exact for a match to be found? For example: go to
    a whitepage application, search for 'AARON' and not find 'Aaron' or
    'aaron' or anything like that? That would be terrible; directories are
    designed to have a lot of things case-ignore (not case-insensitive) on
    matches for this very reason. Case-insensitive means there is no case at
    all, where case-ignore means the case is there, but matching is done
    case-insensitively so you can match regardless of case.

    >> clearly don't want that. Can I change it to case sensitive?


    Only if you do not plan on ever matching on the data; chances are very
    good you do want this. Changing case-only can be done by removing and
    re-adding the value.

    Alternatively: have your HR folks not typo stuff. :-)

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  4. #4

    Re: Case insensitive attributes in eDir, why and howto change?

    On Tue, 15 Dec 2015 15:29:37 +0000, ab wrote:

    > On 12/15/2015 08:00 AM, David Gersic wrote:
    >> On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
    >>
    >>> We have a NetIQ IDM SOAP driver (publisher only) in place and recently
    >>> we have discovered discrepancies between our HRM source and eDir. Eg.:
    >>> in the source the Given Name is 'John', in eDir it's 'john'. I have
    >>> looked at the eDir schema and Given Name is a Case Ignore String. Why
    >>> is in eDir the Given Name (and Surname etc.etc.) case insensitive?

    >>
    >> Many attributes are Case Ignore, and have been since the original NDS
    >> schema was published.

    >
    > Beyond that, this is by RFC spec, so if you check the LDAP specs this is
    > normal and desirable. Why? Have you ever tried to lookup a user by
    > name and had to get the case exact for a match to be found? For
    > example: go to a whitepage application, search for 'AARON' and not find
    > 'Aaron' or 'aaron' or anything like that? That would be terrible;
    > directories are designed to have a lot of things case-ignore (not
    > case-insensitive) on matches for this very reason. Case-insensitive
    > means there is no case at all, where case-ignore means the case is
    > there, but matching is done case-insensitively so you can match
    > regardless of case.


    Agreed, but from an IDM perspective, which is where this question
    originates, C_I_String is problematic, because the engine does exactly
    that and then assumes that 'Aaron' is the same as 'aaron', annoying the
    end users who want their names to be spelled and typed correctly.


    >>> clearly don't want that. Can I change it to case sensitive?

    >
    > Only if you do not plan on ever matching on the data; chances are very
    > good you do want this. Changing case-only can be done by removing and
    > re-adding the value.
    >
    > Alternatively: have your HR folks not typo stuff. :-)


    If you want to bring this discussion over to the idm.engine-drivers
    forum, we can help you change the driver policies to handle this
    situation, without needing to hack the schema.


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.microfocus.com

    Please post questions in the forums. No support provided via email.
    If you find this post helpful, please click on the star below.

  5. #5
    Join Date
    Dec 2014
    Posts
    50

    Re: Case insensitive attributes in eDir, why and howto change?


    dgersic;263392 Wrote:
    > On Tue, 15 Dec 2015 15:29:37 +0000, ab wrote:
    >
    > > On 12/15/2015 08:00 AM, David Gersic wrote:
    > >> On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
    > >>
    > >>> We have a NetIQ IDM SOAP driver (publisher only) in place and

    > recently
    > >>> we have discovered discrepancies between our HRM source and eDir.

    > Eg.:
    > >>> in the source the Given Name is 'John', in eDir it's 'john'. I have
    > >>> looked at the eDir schema and Given Name is a Case Ignore String.

    > Why
    > >>> is in eDir the Given Name (and Surname etc.etc.) case insensitive?
    > >>
    > >> Many attributes are Case Ignore, and have been since the original

    > NDS
    > >> schema was published.

    > >
    > > Beyond that, this is by RFC spec, so if you check the LDAP specs this

    > is
    > > normal and desirable. Why? Have you ever tried to lookup a user by
    > > name and had to get the case exact for a match to be found? For
    > > example: go to a whitepage application, search for 'AARON' and not

    > find
    > > 'Aaron' or 'aaron' or anything like that? That would be terrible;
    > > directories are designed to have a lot of things case-ignore (not
    > > case-insensitive) on matches for this very reason. Case-insensitive
    > > means there is no case at all, where case-ignore means the case is
    > > there, but matching is done case-insensitively so you can match
    > > regardless of case.

    >
    > Agreed, but from an IDM perspective, which is where this question
    > originates, C_I_String is problematic, because the engine does exactly
    > that and then assumes that 'Aaron' is the same as 'aaron', annoying the
    > end users who want their names to be spelled and typed correctly.
    >
    >
    > >>> clearly don't want that. Can I change it to case sensitive?

    > >
    > > Only if you do not plan on ever matching on the data; chances are

    > very
    > > good you do want this. Changing case-only can be done by removing

    > and
    > > re-adding the value.
    > >
    > > Alternatively: have your HR folks not typo stuff. :-)

    >
    > If you want to bring this discussion over to the idm.engine-drivers
    > forum, we can help you change the driver policies to handle this
    > situation, without needing to hack the schema.
    >
    >
    > --
    > --------------------------------------------------------------------------
    > David Gersic
    > dgersic_@_niu.edu
    > Knowledge Partner
    > http://forums.microfocus.com
    >
    > Please post questions in the forums. No support provided via
    > email.
    > If you find this post helpful, please click on the star below.

    Yes, eDir is our source for MAD en Blackboard (eLearning) and people
    find it annoying that (a part of) their name has the wrong case in for
    instance the Outlook Address Lists.
    First I will try your link and ldif suggestion to change the properties
    of the attributes (in a testing environment of course). Maybe I will
    start a thread in the IDM forum but hopefully I will be able to think of
    something by myself, policy and dirxml way.


    --
    joer999
    ------------------------------------------------------------------------
    joer999's Profile: https://forums.netiq.com/member.php?userid=6162
    View this thread: https://forums.netiq.com/showthread.php?t=54930


  6. #6
    Join Date
    Dec 2014
    Posts
    50

    Re: Case insensitive attributes in eDir, why and howto change?


    ab;263388 Wrote:
    > On 12/15/2015 08:00 AM, David Gersic wrote:
    > > On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
    > >
    > >> We have a NetIQ IDM SOAP driver (publisher only) in place and

    > recently
    > >> we have discovered discrepancies between our HRM source and eDir.

    > Eg.:
    > >> in the source the Given Name is 'John', in eDir it's 'john'. I have
    > >> looked at the eDir schema and Given Name is a Case Ignore String. Why

    > is
    > >> in eDir the Given Name (and Surname etc.etc.) case insensitive?

    > >
    > > Many attributes are Case Ignore, and have been since the original NDS
    > > schema was published.

    >
    > Beyond that, this is by RFC spec, so if you check the LDAP specs this
    > is
    > normal and desirable. Why? Have you ever tried to lookup a user by
    > name
    > and had to get the case exact for a match to be found? For example: go
    > to
    > a whitepage application, search for 'AARON' and not find 'Aaron' or
    > 'aaron' or anything like that? That would be terrible; directories are
    > designed to have a lot of things case-ignore (not case-insensitive) on
    > matches for this very reason. Case-insensitive means there is no case
    > at
    > all, where case-ignore means the case is there, but matching is done
    > case-insensitively so you can match regardless of case.
    >
    > >> clearly don't want that. Can I change it to case sensitive?

    >
    > Only if you do not plan on ever matching on the data; chances are very
    > good you do want this. Changing case-only can be done by removing and
    > re-adding the value.
    >
    > Alternatively: have your HR folks not typo stuff. :-)
    >
    > --
    > Good luck.
    >
    > If you find this post helpful and are logged into the web interface,
    > show your appreciation and click on the star below...

    When I change in MAD a Given Name form 'john' to 'John' then, contrary
    to eDir, the new name is stored. When I search in AD on 'john' then all
    the John's en john's pop up.
    I am not sure I follow your case-insensitive-case-ignore bit. Given Name
    is Case Ignore String in eDir so the case is there but not used for
    matching. In that case, shouldn't eDir accept the same value but in a
    different case as a new value for Given Name?
    Anyway, in my opinion eDir should behave the same as MAD in this
    respect: matching is done case-ignore by default but updating an
    attribute is case-sensitive + attributes case-sensitive by default.


    --
    joer999
    ------------------------------------------------------------------------
    joer999's Profile: https://forums.netiq.com/member.php?userid=6162
    View this thread: https://forums.netiq.com/showthread.php?t=54930


  7. #7

    Re: Case insensitive attributes in eDir, why and howto change?

    On Wed, 16 Dec 2015 08:26:49 +0000, joer999 wrote:

    > When I change in MAD a Given Name form 'john' to 'John' then, contrary
    > to eDir, the new name is stored. When I search in AD on 'john' then all
    > the John's en john's pop up.
    > I am not sure I follow your case-insensitive-case-ignore bit. Given Name
    > is Case Ignore String in eDir so the case is there but not used for
    > matching. In that case, shouldn't eDir accept the same value but in a
    > different case as a new value for Given Name? Anyway, in my opinion eDir
    > should behave the same as MAD in this respect: matching is done
    > case-ignore by default but updating an attribute is case-sensitive +
    > attributes case-sensitive by default.


    eDirectory stores and preserves whatever case you give it. Your problem
    isn't eDirectory.

    The IDM engine attempts to minimize changes (writes) by checking to see
    if the change even needs to be made before making it, because eDirectory
    is faster at reads/compares than at writes.

    Come over to idm.engine-drivers and we'll fix you up there.


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.microfocus.com

    Please post questions in the forums. No support provided via email.
    If you find this post helpful, please click on the star below.

  8. #8
    Join Date
    Dec 2014
    Posts
    50

    Re: Case insensitive attributes in eDir, why and howto change?


    dgersic;263442 Wrote:
    > On Wed, 16 Dec 2015 08:26:49 +0000, joer999 wrote:
    >
    > > When I change in MAD a Given Name form 'john' to 'John' then, contrary
    > > to eDir, the new name is stored. When I search in AD on 'john' then

    > all
    > > the John's en john's pop up.
    > > I am not sure I follow your case-insensitive-case-ignore bit. Given

    > Name
    > > is Case Ignore String in eDir so the case is there but not used for
    > > matching. In that case, shouldn't eDir accept the same value but in a
    > > different case as a new value for Given Name? Anyway, in my opinion

    > eDir
    > > should behave the same as MAD in this respect: matching is done
    > > case-ignore by default but updating an attribute is case-sensitive +
    > > attributes case-sensitive by default.

    >
    > eDirectory stores and preserves whatever case you give it. Your problem
    > isn't eDirectory.

    For sure I'm being pig-headed but... When in iManager I go to an account
    in the eDir tree and manually change the Given Name from 'John' to
    'john', the latter is not stored.
    > The IDM engine attempts to minimize changes (writes) by checking to see
    > if the change even needs to be made before making it, because eDirectory
    > is faster at reads/compares than at writes.

    I understand but to be honest I hate that. When I tell IDM or eDir to do
    something, e.g. replace a value, I just want it to do that and not to
    start thinking for itself. And in my opinion it's all a bit redundant
    nowadays with those highly scalable VM's.
    > Come over to idm.engine-drivers and we'll fix you up there.

    Thank you. Maybe later on. I'm allmost there with my schema update. Case
    Exact String = 1.3.6.1.4.1.1466.115.121.1.26. I want to see if it's
    possible and what the results are but I don't think it's the way to go
    because changing the definition of a default attribute will probably
    lead to other problems.


    --
    joer999
    ------------------------------------------------------------------------
    joer999's Profile: https://forums.netiq.com/member.php?userid=6162
    View this thread: https://forums.netiq.com/showthread.php?t=54930


  9. #9
    Join Date
    Dec 2014
    Posts
    50

    Re: Case insensitive attributes in eDir, why and howto change?


    dgersic;263385 Wrote:
    > On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
    >
    > > We have a NetIQ IDM SOAP driver (publisher only) in place and recently
    > > we have discovered discrepancies between our HRM source and eDir. Eg.:
    > > in the source the Given Name is 'John', in eDir it's 'john'. I have
    > > looked at the eDir schema and Given Name is a Case Ignore String. Why

    > is
    > > in eDir the Given Name (and Surname etc.etc.) case insensitive?

    >
    > Many attributes are Case Ignore, and have been since the original NDS
    > schema was published.
    >
    >
    > > I
    > > clearly don't want that. Can I change it to case sensitive?

    >
    > In theory? Yes. I haven't tried to do so, but an LDIF modification to
    > the
    > schema should work. I've done other modifications to the base schema in
    > the past, just not this one.
    >
    > See, for example, TID #7008201
    >
    > https://www.novell.com/support/kb/doc.php?id=7008201
    >
    >
    > --
    > --------------------------------------------------------------------------
    > David Gersic dgersic_@_niu.edu
    > Knowledge Partner http://forums.microfocus.com
    >
    > Please post questions in the forums. No support provided via email.
    > If you find this post helpful, please click on the star below.

    Error.
    Trying to change givenName from Case Ignore String to Case Exact String.
    Ldapmodify (OpenLDAP) gives me "ldap_modify: No such object (32)
    additional info: NDS error: no such entry (-601)" on this ldif:
    > dn: cn=schema,cn=config
    > changetype: modify
    > delete: attributetypes
    > attributeTypes: attributeTypes: (2.5.4.42)
    > -
    > add: attributetypes
    > attributeTypes: (2.5.4.42 NAME 'givenName' SYNTAX
    > 1.3.6.1.4.1.1466.115.121.1.26{32} X-NDS_NAME 'Given Name'
    > X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '32' X-NDS_PUBLIC_READ '1'
    > X-NDS_NONREMOVABLE '1')
    >

    I connect as Admin. Am I doing something wrong or is a modify of this
    type not permitted but with a vague error message?


    --
    joer999
    ------------------------------------------------------------------------
    joer999's Profile: https://forums.netiq.com/member.php?userid=6162
    View this thread: https://forums.netiq.com/showthread.php?t=54930


  10. #10

    Re: Case insensitive attributes in eDir, why and howto change?

    On Thu, 17 Dec 2015 11:14:02 +0000, joer999 wrote:


    > Trying to change givenName from Case Ignore String to Case Exact String.


    I did something similar once with:

    Code:
    dn: cn=schema
    changetype: modify
    delete: attributeTypes
    attributeTypes: ( 2.16.840.1.113719.1.33.4.7 NAME 'nrfLocalizedNames'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64512} SINGLE-VALUE
    X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1' )
    -
    add: attributeTypes
    attributeTypes: ( 2.16.840.1.113719.1.33.4.7 NAME 'nrfLocalizedNames'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64512} SINGLE-VALUE
    X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1' )

    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.microfocus.com

    Please post questions in the forums. No support provided via email.
    If you find this post helpful, please click on the star below.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •