[389-devel] DN normalisation design document

Noriko Hosoi nhosoi at redhat.com
Wed Mar 17 22:12:29 UTC 2010 

On 03/17/2010 01:13 PM, Andrey Ivanov wrote:
>
>>     In order to support "Old DN format including DN in the double
>>     quotes" another cn=config switch may be necessary. It seems there
>>     was recently a new switch introduced to make the dn syntax
>>     validation a little more "relaxed" - nsslapd-dn-validate-strict.
>>     Maybe this one could be used to allow for DNs with double-quoted
>>     values?
>     Actually, the way how we are going to handle the old style 'dn:
>     <type>="<nested dn>",<the rest>' is converting the old style to a
>     new style in the normalization when the server receives DNs from
>     clients and the converted new style DN is used in the rest of the
>     process.  The nsslapd-dn-validate-strict value is examined in the
>     DN syntax validation code for now.  Unless we change it, the DN
>     syntax validation code always receives the new DN style.
>
> Ok. What i wanted to say is that we should avoid any new config 
> parameters in cn=config. The way you propose to handle the problem is 
> the best one - it is completely transparent to the user, the server 
> back-end "sees" only the normalised DNs so it does not complain and no 
> additional configuration
> parameters are necessary.
>
>     That being said, are you suggesting if nsslapd-dn-validate-strict
>     is on, we should not convert an old style DN to a new style? 
>     That'd be really strict.  I'm leaning toward to the other side
>     accepting the both old and new style with no restriction.  Do you
>     see any disadvantages in allowing the old style?
>
> No, absolutely not, i agree completely with your reasoning. The code 
> should be strict but not completely rigid :) Taking care of the 
> "legacy" presentation in a transparent manner is the ideal solution.
>
>
Thanks so much for the confirmation, Andrey.  I'm working on the issue 
based on the design...
--noriko
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-devel/attachments/20100317/966deacb/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6646 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-devel/attachments/20100317/966deacb/attachment.bin

More information about the 389-devel mailing list