Oracle Internet Directory OID - Distinguished Name DN

OID DN Distinguished Name and its case - Uppercase or Lowercase and spacing between attributes

A LDAP server like OID provides graphical as well as command line interface for an administrator to view, edit, search the Directory server for various operations. This post deals with following issues
(1) issue about  changing the case of the DN or Distinguished Name letters- viz from "User" to "user" as in for example,  cn=Users, dc=company, dc=com
(2) whether OID LDAP server is case insensitive for the Distinguished Names 
(3) whether space (whitespace) between the comma separated RDN (Here is reference to what is DN (Distinguished Name) and RDN (Relative Distinguished Name) ) matters 

(1) issue about  changing the case of the DN
In order to confirm whether the case in U or u i.e. Uppercase U and lowercase u matters, following was run on OID 11.1.1.6. The test case was to validate whether OID differentiates between
cn=Users, dc=company, dc=com
cn=users, dc=company, dc=com

The test case created one user with cn entry with Uppercase U and another user with cn entry with lowercase u
See results below with screenshots

--------------------------------------------------------------------------------------------------------------------------
Here is the original question posted in Oracle forum
Currently OID is using the below DN name but we have noticed there is a space in between Users and domain(cn=Users, dc=company). Now we would like to remove the space in between them also needs to update the Users from upper case 'U' to lower case 'u'. Please provide is there any command to update the same.

cn=Users, dc=company,dc=com    -->  cn=users,dc=company,dc=com
--------------------------------------------------------------------------------------------------------------------------


The case for Users vs users does not matter for OID when it lists the entries.
user3 was created with  cn=users (lowercase u  in users)
user1 was created with  cn=Users (uppercase U in Users)
Both above users were created under the same Directory Tree (only the cn entry for changed, lowercase u and uppercase U)

See below screenshot with user1




























See below screenshot for user3





























See below screenshot how the cn entry was manually entered as cn=users,... (lowercase) when creating user3.

















user3 was created with  cn=users (lowercase u  in users)
user1 was created with  cn=Users (uppercase U in Users)
See above Distinguised Name of the users, both are in the same DIT, but one shows with lowercase u and second one shows with Uppercase U.
Also see below screenshot for output of ldapsearch, for cn=users and second one for cn=Users, provided in the ldapsearch parameters. Both outputs are same, showing that ldapsearch treats them as same.

See above, when ldapsearch -b option is given cn=Users or cn=users, both give the same output.

However, note that since user3 was created with with cn=users (lowercase), it is reported by ldapsearch with lowercase (just for reporting or output purposes) See below screenshot.

(2) whether OID LDAP server is case insensitive for the Distinguished Names 
Example showing ldapsearch treats the DN values as case insensitive or the case does not matter. Below shows output of two ldapsearch, one is with cn=john and the other is with cn=JOHN. Both give the same output. This shows that OID treats the DN entries for john or JOHN as being same.
















Another confirmation that OID LDAP server treats the DN entry for john or JOHN as same - is by trying to create another user entry, this time for "john", since "JOHN" already existed. Result: OID did not allow the user entry for "john" to be created. Following was the error given by OID when this was attempted.










See above error when trying to create a new entry for user "john" (all lowercase). The entry for user "JOHN" already existed and OID disallowed the creation of this user with all lowercase letters. The LDAP error code 68 reported - Object already exists.

(3) whether space (whitespace) between the comma separated RDN (Here is reference to what is DN (Distinguished Name) and RDN (Relative Distinguished Name) ) matters
Now the issue regarding whitespace between each of the RDN members (in the screenshot below, several whitespaces have been put between cn=Users and dc=dsa).
With regards to spaces between cn=Users and dc entry, the ldapsearch command ignores the whitespaces. See below output with ldapsearch where I have provided lots of whitespace between cn=users entry and dc=  entry. The output of the command has clearly ignored extra whitespaces.

In summary, you should be fine with whitespaces between cn=Users,   and dc= entry.
Distinguished Name Case Sensitivity is dependent on the LDAP Server Implementation and the LDAP Protocol Exchange you are performing. During a bind Request, the Distinguished Name SHOULD NOT be case sensitive regardless of the makeup of the attributes (RDNs) within the Distinguished Name.
However, to be sure test your LDAP server by running these tests as provided above to confirm that your LDAP server is indeed case insensitive or is NOT case sensitive.



Comments

Post a Comment

Popular posts from this blog

VMware fix for Invalid manifest and ova file import failed errors

Image
Recently we got a OVA file for a virtual machine. The vendor instructions were to import the ova file in vmware Workstation, Player for Windows/Linux, Fusion for Mac, and VirtualBox as well.  The instructions were to take the available package and launch the VM with VMware workstation. The package contained  Module.mf, Module.ovf and Module-disk.vmdk and a Module.ova file. The .mf and .ovf file were 2 KB each whereas the vmdk was several gigs. The package also contained a Module.ova file which was several gigs as well. OVF           Open Virtualization Format MF             Manifest file VMDK       Virtual Machine Disk OVA           Open Virtualization Appliance The ovf file is a xml file that contains metadata for the ovf package The mf file contains the SHA1 hash codes of all files in the package The vmdk file is the disk image of the virtual machine,  VMware Workstation or VirtualBox. (vmdk format was originally developed by VMware and is an open format now). All of
Read more

SOAPUI - import certificate

Image
Note: SoapUI has two versions, one is open source and second Professional version. The open source can be download here . (confirmed link 12/19/2018). SSL Handshake issue:   There is an Issue in SoapUI version 5.3.0 (and 5.2.0 version) with SSL handshake error. It was resolved by updating below in vmoptions file ( refer here ). However, the error that shows up while trying to load wsdl is "Error loading WSDL" as below The fix is to Enable TLS 1.2 protocol for SOAP/REST calls in SoapUI, by ammending the vmoptions file to add the directive for TLS as (-Dsoapui.https.protocols=TLSv1.2). Refer here . Update: Version 5.5.0 does not have this issue. If you are on 5.3.0 better upgrade to 5.5.0 which is available now (Feb 2019). I had above issue as well as another issue reaching to https endpoint. Upgrade to 5.5.0 resolved issue. Select "Check for updates" under the Help menu and you will get option for upgrade. Select upgrade current version and accept all defaul
Read more

Centrally Managed Users (CMU) - New Feature in Oracle Database 18c

Image
Centrally Managed Users (CMU) Centrally Managed Users or CMU is a new feature introduced since Oracle DB 18c which allows simplified database user management through integration with Microsoft Active Directory (AD). Beginning with Oracle Database release 18c, version 18.1 and later supports direct integration with Microsoft Active Directory (AD) using the new centrally managed users capability. CMU allows the Oracle database to perform user authentication and authorization directly against AD. Benefits of CMU With centrally managed users, users accessing the database can be centrally managed to improve an organization's security posture. An enterprise user (a user in Microsoft Active Directory) can be exclusively mapped to a database account, or many enterprise users (in an Microsoft Active Directory group) can be mapped to a shared account in the database. Microsoft Active Directory groups can also be mapped to a database global role, which provides users with additional privilege
Read more