joer999 Absent Member.
Absent Member.
1201 views

Case insensitive attributes in eDir, why and howto change?


We have a NetIQ IDM SOAP driver (publisher only) in place and recently
we have discovered discrepancies between our HRM source and eDir.
Eg.: in the source the Given Name is 'John', in eDir it's 'john'. I have
looked at the eDir schema and Given Name is a Case Ignore String. Why is
in eDir the Given Name (and Surname etc.etc.) case insensitive? I
clearly don't want that. Can I change it to case sensitive? In my
example, there must have been a SOAP message at some point that should
have changed 'john' into 'John' but alas...


--
joer999
------------------------------------------------------------------------
joer999's Profile: https://forums.netiq.com/member.php?userid=6162
View this thread: https://forums.netiq.com/showthread.php?t=54930

Labels (1)
0 Likes
10 Replies
Knowledge Partner
Knowledge Partner

Re: Case insensitive attributes in eDir, why and howto change?

On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:

> We have a NetIQ IDM SOAP driver (publisher only) in place and recently
> we have discovered discrepancies between our HRM source and eDir. Eg.:
> in the source the Given Name is 'John', in eDir it's 'john'. I have
> looked at the eDir schema and Given Name is a Case Ignore String. Why is
> in eDir the Given Name (and Surname etc.etc.) case insensitive?


Many attributes are Case Ignore, and have been since the original NDS
schema was published.


> I
> clearly don't want that. Can I change it to case sensitive?


In theory? Yes. I haven't tried to do so, but an LDIF modification to the
schema should work. I've done other modifications to the base schema in
the past, just not this one.

See, for example, TID #7008201

https://www.novell.com/support/kb/doc.php?id=7008201


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Case insensitive attributes in eDir, why and howto change?

On 12/15/2015 08:00 AM, David Gersic wrote:
> On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
>
>> We have a NetIQ IDM SOAP driver (publisher only) in place and recently
>> we have discovered discrepancies between our HRM source and eDir. Eg.:
>> in the source the Given Name is 'John', in eDir it's 'john'. I have
>> looked at the eDir schema and Given Name is a Case Ignore String. Why is
>> in eDir the Given Name (and Surname etc.etc.) case insensitive?

>
> Many attributes are Case Ignore, and have been since the original NDS
> schema was published.


Beyond that, this is by RFC spec, so if you check the LDAP specs this is
normal and desirable. Why? Have you ever tried to lookup a user by name
and had to get the case exact for a match to be found? For example: go to
a whitepage application, search for 'AARON' and not find 'Aaron' or
'aaron' or anything like that? That would be terrible; directories are
designed to have a lot of things case-ignore (not case-insensitive) on
matches for this very reason. Case-insensitive means there is no case at
all, where case-ignore means the case is there, but matching is done
case-insensitively so you can match regardless of case.

>> clearly don't want that. Can I change it to case sensitive?


Only if you do not plan on ever matching on the data; chances are very
good you do want this. Changing case-only can be done by removing and
re-adding the value.

Alternatively: have your HR folks not typo stuff. 🙂

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Knowledge Partner
Knowledge Partner

Re: Case insensitive attributes in eDir, why and howto change?

On Tue, 15 Dec 2015 15:29:37 +0000, ab wrote:

> On 12/15/2015 08:00 AM, David Gersic wrote:
>> On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
>>
>>> We have a NetIQ IDM SOAP driver (publisher only) in place and recently
>>> we have discovered discrepancies between our HRM source and eDir. Eg.:
>>> in the source the Given Name is 'John', in eDir it's 'john'. I have
>>> looked at the eDir schema and Given Name is a Case Ignore String. Why
>>> is in eDir the Given Name (and Surname etc.etc.) case insensitive?

>>
>> Many attributes are Case Ignore, and have been since the original NDS
>> schema was published.

>
> Beyond that, this is by RFC spec, so if you check the LDAP specs this is
> normal and desirable. Why? Have you ever tried to lookup a user by
> name and had to get the case exact for a match to be found? For
> example: go to a whitepage application, search for 'AARON' and not find
> 'Aaron' or 'aaron' or anything like that? That would be terrible;
> directories are designed to have a lot of things case-ignore (not
> case-insensitive) on matches for this very reason. Case-insensitive
> means there is no case at all, where case-ignore means the case is
> there, but matching is done case-insensitively so you can match
> regardless of case.


Agreed, but from an IDM perspective, which is where this question
originates, C_I_String is problematic, because the engine does exactly
that and then assumes that 'Aaron' is the same as 'aaron', annoying the
end users who want their names to be spelled and typed correctly.


>>> clearly don't want that. Can I change it to case sensitive?

>
> Only if you do not plan on ever matching on the data; chances are very
> good you do want this. Changing case-only can be done by removing and
> re-adding the value.
>
> Alternatively: have your HR folks not typo stuff. 🙂


If you want to bring this discussion over to the idm.engine-drivers
forum, we can help you change the driver policies to handle this
situation, without needing to hack the schema.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
joer999 Absent Member.
Absent Member.

Re: Case insensitive attributes in eDir, why and howto change?


dgersic;263392 Wrote:
> On Tue, 15 Dec 2015 15:29:37 +0000, ab wrote:
>
> > On 12/15/2015 08:00 AM, David Gersic wrote:
> >> On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
> >>
> >>> We have a NetIQ IDM SOAP driver (publisher only) in place and

> recently
> >>> we have discovered discrepancies between our HRM source and eDir.

> Eg.:
> >>> in the source the Given Name is 'John', in eDir it's 'john'. I have
> >>> looked at the eDir schema and Given Name is a Case Ignore String.

> Why
> >>> is in eDir the Given Name (and Surname etc.etc.) case insensitive?
> >>
> >> Many attributes are Case Ignore, and have been since the original

> NDS
> >> schema was published.

> >
> > Beyond that, this is by RFC spec, so if you check the LDAP specs this

> is
> > normal and desirable. Why? Have you ever tried to lookup a user by
> > name and had to get the case exact for a match to be found? For
> > example: go to a whitepage application, search for 'AARON' and not

> find
> > 'Aaron' or 'aaron' or anything like that? That would be terrible;
> > directories are designed to have a lot of things case-ignore (not
> > case-insensitive) on matches for this very reason. Case-insensitive
> > means there is no case at all, where case-ignore means the case is
> > there, but matching is done case-insensitively so you can match
> > regardless of case.

>
> Agreed, but from an IDM perspective, which is where this question
> originates, C_I_String is problematic, because the engine does exactly
> that and then assumes that 'Aaron' is the same as 'aaron', annoying the
> end users who want their names to be spelled and typed correctly.
>
>
> >>> clearly don't want that. Can I change it to case sensitive?

> >
> > Only if you do not plan on ever matching on the data; chances are

> very
> > good you do want this. Changing case-only can be done by removing

> and
> > re-adding the value.
> >
> > Alternatively: have your HR folks not typo stuff. 🙂

>
> If you want to bring this discussion over to the idm.engine-drivers
> forum, we can help you change the driver policies to handle this
> situation, without needing to hack the schema.
>
>
> --
> --------------------------------------------------------------------------
> David Gersic
> dgersic_@_niu.edu
> Knowledge Partner
> http://forums.microfocus.com
>
> Please post questions in the forums. No support provided via
> email.
> If you find this post helpful, please click on the star below.

Yes, eDir is our source for MAD en Blackboard (eLearning) and people
find it annoying that (a part of) their name has the wrong case in for
instance the Outlook Address Lists.
First I will try your link and ldif suggestion to change the properties
of the attributes (in a testing environment of course). Maybe I will
start a thread in the IDM forum but hopefully I will be able to think of
something by myself, policy and dirxml way.


--
joer999
------------------------------------------------------------------------
joer999's Profile: https://forums.netiq.com/member.php?userid=6162
View this thread: https://forums.netiq.com/showthread.php?t=54930

0 Likes
joer999 Absent Member.
Absent Member.

Re: Case insensitive attributes in eDir, why and howto change?


ab;263388 Wrote:
> On 12/15/2015 08:00 AM, David Gersic wrote:
> > On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
> >
> >> We have a NetIQ IDM SOAP driver (publisher only) in place and

> recently
> >> we have discovered discrepancies between our HRM source and eDir.

> Eg.:
> >> in the source the Given Name is 'John', in eDir it's 'john'. I have
> >> looked at the eDir schema and Given Name is a Case Ignore String. Why

> is
> >> in eDir the Given Name (and Surname etc.etc.) case insensitive?

> >
> > Many attributes are Case Ignore, and have been since the original NDS
> > schema was published.

>
> Beyond that, this is by RFC spec, so if you check the LDAP specs this
> is
> normal and desirable. Why? Have you ever tried to lookup a user by
> name
> and had to get the case exact for a match to be found? For example: go
> to
> a whitepage application, search for 'AARON' and not find 'Aaron' or
> 'aaron' or anything like that? That would be terrible; directories are
> designed to have a lot of things case-ignore (not case-insensitive) on
> matches for this very reason. Case-insensitive means there is no case
> at
> all, where case-ignore means the case is there, but matching is done
> case-insensitively so you can match regardless of case.
>
> >> clearly don't want that. Can I change it to case sensitive?

>
> Only if you do not plan on ever matching on the data; chances are very
> good you do want this. Changing case-only can be done by removing and
> re-adding the value.
>
> Alternatively: have your HR folks not typo stuff. 🙂
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...

When I change in MAD a Given Name form 'john' to 'John' then, contrary
to eDir, the new name is stored. When I search in AD on 'john' then all
the John's en john's pop up.
I am not sure I follow your case-insensitive-case-ignore bit. Given Name
is Case Ignore String in eDir so the case is there but not used for
matching. In that case, shouldn't eDir accept the same value but in a
different case as a new value for Given Name?
Anyway, in my opinion eDir should behave the same as MAD in this
respect: matching is done case-ignore by default but updating an
attribute is case-sensitive + attributes case-sensitive by default.


--
joer999
------------------------------------------------------------------------
joer999's Profile: https://forums.netiq.com/member.php?userid=6162
View this thread: https://forums.netiq.com/showthread.php?t=54930

0 Likes
Knowledge Partner
Knowledge Partner

Re: Case insensitive attributes in eDir, why and howto change?

On Wed, 16 Dec 2015 08:26:49 +0000, joer999 wrote:

> When I change in MAD a Given Name form 'john' to 'John' then, contrary
> to eDir, the new name is stored. When I search in AD on 'john' then all
> the John's en john's pop up.
> I am not sure I follow your case-insensitive-case-ignore bit. Given Name
> is Case Ignore String in eDir so the case is there but not used for
> matching. In that case, shouldn't eDir accept the same value but in a
> different case as a new value for Given Name? Anyway, in my opinion eDir
> should behave the same as MAD in this respect: matching is done
> case-ignore by default but updating an attribute is case-sensitive +
> attributes case-sensitive by default.


eDirectory stores and preserves whatever case you give it. Your problem
isn't eDirectory.

The IDM engine attempts to minimize changes (writes) by checking to see
if the change even needs to be made before making it, because eDirectory
is faster at reads/compares than at writes.

Come over to idm.engine-drivers and we'll fix you up there.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
joer999 Absent Member.
Absent Member.

Re: Case insensitive attributes in eDir, why and howto change?


dgersic;263442 Wrote:
> On Wed, 16 Dec 2015 08:26:49 +0000, joer999 wrote:
>
> > When I change in MAD a Given Name form 'john' to 'John' then, contrary
> > to eDir, the new name is stored. When I search in AD on 'john' then

> all
> > the John's en john's pop up.
> > I am not sure I follow your case-insensitive-case-ignore bit. Given

> Name
> > is Case Ignore String in eDir so the case is there but not used for
> > matching. In that case, shouldn't eDir accept the same value but in a
> > different case as a new value for Given Name? Anyway, in my opinion

> eDir
> > should behave the same as MAD in this respect: matching is done
> > case-ignore by default but updating an attribute is case-sensitive +
> > attributes case-sensitive by default.

>
> eDirectory stores and preserves whatever case you give it. Your problem
> isn't eDirectory.

For sure I'm being pig-headed but... When in iManager I go to an account
in the eDir tree and manually change the Given Name from 'John' to
'john', the latter is not stored.
> The IDM engine attempts to minimize changes (writes) by checking to see
> if the change even needs to be made before making it, because eDirectory
> is faster at reads/compares than at writes.

I understand but to be honest I hate that. When I tell IDM or eDir to do
something, e.g. replace a value, I just want it to do that and not to
start thinking for itself. And in my opinion it's all a bit redundant
nowadays with those highly scalable VM's.
> Come over to idm.engine-drivers and we'll fix you up there.

Thank you. Maybe later on. I'm allmost there with my schema update. Case
Exact String = 1.3.6.1.4.1.1466.115.121.1.26. I want to see if it's
possible and what the results are but I don't think it's the way to go
because changing the definition of a default attribute will probably
lead to other problems.


--
joer999
------------------------------------------------------------------------
joer999's Profile: https://forums.netiq.com/member.php?userid=6162
View this thread: https://forums.netiq.com/showthread.php?t=54930

0 Likes
joer999 Absent Member.
Absent Member.

Re: Case insensitive attributes in eDir, why and howto change?


dgersic;263385 Wrote:
> On Tue, 15 Dec 2015 14:14:01 +0000, joer999 wrote:
>
> > We have a NetIQ IDM SOAP driver (publisher only) in place and recently
> > we have discovered discrepancies between our HRM source and eDir. Eg.:
> > in the source the Given Name is 'John', in eDir it's 'john'. I have
> > looked at the eDir schema and Given Name is a Case Ignore String. Why

> is
> > in eDir the Given Name (and Surname etc.etc.) case insensitive?

>
> Many attributes are Case Ignore, and have been since the original NDS
> schema was published.
>
>
> > I
> > clearly don't want that. Can I change it to case sensitive?

>
> In theory? Yes. I haven't tried to do so, but an LDIF modification to
> the
> schema should work. I've done other modifications to the base schema in
> the past, just not this one.
>
> See, for example, TID #7008201
>
> https://www.novell.com/support/kb/doc.php?id=7008201
>
>
> --
> --------------------------------------------------------------------------
> David Gersic dgersic_@_niu.edu
> Knowledge Partner http://forums.microfocus.com
>
> Please post questions in the forums. No support provided via email.
> If you find this post helpful, please click on the star below.

Error.
Trying to change givenName from Case Ignore String to Case Exact String.
Ldapmodify (OpenLDAP) gives me "ldap_modify: No such object (32)
additional info: NDS error: no such entry (-601)" on this ldif:
> dn: cn=schema,cn=config
> changetype: modify
> delete: attributetypes
> attributeTypes: attributeTypes: (2.5.4.42)
> -
> add: attributetypes
> attributeTypes: (2.5.4.42 NAME 'givenName' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.26{32} X-NDS_NAME 'Given Name'
> X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '32' X-NDS_PUBLIC_READ '1'
> X-NDS_NONREMOVABLE '1')
>

I connect as Admin. Am I doing something wrong or is a modify of this
type not permitted but with a vague error message?


--
joer999
------------------------------------------------------------------------
joer999's Profile: https://forums.netiq.com/member.php?userid=6162
View this thread: https://forums.netiq.com/showthread.php?t=54930

0 Likes
Knowledge Partner
Knowledge Partner

Re: Case insensitive attributes in eDir, why and howto change?

On Thu, 17 Dec 2015 11:14:02 +0000, joer999 wrote:


> Trying to change givenName from Case Ignore String to Case Exact String.


I did something similar once with:


dn: cn=schema
changetype: modify
delete: attributeTypes
attributeTypes: ( 2.16.840.1.113719.1.33.4.7 NAME 'nrfLocalizedNames'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64512} SINGLE-VALUE
X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1' )
-
add: attributeTypes
attributeTypes: ( 2.16.840.1.113719.1.33.4.7 NAME 'nrfLocalizedNames'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64512} SINGLE-VALUE
X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1' )



--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
joer999 Absent Member.
Absent Member.

Re: Case insensitive attributes in eDir, why and howto change?


dgersic;263544 Wrote:
> On Thu, 17 Dec 2015 11:14:02 +0000, joer999 wrote:
>
>
> > Trying to change givenName from Case Ignore String to Case Exact

> String.
>
> I did something similar once with:
>
> >

Code:
--------------------
> >

> dn: cn=schema
> changetype: modify
> delete: attributeTypes
> attributeTypes: ( 2.16.840.1.113719.1.33.4.7 NAME 'nrfLocalizedNames'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64512} SINGLE-VALUE
> X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1' )
> -
> add: attributeTypes
> attributeTypes: ( 2.16.840.1.113719.1.33.4.7 NAME 'nrfLocalizedNames'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64512} SINGLE-VALUE
> X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1' )
>

--------------------
> >

>
>
> --
> --------------------------------------------------------------------------
> David Gersic
> dgersic_@_niu.edu
> Knowledge Partner
> http://forums.microfocus.com
>
> Please post questions in the forums. No support provided via
> email.
> If you find this post helpful, please click on the star below.

Yes, that works but when I replace the two strings after
'attributeTypes:' with (first)
( 2.5.4.42 NAME 'givenName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32}
X-NDS_NAME 'Given Name' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '32'
X-NDS_PUBLIC_READ '1' X-NDS_NONREMOVABLE '1' )
and (second)
( 2.5.4.42 NAME 'givenName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32}
X-NDS_NAME 'Given Name' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '32'
X-NDS_PUBLIC_READ '1' X-NDS_NONREMOVABLE '1' )
I get:
> ldap_modify: Other (e.g., implementation specific) error (80)
> additional info: NDS error: op schema mismatch (-722)

In this stage, replacing 'dn: cn=schema' with 'dn: cn=schema,cn=config'
gives me:
> ldap_modify: No such object (32)
> additional info: NDS error: no such entry (-601)

I will leave it at that and follow up on your suggestion on moving to
the Engine-Drivers section and maybe get my uppercase-lowercase issue
resolved.


--
joer999
------------------------------------------------------------------------
joer999's Profile: https://forums.netiq.com/member.php?userid=6162
View this thread: https://forums.netiq.com/showthread.php?t=54930

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.