I think it's significant to mention that the uid attribute type is caseExactMatch. So uid=STEVEHARRIS
is not the same as uid=steveharris.
I would say, 99% Apacheds bug we are trying to fix reight now ;)
--On 3/20/07, Flavio Minori < email@example.com> wrote:Hi Emmanuel,
excuse me if the mail is probably out of topic but I want to report this:
In my Ldap server I have this account:
DN: uid=STEVEHARRIS, ou=people, dc=irons
and in the OrganizationalRole I have the roleOccupant attribute setted to:
roleOccupant: uid=STEVEHARRIS, ou=people, dc=irons
Why Acegi doesn't retrieve authorities correctly?
If I change the roleOccupant attribute:
roleOccupant: uid=steveharris, ou=people, dc=irons
then it works.
Is it an Acegi or a ApacheDS problem ?
Da: Emmanuel Lecharny [mailto:firstname.lastname@example.org ]
Inviato: lunedý 19 marzo 2007 23.19
A: Apache Directory Developers List
Oggetto: [Attributes manipulation] How to manipulate attributes inside the
We have some serious issues in the server with Attributes manipulation.
This mail is intended to avoid as much as possible potential breakage
and bugs, by giving explicit rules of thumb about the way we should
First, we will focusing on ADS 1.5, because ADS 1.0.1 is already out.
Second, this mail applies only to in-server attribute manipulations, and
does not cover clients or tests.
Ok, now, let's get deep into the, well, mud.
1) Introduction, terminology
We have implemented Attribute and Attributes, which are
The associated classes in the server are :
An Attributes can contain many Attribute. Each Attribute contains a key
(the attribute type) and many values.
As we are in the Ldap World, the Attributes are associated with an Entry.
2) Attribute types
Each Attribute has a key which is unique within an Attributes (Entry).
This key is *case insensitive*. It means that "cn" is equivalent to "CN"
---> First rule : _always use a lowercased attribute name_
This key is not necessarily the best key to identify an attribute.
Internally, we should *always* use the associated OID (we have a
relation between an OID and an attribute type : An attributeType
*always* has a unique OID, when an OID can be associated with more than
--> Second rule : _when possible, use the OID instead of any other
What does it mean, in the real world ? Simply, use the OID.
3) Potential problems
The user don't want to receive OIDs when he launch a search. OIDs are
good for serrvers, not for clients...
Generally, a client ask for a list of attributes as a result of a
search. This list should be returned as it has been submitted :
let's assume a client has asked for SURNAME, we should not return an
entry like 22.214.171.124=nerd, but something like SURNAME=nerd
---> Third rule : _return what the client is asking for, not what the
server is used to manipulate_
Another problem is that we might have to find a specific value of an
attribute. For instance, we may look for the 'subschema' value in the
'objectClass' attribute. We have MatchingRules to compare two values.
Let's suppose we are dealing with the objectClass attributeType : the
values should be compared case insensitive. PhoneNumber should be
compared after having remove any inner space. And so on. Each
attributeType is associated with an Equality Matching Rule which is to
be used to process comparizons. This leads to CN == cn == cN == Cn, with
the ObjectClass equality matching rule.
An helper class contains two methods to help dealing with those
attributeTypes : AttributeUtils.
Three methods has been written :
- containsAnyValues( Attribute, Object, AttributeType ) : check that
an attribute contains at least one of the given values
- containsValue( Attribute, Object, AttributeType ) : check that the
attributes contains the given value
- containsValueCaseIgnore( Attribute, Object ) : special case where we
check that the value is contained by the attribute, the case sensitivity
For method 1 and 2, the attributeType is used to call the associated
---> Forth rule : When comparing two attribute values, always use the
AttributeUtils class, and use the correct method.
Ok, that's all for now, I hope that this little reminder will help to
build a better server ...
PS: I think this mail deserves to be put into confluence, but tonite,
I'm too lazy ...