Grouper Developers Forum

[Tom Barton <>]

Tom,

LDAP DNs are a special kind of identifier for which you'll want to rely 
on an existing canonicalization algorithm. You're in the best position 
to judge whether ldappc-ng should rely on a JNDI method to do so or 
where exactly that should be done in the LDAP provisioning work flow 
overall.

Does the shib attribute resolver provide reasonable capabilities to a 
deployer to massage locally-defined identifiers as may be needed in 
connection with ldappc-ng?

Other Tom

Tom Zeller wrote:
> I'm looking for feedback regarding two styles of comparing provisioned
> identifiers, what I'll call "exact-match" and "pluggable".
>
> By exact-match I mean comparing identifiers as case-sensitive strings,
> e.g. idA.equals(idB).
>
> By pluggable I mean that identifiers might be massaged before
> comparison, for example, making them case-insensitive
> idA.toLowerCase.equals(idB.toLowerCase()).
>
> For ldap DNs, a pluggable comparison might involve case-insensitivity,
> escaping, and normalizing whitespace.
>
> If ldappc-ng compares ldap DNs as exact-matches, then the (software)
> connector to an ldap server would need to always normalize DNs upon
> receiving requests and sending responses.
>
> If ldappc-ng compares ldap DNs pluggably, then the (software)
> connector to an ldap server could return whatever DN it receives from
> the ldap server, and it would be up to ldappc-ng to normalize.
>
> I'm leaning towards exact-match, which leaves the details of
> identifier normalization to the connector. In other words, the
> connector code contains all of the target specific details.
>
> Feedback ? Does this make sense ?
>
> Thanks,
> TomZ