Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] ldappc-ng comparing provisioned identifiers ?

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] ldappc-ng comparing provisioned identifiers ?

Chronological Thread 
  • From: Tom Barton <>
  • To: Tom Zeller <>
  • Cc: Grouper Dev <>
  • Subject: Re: [grouper-dev] ldappc-ng comparing provisioned identifiers ?
  • Date: Sun, 21 Feb 2010 19:05:06 -0600


LDAP DNs are a special kind of identifier for which you'll want to rely on an existing canonicalization algorithm. You're in the best position to judge whether ldappc-ng should rely on a JNDI method to do so or where exactly that should be done in the LDAP provisioning work flow overall.

Does the shib attribute resolver provide reasonable capabilities to a deployer to massage locally-defined identifiers as may be needed in connection with ldappc-ng?

Other Tom

Tom Zeller wrote:
I'm looking for feedback regarding two styles of comparing provisioned
identifiers, what I'll call "exact-match" and "pluggable".

By exact-match I mean comparing identifiers as case-sensitive strings,
e.g. idA.equals(idB).

By pluggable I mean that identifiers might be massaged before
comparison, for example, making them case-insensitive

For ldap DNs, a pluggable comparison might involve case-insensitivity,
escaping, and normalizing whitespace.

If ldappc-ng compares ldap DNs as exact-matches, then the (software)
connector to an ldap server would need to always normalize DNs upon
receiving requests and sending responses.

If ldappc-ng compares ldap DNs pluggably, then the (software)
connector to an ldap server could return whatever DN it receives from
the ldap server, and it would be up to ldappc-ng to normalize.

I'm leaning towards exact-match, which leaves the details of
identifier normalization to the connector. In other words, the
connector code contains all of the target specific details.

Feedback ? Does this make sense ?


Archive powered by MHonArc 2.6.16.

Top of Page