Using Naive DN Matching

When configuring an LDAP directory connector in Crowd, you can turn 'naive DN matching' on or off. A 'DN' is a distinguished name. Naive DN matching is also known as 'relaxed DN standardization'. This page gives some background to the setting of this option.

Crowd needs to compare DNs (distinguished names) to check a number of things, such as whether a user is a member of a group. Some directories guarantee that DNs will always be in a standard format, and some return slight variants with changes such as extra whitespace. If we know that, in a specific directory, DNs are case insensitive and are always returned in a compact format (that is, the separators are commas without spaces) then we can convert both the attribute names and values to lower case and just do a direct string comparison.

Note: Using naive DN matching provides significant performance benefits. For that reason, we recommend enabling it where possible.

Effect of Turning Naive DN Matching On or Off

Naive DN Matching in Crowd: Off

  Processing in Crowd: Crowd will perform the full DN parsing and compare the parsed version.

  Comments: See below for default settings for each directory type.

Naive DN Matching in Crowd: On

  Processing in Crowd: Crowd will perform a toLower operation and then do a direct comparison of the two DN strings.

  Comments: If this setting is 'off' by default for your directory type (see below) then you may be able to turn it on. Both of the following two statements need to be true:

  1. The directory server always returns memberDNs in a compact format, that is, the separators are commas without spaces. For example:
    • Compact format: 'cn=bob,dc=example,dc=com'
    • Not compact: 'cn=bob, dc=example, dc=com'
  2. The attribute names in the RDN are always lower case, or all searches for DNs and memberDN attributes are case insensitive.
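
The following is an added example, not Crowd's own code: it contrasts the two comparison strategies described above and checks a sample of memberDN values against the first condition (compact format). The function names, the simplified parser (single-valued RDNs, backslash escapes only) and the sample values are assumptions made for illustration. The second condition depends on how the directory server handles searches and cannot be checked this way.

```python
def naive_equal(a, b):
    """Naive matching as described above: lower-case both DNs, compare strings."""
    return a.lower() == b.lower()

def split_rdns(dn):
    """Split a DN on unescaped commas (a backslash escapes the next character)."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def compact(dn):
    """Simplified normal form: trimmed, lower-cased 'attr=value' joined by ','.
    Assumes single-valued RDNs and no quoted or hex-encoded values."""
    out = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {rdn!r}")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)

def parsed_equal(a, b):
    """Full-parse matching: compare the normal forms instead of the raw strings."""
    return compact(a) == compact(b)

def not_compact(dns):
    """Return the DNs whose lower-cased raw form differs from the normal form,
    i.e. values that naive matching would fail to match."""
    return [dn for dn in dns if dn.lower() != compact(dn)]

# Constructed sample of memberDN values, as a directory export might contain.
SAMPLE = [
    "cn=bob,dc=example,dc=com",
    "CN=Bob, DC=example, DC=com",
    "cn=Smith\\, Alice,ou=staff,dc=example,dc=com",
]

if __name__ == "__main__":
    print(not_compact(SAMPLE))
```

If not_compact returns any entries for a representative sample, leave naive DN matching off for that directory: a group membership check on those values would not match under the direct string comparison.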

Default Settings in Crowd

Crowd ships with the following default settings, as determined by the characteristics of each directory type.

Directory Type                 Naive DN Matching

ApacheDS 1.0.x                 Off
ApacheDS 1.5.x                 Off
Apple Open Directory           On
FedoraDS                       On
Generic LDAP                   Off
Microsoft Active Directory     On
Novell eDirectory              Off
OpenDS                         Off
OpenLDAP                       On
OpenLDAP Posix                 On
Generic Posix                  On
Sun Directory Server DSEE      Off

Last modified on Mar 13, 2019
