Question & Answer
Question
When an AIX or Linux system is configured to authenticate users against a Security (or Tivoli) Directory Server as the LDAP store, user login IDs are not case-sensitive.
Cause
This is because the memberUid attribute in the Directory Server schema is not defined with a case-sensitive matching rule by default.
Answer
You can change the schema so that user login names are matched case-sensitively. The Security (or Tivoli) Directory Server schema can be changed through the Web Admin Tool or by making a simple change to the schema definition file.
1. Using Web Admin Tool:
To change the schema for the attribute in question, log in to the Web Admin Tool:
(i) Go to Schema Management -> Manage Attributes -> go to page 41
(ii) Select memberUid and click on "Edit" button
(iii) Set the following matching rules:
- Equality: caseExactMatch
- Ordering: caseExactOrderingMatch
- Substring: caseExactSubstringsMatch
Refer to the following table for the appropriate matching rules:
http://www-01.ibm.com/support/knowledgecenter/SSVJJU_6.3.0/com.ibm.IBMDS.doc/admin_gd77.htm%23matchrules
2. Manually changing the schema definition file:
You can modify the schema definition file "V3.user.at". This file is located in the etc directory of your Directory Server instance, alongside its configuration and other files.
(i) Backup the original file
(ii) Edit the V3.user.at file
(iii) Find the entry like:
attributetypes=( 1.3.6.1.1.1.1.12 NAME 'memberUid' DESC 'Member uid.' EQUALITY 1.3.6.1.4.1.1466.109.114.1 SUBSTR 2.5.13.7 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE userApplications )
You have to change EQUALITY and SUBSTR matching rules.
(iv) To make memberUid case-sensitive, change the entry so that it looks like this (2.5.13.5 is the OID of caseExactMatch and 2.5.13.7 is the OID of caseExactSubstringsMatch, the same rules selected in the Web Admin Tool above):
attributetypes=( 1.3.6.1.1.1.1.12 NAME 'memberUid' DESC 'Member uid.' EQUALITY 2.5.13.5 SUBSTR 2.5.13.7 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE userApplications )
Note that the new rules apply only to the memberUid attribute of entries added after this change.
Example:
This is a sample entry that you can add and search for to test the change after modifying the schema:
cn=myuser2,o=ibm,c=us
objectclass=posixGroup
objectclass=top
objectclass=posixAccount
cn=myuser2
homedirectory=/home/myuser1
gidnumber=100
memberUid=myuser2
uid=myuser2
uidnumber=802
Then this is the result of ldapsearch (even after LDAP restart):
# ldapsearch -D cn=root -w root -p 2389 -b "o=ibm,c=us" memberUid=myuser2
(1 result is returned)
# ldapsearch -D cn=root -w root -p 2389 -b "o=ibm,c=us" memberUid=mYuser2
(No result returned)
# ldapsearch -D cn=root -w root -p 2389 -b "o=ibm,c=us" memberUid=mYuSER2
(No result returned)
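The searches above only differ in the case of the filter value, so whether a result comes back depends entirely on the EQUALITY rule bound to memberUid. The following Python script is an added example, not IBM code or part of this technote: it reads attributetypes= lines in the V3.user.at format, reports which equality rule memberUid uses (a quick audit before and after the change), and evaluates a memberUid=... filter under that rule. The schema lines inside it are constructed from the definition shown above; the caseIgnore space-folding is deliberately simplified.

```python
import re

# Matching-rule OIDs (RFC 4517; the IA5 rules are registered under 1.3.6.1.4.1.1466):
# rule name and whether the rule compares case-exactly.
MATCHING_RULES = {
    "2.5.13.2": ("caseIgnoreMatch", False),
    "2.5.13.4": ("caseIgnoreSubstringsMatch", False),
    "2.5.13.5": ("caseExactMatch", True),
    "2.5.13.7": ("caseExactSubstringsMatch", True),
    "1.3.6.1.4.1.1466.109.114.1": ("caseIgnoreIA5Match", False),
    "1.3.6.1.4.1.1466.109.114.2": ("caseExactIA5Match", True),
}

def parse_attributetype(line):
    """Pull NAME, EQUALITY and SUBSTR OIDs out of one V3.user.at attributetypes= line."""
    name = re.search(r"NAME\s+'([^']+)'", line)
    eq = re.search(r"\bEQUALITY\s+([\d.]+)", line)
    sub = re.search(r"\bSUBSTR\s+([\d.]+)", line)
    return {"name": name.group(1) if name else None,
            "equality": eq.group(1) if eq else None,
            "substr": sub.group(1) if sub else None}

def audit_attribute(schema_text, attr="memberUid"):
    """Return (equality rule name, case_exact) for attr, or None if it is not defined.
    A case-insensitive equality rule on a login-name attribute is what this technote fixes."""
    for line in schema_text.splitlines():
        if not line.startswith("attributetypes="):
            continue
        parsed = parse_attributetype(line)
        if parsed["name"] and parsed["name"].lower() == attr.lower():
            return MATCHING_RULES.get(parsed["equality"], ("unknown", None))
    return None

def equality_matches(rule_oid, stored, asserted):
    """Evaluate a (memberUid=value) filter under the given equality rule.
    Simplified: caseIgnore rules also fold insignificant spaces, which is ignored here."""
    _, exact = MATCHING_RULES[rule_oid]
    return stored == asserted if exact else stored.casefold() == asserted.casefold()

# Constructed schema lines: the page's default memberUid definition and a case-exact variant.
DEFAULT_SCHEMA = ("attributetypes=( 1.3.6.1.1.1.1.12 NAME 'memberUid' DESC 'Member uid.' "
                  "EQUALITY 1.3.6.1.4.1.1466.109.114.1 SUBSTR 2.5.13.7 "
                  "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE userApplications )")
EXACT_SCHEMA = DEFAULT_SCHEMA.replace("EQUALITY 1.3.6.1.4.1.1466.109.114.1", "EQUALITY 2.5.13.5")

if __name__ == "__main__":
    for label, schema in (("default", DEFAULT_SCHEMA), ("case-exact", EXACT_SCHEMA)):
        oid = parse_attributetype(schema)["equality"]
        print(label, audit_attribute(schema), "mYuser2 matches myuser2:",
              equality_matches(oid, "myuser2", "mYuser2"))
```

Running audit_attribute over the instance's real V3.user.at is a cheap post-change check that the EQUALITY OID was actually edited and not only the SUBSTR one.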
Historical Number
PMR # 66916;100;838
Product Synonym
itds;tds;directory server;ldap
Document Information
Modified date:
16 June 2018
UID
swg21260781