Hello,
the ":" is a special character for Unix. (E.g. it's the column
delimiter in /etc/passwd and friends.) So Unix forbids
the usage of ":" in user names.
POSIX defines
(http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_426):
---
To be portable across systems conforming to IEEE Std 1003.1-2001, the
value is composed of characters from the portable filename character set.
---
This portable character set is defined as
(http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_276):
---
The set of characters from which portable filenames are constructed.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -
The last three characters are the period, underscore, and hyphen
characters, respectively.
---
So LDAP allows ":" in uid (because it has DirectoryString syntax) but
the application (Unix/POSIX) forbids it.
Regards, Jochen.
On 23.02.2011 11:39, Vinay Kalkoti wrote:
But, the user account with "test_user:IT" is not able to login. I have
setup an OpenLDAP server and am using OpenLDAP client on SLES
machines.
SSH or "su - test_user:IT" fails. I see the following logs in
/var/log/messages file.
Feb 23 11:09:41 server sshd[20549]: Invalid user test_user from 10.34.3.94
Feb 23 11:09:44 sverver sshd[20549]: error: PAM: User not known to the
underlying authentication module for illegal user test_user from
10.34.3.94
*** Note that the logs just mention test_user instead of test_user:IT
Vinay
On Wed, Feb 23, 2011 at 2:37 PM, Marc Patermann
<[email protected]> wrote:
Vinay,
Vinay Kalkoti wrote on 23.02.2011 09:10:
I wanted to know what all complex characters can be included in a
UID attribute.
I have the following user names (uid).
Please let me know which of the following uids are invalid -
test_user: IT (LOC)
sup_12$
test_user:IT(LOC)
test_user-IT
test_user IT
test_user:IT
test_user(IT)
test_user.IT
test_user/IT
test_user/IT
test_user#IT
test_user*IT
test_user@IT
IMHO from the ldap point of view this is all totally valid. As long as it is
encoded in UTF-8.
According to this
http://www.andrew.cmu.edu/user/dd26/ldap.akbkhome.com/attribute/uid.html
the syntax of uid is Directory String which does not limit you either.
Your application using uid may or may not have stricter rules than that...
Marc