Using Naive DN Matching

When configuring an LDAP directory connector in Crowd, you can turn 'naive DN matching' on or off. A 'DN' is a distinguished name. Naive DN matching is also known as 'relaxed DN standardization'. This page gives some background to the setting of this option.

Crowd needs to compare DNs (distinguished names) to check a number of things, such as whether a user is a member of a group. Some directories guarantee that DNs will always be in a standard format, and some return slight variants with changes such as extra whitespace. If we know that, in a specific directory, DNs are case insensitive and are always returned in a compact format (that is, the separators are commas without spaces) then we can convert both the attribute names and values to lower case and just do a direct string comparison.

(info) Using naive DN matching provides significant performance benefits. For that reason, we recommend enabling it where possible.

Effect of Turning Naive DN Matching On or Off

Naive DN Matching in Crowd

Processing in Crowd

Comments

Off

Crowd will perform the full DN parsing and compare the parsed version.

See below for default settings for each directory type.

On

Crowd will perform a toLower operation and then do a direct comparison of the two DN strings.

If this setting is 'off' by default for your directory type (see below) then you may be able to turn it on. Both of the following two statements need to be true:

  1. The directory server always returns memberDNs in a compact format i.e. the separators are commas without spaces. For example:
    • Compact format: 'cn=bob,dc=example,dc=com'
    • Not compact: 'cn=bob, dc=example, dc=com'
  2. The attribute names in the RDN are always lower case, or all searches for DNs and memberDN attributes are case insensitive.

Default Settings in Crowd

Crowd ships with the following default settings, as determined by the characteristics of each directory type.

Directory Type

Naive DN Matching

ApacheDS 1.0.x

Off

ApacheDS 1.5.x

Off

Apple Open Directory

On

FedoraDS

On

Generic LDAP

Off

Microsoft Active Directory

On

Novell eDirectory

Off

OpenDS

Off

OpenLDAP

On

OpenLDAP Posix

On

Generic Posix

On

Sun Directory Server DSEE

Off

Last modified on Mar 13, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.