Using Naive DN Matching
When configuring an LDAP directory connector in Crowd, you can turn 'naive DN matching' on or off. A 'DN' is a distinguished name. Naive DN matching is also known as 'relaxed DN standardization'. This page gives some background to the setting of this option.
Crowd needs to compare DNs (distinguished names) to check a number of things, such as whether a user is a member of a group. Some directories guarantee that DNs will always be in a standard format, while others return slight variants with changes such as extra whitespace. If we know that, in a specific directory, DNs are case insensitive and are always returned in a compact format (that is, the separators are commas without spaces), then we can convert both the attribute names and values to lower case and just do a direct string comparison.
Using naive DN matching provides significant performance benefits. For that reason, we recommend enabling it where possible.
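The following is an added example, not Crowd's own code: it compares the lower-case string comparison described above with a simplified full parse, and reports DN pairs that the naive comparison would fail to match (for a group lookup, the user would appear not to be a member). The function names, the simplified parser (no quoted strings or hex-encoded values) and the sample DNs are assumptions made for illustration.

```python
def split_unescaped(text, sep):
    """Split on sep, ignoring separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def naive_key(dn):
    """Naive matching as described above: lower-case, then compare strings."""
    return dn.lower()


def parsed_key(dn):
    """Simplified full parse: trims whitespace around each RDN's type and value."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDNs
            attr, _, value = ava.partition("=")
            avas.append((attr.strip().lower(), value.strip().lower()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def naive_disagreements(pairs):
    """Return pairs the parsed comparison matches but the naive comparison misses."""
    return [(a, b) for a, b in pairs
            if parsed_key(a) == parsed_key(b) and naive_key(a) != naive_key(b)]


# Constructed sample: a user's DN next to the DN stored in a group's member attribute.
SAMPLE = [
    ("CN=Jane Doe,OU=Staff,DC=example,DC=com", "cn=jane doe,ou=staff,dc=example,dc=com"),
    ("cn=Jane Doe,ou=Staff,dc=example,dc=com", "cn=Jane Doe, ou=Staff, dc=example, dc=com"),
    ("cn=Doe\\, Jane,ou=Staff,dc=example,dc=com", "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com"),
]

if __name__ == "__main__":
    for a, b in naive_disagreements(SAMPLE):
        print("naive matching would miss:", a, "<->", b)
```

Only the second sample pair is reported: a difference in case alone is absorbed by the lower-casing, but the spaces after the commas are not.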
Effect of Turning Naive DN Matching On or Off
Naive DN Matching in Crowd | Processing in Crowd | Comments |
---|---|---|
Off | Crowd will perform the full DN parsing and compare the parsed version. | See below for default settings for each directory type. |
On | Crowd will perform a | If this setting is 'off' by default for your directory type (see below) then you may be able to turn it on. Both of the following two statements need to be true: |
Default Settings in Crowd
Crowd ships with the following default settings, as determined by the characteristics of each directory type.
Directory Type | Naive DN Matching |
---|---|
ApacheDS 1.0.x | Off |
ApacheDS 1.5.x | Off |
Apple Open Directory | On |
FedoraDS | On |
Generic LDAP | Off |
Microsoft Active Directory | On |
Novell eDirectory | Off |
OpenDS | Off |
OpenLDAP | On |
OpenLDAP Posix | On |
Generic Posix | On |
Sun Directory Server DSEE | Off |