[GH-ISSUE #1202] [BUG] Attributes with the same name can be created with different types #430

Open
opened 2026-02-27 08:17:15 +03:00 by kerem · 1 comment
Owner

Originally created by @nitnelave on GitHub (Jul 6, 2025).
Original GitHub issue: https://github.com/lldap/lldap/issues/1202

When creating a user and group attribute, they can have different types. However, the LDAP spec requires each named attribute to have a single associated type.

To Reproduce
Create a "foo" attribute of type "string" for users.
Create a "foo" attribute of type "int" for groups.
Request the LDAP schema: the attribute will be listed twice with different names.

Expected behavior
Each attribute name should have a single associated type, across users and groups.

Additional context
https://ldap.com/attribute-types/

> An optional set of names that may be used to reference the attribute type as an alternative to the numeric OID. Each of these names must be unique across the set of all attribute types, although it is legal for an attribute type to have the same name as a different type of schema element (e.g., it is acceptable to have an attribute type and an object class that both have the same name).

Proposed solution
The LDAP schema generation should check for validity of attribute types across users and groups. In case of agreement, deduplicate. In case of conflict, return an error instead of generating the schema.

In addition, we should have a startup warning on conflicting attributes, and prevent users from creating them.
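A sketch of the cross-check described under "Proposed solution", added here as an illustration; it is not code from the issue or from lldap. The `AttrType`, `AttrDef`, `Conflict` and `merge_schema` names are hypothetical, and the example goes slightly beyond the text by comparing names case-insensitively, since LDAP attribute names are case-insensitive.

```rust
use std::collections::btree_map::{BTreeMap, Entry};

// Hypothetical types for illustration; these are not lldap's own definitions.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AttrType { String, Int }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AttrDef { pub name: String, pub ty: AttrType }

#[derive(Debug, PartialEq, Eq)]
pub struct Conflict { pub name: String, pub existing: AttrType, pub conflicting: AttrType }

/// Merge user and group attribute definitions into a single list for schema output.
/// Same name and same type: keep one entry (deduplicate).
/// Same name and different type: collect a conflict and return Err, so that
/// no schema is generated from inconsistent definitions.
pub fn merge_schema(users: &[AttrDef], groups: &[AttrDef]) -> Result<Vec<AttrDef>, Vec<Conflict>> {
    let mut merged: BTreeMap<String, AttrDef> = BTreeMap::new();
    let mut conflicts = Vec::new();
    for attr in users.iter().chain(groups) {
        // Assumption: names are normalised to lowercase before comparison.
        match merged.entry(attr.name.to_ascii_lowercase()) {
            Entry::Vacant(slot) => { slot.insert(attr.clone()); }
            Entry::Occupied(seen) => {
                if seen.get().ty != attr.ty {
                    conflicts.push(Conflict {
                        name: attr.name.clone(),
                        existing: seen.get().ty,
                        conflicting: attr.ty,
                    });
                }
            }
        }
    }
    if conflicts.is_empty() { Ok(merged.into_values().collect()) } else { Err(conflicts) }
}

fn main() {
    // Constructed sample data mirroring the reproduction steps.
    let users = [AttrDef { name: "foo".into(), ty: AttrType::String }];
    let groups = [AttrDef { name: "foo".into(), ty: AttrType::Int }];
    match merge_schema(&users, &groups) {
        Ok(attrs) => println!("schema attributes: {attrs:?}"),
        Err(conflicts) => eprintln!("refusing to generate schema: {conflicts:?}"),
    }
}
```

The same function could back the startup warning and the creation-time check by running it against the existing definitions plus the candidate attribute.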


@nitnelave commented on GitHub (Jul 6, 2025):

@broeng @T0byV
