Session Property Whitelist Service is not validating the list of Property Names during entry or Save Changes, allowing "mail, MAIL, maiL, ..." but only storing the latest one on the DS Server (which is not case sensitive).
- Add the Session Property Whitelist Service to any realm (use FR DS, but any DS should act similar).
- Update the Session Property Whitelist Service with Property Names in variant representations:
eg. mail MAIL mAiL and Save Changes
- Check what was saved via the Service on the LDAP Server (DS).
Be sure to enter the Property Name entered is exactly how it will appear or be called from DS (which is case sensitive).
See case for more details but this was causing grief in the whole deployment model because the user would never know just by making the change in the console... unless they were double-checking in DS to confirm the same, and report this discrepancy. Which is misleading in the subsequent deploy, because only the last or latest iteration of the attr is stored.