[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: sasl authz 'dn:' type normalization (ITS#2852)

To: openldap-its@OpenLDAP.org
Subject: RE: sasl authz 'dn:' type normalization (ITS#2852)
From: ando@sys-net.it
Date: Tue, 2 Dec 2003 23:15:20 GMT

> Is this approach really necessary? Can we just defer the dnNormalize
> until after the regexp has been expanded?

No, in this case no DN expansion takes place, because
it's not a sort of sasl-regexp operation (i.e. a mapping)
but rather a match in ACL style (i.e. a DN is tried
against a regualr expression to see whether it matches
or not).

I came out with a more elaborate solution, respectful
of current stuff and with better semantics (mutuated from
ACLs, BTW):

dn:<smtg>

is not normalized, and used as input to regcomp() to
compare against assertedDN;

dn.regex:<smtg>

is an explicit version of the above

dn.exact:<dn>

is an explicit DN which must pass normalization
and exact match.  I think this is the least useful,
but at last we don't have to apply a regex to
strings that require exact match, and we preserve
the original behavior of applying regex to "dn:"
style saslAuthz* strings.  I'm in favour of deprecating
their use, and recommend the use of "dn.regex:" or
"dn.exact:" for better performance and semantics.

I'll commit the patch in a moment.

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Prev by Date: RE: 2.2.3 w/db-4.2.50 fails test000 on SGI only (ITS#2856)
Next by Date: RE: sasl authz 'dn:' type normalization (ITS#2852)
Index(es):
- Chronological
- Thread