RE: sasl authz 'dn:' type normalization (ITS#2852)
> Is this approach really necessary? Can we just defer the dnNormalize
> until after the regexp has been expanded?
No, in this case no DN expansion takes place, because
it's not a sort of sasl-regexp operation (i.e. a mapping)
but rather a match in ACL style (i.e. a DN is tried
against a regular expression to see whether it matches
or not).
I came out with a more elaborate solution, respectful
of current stuff and with better semantics (mutuated from
ACLs, BTW):

    dn:<smtg>
        is not normalized, and used as input to regcomp() to
        compare against assertedDN;

    dn.regex:<smtg>
        is an explicit version of the above

    dn.exact:<dn>
        is an explicit DN which must pass normalization
        and exact match. I think this is the least useful,
        but at last we don't have to apply a regex to
        strings that require exact match, and we preserve
        the original behavior of applying regex to "dn:"
        style saslAuthz* strings.

I'm in favour of deprecating their use, and recommend the use of
"dn.regex:" or "dn.exact:" for better performance and semantics.

I'll commit the patch in a moment.
Ando.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
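
Added example (not part of the original message and not OpenLDAP's code): a sketch of the three rule styles described above, showing how regex matching and exact matching treat the same asserted DN. Assumptions: authz_match() and toy_normalize() are hypothetical names, toy_normalize() is a simplified stand-in for real DN normalization, the asserted DN arrives already normalized, the pattern is handed to regcomp() exactly as written with the flags shown, and all DNs are constructed samples.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for DN normalization (assumption, not dnNormalize()):
 * lowercase everything and drop spaces that follow ',' or '='. */
static void toy_normalize(const char *in, char *out, size_t n) {
    size_t j = 0;
    char prev = ',';
    for (; *in && j + 1 < n; in++) {
        if (*in == ' ' && (prev == ',' || prev == '=')) continue;
        prev = *in;
        out[j++] = (char)tolower((unsigned char)*in);
    }
    out[j] = '\0';
}

/* Returns 1 on match, 0 on no match, -1 if the rule is unusable.
 * asserted_dn is assumed to be normalized by the caller. */
int authz_match(const char *rule, const char *asserted_dn) {
    char norm[256];
    const char *pat;
    regex_t re;
    int rc;

    if (strncmp(rule, "dn.exact:", 9) == 0) {
        toy_normalize(rule + 9, norm, sizeof norm);
        if (!strchr(norm, '=')) return -1;   /* toy "must pass normalization" */
        return strcmp(norm, asserted_dn) == 0;
    }
    if (strncmp(rule, "dn.regex:", 9) == 0) pat = rule + 9;
    else if (strncmp(rule, "dn:", 3) == 0) pat = rule + 3;  /* legacy form */
    else return -1;

    /* The pattern is not normalized and gets no implicit ^...$ anchors. */
    if (regcomp(&re, pat, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0) return -1;
    rc = regexec(&re, asserted_dn, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void) {
    const char *longer = "cn=proxy,dc=example,dc=com,o=other"; /* constructed */
    printf("dn:       %d\n", authz_match("dn:cn=proxy,dc=example,dc=com", longer));
    printf("dn.exact: %d\n", authz_match("dn.exact:cn=proxy,dc=example,dc=com", longer));
    return 0;
}
```

Under these assumptions a "dn:" value that looks like a plain DN still behaves as an unanchored pattern, so it matches any asserted DN containing it, while the same value under "dn.exact:" matches only that DN.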