
Re: (ITS#4747) Function nisNetgroupTripleValidate fails on underscores



G'Day Kurt

Yes, RFC 2307 is restrictive re: limiting the legal character set for the 
nisNetgroupTripleSyntax values to a "keystring" (ref: RFC 2252).

What I find irksome probably boils down to this:
since LDAP was originally designed to gateway requests to X.500 servers, the 
character set of an IA5String should be legal. (RFC 2307, section 2.4, X.500 
nisNetgroupTripleSyntax)

With the added twist of the knife that underscores are legal in the user CNs 
when doing the nisMapName=netgroup.byuser

Note: OS specific "bad chars" still need to be taken into account by the implementer.


Since the "nisNetgroupTripleSyntax" is unlikely to change from "keystring" to 
IA5String in the near future for OpenLDAP, I think I'll have to consider our 
options re: netgroup configuration and use.

Regards
IT Manager 2

Kurt D. Zeilenga wrote:
> At 09:26 PM 11/12/2006, temp1@ips.gov.au wrote:
>> Full_Name: IT Manager 2
>> Version: 2.3 & 2.4
>> OS: FreeBSD 6.2-PRERELEASE #0: Thu Oct 19 11:23:22 EST 2006
>> URL: 
>> Submission from: (NULL) (220.233.132.66)
>>
>>
>> Src ./servers/slapd/schema_init.c
>> Function nisNetgroupTripleValidate
>>
>> Fails validate of NIS Netgroup triplet when an underscore is used in a username,
>> hostname or domainname.
> 
> I believe this is the intended behavior.
> 
>> Which is allowable ie username bad chars are " ,\t:+&#%$^()!@~*?<>=|\\/\"".
> 
> RFC 2307 is more restrictive.
> 
> 
>> suggest change line
>>               } else if ( !AD_CHAR( *p ) ) {
>> to 
>>               } else if ( !(AD_CHAR( *p ) || (*p) == '_' ) ) {
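Review bot: the added `(*p) == '_'` test is applied to every character, so it admits an underscore in all three fields of the triple and at any position, including as a leading character. It also makes the validator accept values outside the syntax RFC 2307 defines, so if the relaxation is wanted it should carry a comment marking it as a deliberate deviation from the RFC, and a first-character check should be considered.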
>>
>> Regards
>> IT Manager 2
> 
>
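The disagreement above, as an added example that is not OpenLDAP's code and not part of this thread: a stand-alone C validator for the RFC 2307 triple form `(host,user,domain)`, where each field is empty, `-`, or a keystring, with a switch for the proposed underscore relaxation. The function names and the `key_char` character class (letters, digits, `-`, `;`) are assumptions made for the example, not the `AD_CHAR` macro from `schema_init.c`.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed character class: RFC 2252 keystring characters (letter, digit,
 * '-' or ';'). A stand-in for illustration, not OpenLDAP's AD_CHAR macro. */
static int key_char(unsigned char c, int allow_underscore)
{
    return isalnum(c) || c == '-' || c == ';' || (allow_underscore && c == '_');
}

/* One field of the triple: empty, "-", or a keystring (leading letter). */
static int field_ok(const char *s, size_t n, int allow_underscore)
{
    size_t i;
    if (n == 0 || (n == 1 && s[0] == '-')) return 1;
    if (!isalpha((unsigned char)s[0])) return 0;
    for (i = 1; i < n; i++)
        if (!key_char((unsigned char)s[i], allow_underscore)) return 0;
    return 1;
}

/* Returns 1 if val[0..len) is "(" host "," user "," domain ")", else 0.
 * Works on an explicit length, so an embedded NUL is just a bad character. */
int triple_valid(const char *val, size_t len, int allow_underscore)
{
    size_t start = 1, i;
    int fields = 0;
    if (len < 4 || val[0] != '(' || val[len - 1] != ')') return 0;
    for (i = 1; i < len; i++) {
        if (val[i] == ',' || i == len - 1) {   /* field ends at ',' or final ')' */
            if (!field_ok(val + start, i - start, allow_underscore)) return 0;
            fields++;
            start = i + 1;
        }
    }
    return fields == 3;                        /* exactly two commas */
}

/* Convenience wrapper for NUL-terminated strings (hypothetical helper). */
int triple_valid_str(const char *s, int allow_underscore)
{
    return triple_valid(s, strlen(s), allow_underscore);
}
```

With `allow_underscore` set to 0 the constructed value `(host_1,user,dom)` is rejected, which is the behaviour reported in the ITS; set to 1 it is accepted, while a leading underscore is still refused.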