
(ITS#6887) authz-regexp: backslash escaping/normalization



Full_Name: Daniel Pluta
Version: 2.4.23
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:4ca0:0:fe15::1)


1.) The following authz-regexp statement looks and works fine with slapd:

authz-regexp
        uid=([^,]+)@([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth
        "ldap:///ou=users,ou=$1,dc=foo,dc=bar??one?(mail=$2)"

do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=domain@user,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=domain@user,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=domain@user,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=domain@user,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1]
string='uid=domain@user,cn=digest-md5,cn=auth'
==> rewrite_rule_apply
rule='uid=([^,]+)@([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth'
string='uid=domain@user,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=user)'}
slap_parseURI: parsing ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=user)
ldap_url_parse_ext(ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=user))
put_filter: "(mail=user)"
put_filter: simple
put_simple_filter: "mail=user"
ber_scanf fmt ({mm}) ber:
>>> dnNormalize: <ou=users,ou=domain,dc=foo,dc=bar>
<<< dnNormalize: <ou=users,ou=domain,dc=foo,dc=bar>
slap_sasl2dn: performing internal search (base=ou=users,ou=domain,dc=foo,dc=bar, scope=1)
=> hdb_search
bdb_dn2entry("ou=users,ou=domain,dc=foo,dc=bar")
=> hdb_dn2id("ou=domain,dc=foo,dc=bar")

==========================================================================

2.) The following authz-regexp, where the @-separator is replaced by a \-separator,
seems to cause problems:

authz-regexp
        uid=([^,]+)\\([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth
        "ldap:///ou=users,ou=$1,dc=foo,dc=bar??one?(mail=$2)"

Looks strange:

do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=domain\5Cuser,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=domain\5Cuser,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=domain\5Cuser,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=domain\5Cuser,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1]
string='uid=domain\5Cuser,cn=digest-md5,cn=auth'
==> rewrite_rule_apply
rule='uid=([^,]+)\([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth'
string='uid=domain\5Cuser,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'uid=domain\5Cuser,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=domain\5Cuser,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=domain\5Cuser,cn=digest-md5,cn=auth)
>>> dnNormalize: <uid=domain\5Cuser,cn=digest-md5,cn=auth>
<<< dnNormalize: <uid=domain\5Cuser,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=domain\5Cuser,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=domain\5Cuser,cn=digest-md5,cn=auth

==========================================================================

3.) Just one more try using "[\\]" instead of "\\":

authz-regexp
        uid=([^,]+)[\\]([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth
        "ldap:///ou=users,ou=$1,dc=foo,dc=bar??one?(mail=$2)"

Looks strange too:

do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=domain\5Cuser,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=domain\5Cuser,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=domain\5Cuser,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=domain\5Cuser,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1]
string='uid=domain\5Cuser,cn=digest-md5,cn=auth'
==> rewrite_rule_apply
rule='uid=([^,]+)[\]([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth'
string='uid=domain\5Cuser,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=5Cuser)'}
slap_parseURI: parsing ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=5Cuser)
ldap_url_parse_ext(ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=5Cuser))
put_filter: "(mail=5Cuser)"
put_filter: simple
put_simple_filter: "mail=5Cuser"
ber_scanf fmt ({mm}) ber:
>>> dnNormalize: <ou=users,ou=domain,dc=foo,dc=bar>
<<< dnNormalize: <ou=users,ou=domain,dc=foo,dc=bar>
slap_sasl2dn: performing internal search (base=ou=users,ou=domain,dc=foo,dc=bar, scope=1)
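The three runs above can be reproduced outside slapd: the log shows that dnNormalize hex-escapes the backslash in the SASL name to `\5C` before the rewrite rules ever see it, so the rule has to match the normalized form. The C below is an added illustration, not code from the ITS or from OpenLDAP; it feeds the logged SASL names to the logged rule strings through POSIX regcomp/regexec (case-insensitive, which librewrite uses by default) and extracts `$2`, the value that ends up in `(mail=$2)`. The `RULE_HEX` pattern, which matches the `\5C` escape, is a hypothetical ERE added here and is not a slapd.conf line from the report.

```c
#include <regex.h>
#include <string.h>

/* Constructed inputs: the SASL names as the ITS log shows them after
 * dnNormalize, which hex-escapes the backslash in the user name as "\5C". */
#define NAME_AT "uid=domain@user,cn=digest-md5,cn=auth"
#define NAME_BS "uid=domain\\5Cuser,cn=digest-md5,cn=auth"

/* The rules as slapd logged them (rule='...'), i.e. after slapd.conf
 * parsing consumed one level of backslash quoting. */
#define TAIL     ",cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth"
#define RULE_AT  "uid=([^,]+)@([^,]+)" TAIL
#define RULE_BS  "uid=([^,]+)\\([^,]+)" TAIL    /* ERE reads \( as a literal '(' */
#define RULE_BRK "uid=([^,]+)[\\]([^,]+)" TAIL  /* [\] is a bracket holding '\' */
/* Hypothetical ERE (not from the ITS) that matches the normalized "\5C". */
#define RULE_HEX "uid=([^,]+)\\\\5C([^,]+)" TAIL

/* Apply one rule as POSIX ERE, case-insensitive (librewrite's default), and
 * copy capture group `group` into out (out may be NULL to only test for a
 * match). Returns 1 on match, 0 when the rule does not match (slapd then
 * passes the SASL name through unchanged), -1 when it does not compile. */
int capture_group(const char *rule, const char *name, int group,
                  char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[4];   /* whole match plus the three groups in the rules */
    int rc = 0;
    if (regcomp(&re, rule, REG_EXTENDED | REG_ICASE) != 0)
        return -1;
    if (regexec(&re, name, 4, m, 0) == 0 && m[group].rm_so >= 0) {
        size_t n = (size_t)(m[group].rm_eo - m[group].rm_so);
        if (out != NULL && outlen > 0) {
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, name + m[group].rm_so, n);
            out[n] = '\0';
        }
        rc = 1;
    }
    regfree(&re);
    return rc;
}

/* 1 if $2 (the part that ends up in "(mail=$2)") equals want. */
int group2_equals(const char *rule, const char *name, const char *want)
{
    char buf[128];
    return capture_group(rule, name, 2, buf, sizeof buf) == 1
        && strcmp(buf, want) == 0;
}
```

With these inputs the `@` rule yields `user`, the `\\` rule (logged as `\(`) does not match at all, so the name passes through unchanged as in run 2, and the `[\\]` rule matches the backslash but captures `5Cuser`, exactly as run 3 logs.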