Re: (ITS#6912) authz-regexp DN normalization of authcIDs
This micro-patch "works for me":
ftp://ftp.openldap.org/incoming/Daniel-Pluta-110424.patch

Disclaimer: I don't know the details regarding the need for
normalization but ...
... to my current knowledge and opposed to authDNs, there's no need to
normalize authcIDs at all?

slapd's behaviour before the patch:
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1001] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=userHAHAHA,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=userHAHAHA,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=userhahaha,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name
uid=userhahaha,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1]
string='uid=userhahaha,cn=digest-md5,cn=auth'
==> rewrite_rule_apply
rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth'
string='uid=userhahaha,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha)'}
slap_parseURI: parsing
ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha)
ldap_url_parse_ext(ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha))
put_filter: "(userLogin=userhahaha)"

slapd's behaviour after the patch has been applied:
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=userHAHAHA,cn=DIGEST-MD5,cn=auth
==>slap_sasl2dn: converting SASL name
uid=userHAHAHA,cn=DIGEST-MD5,cn=auth to a DN
==> rewrite_context_apply [depth=1]
string='uid=userHAHAHA,cn=DIGEST-MD5,cn=auth'
==> rewrite_rule_apply
rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth'
string='uid=userHAHAHA,cn=DIGEST-MD5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA)'}
slap_parseURI: parsing
ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA)
ldap_url_parse_ext(ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA))
put_filter: "(userLogin=userHAHAHA)"
put_filter: simple
put_simple_filter: "userLogin=userHAHAHA"

Note: the userLogin attribute is defined using octetString syntax and
is thus compared case-sensitively.
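
The two log traces above, replayed as an added example (not part of the original message and not OpenLDAP code): it shows why lowercasing the authcID before the rule is applied makes a byte-exact userLogin lookup miss the entry. Assumptions: the replacement template is inferred from the rewrite result in the log, normalize() is a simplified stand-in for dnNormalize, and the directory entries are constructed.

```python
import re

# Rule pattern copied from the debug log above. The log shows it matching the
# lowercased DN too, so it is applied case-insensitively here.
RULE = re.compile(
    r"uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth",
    re.IGNORECASE,
)
# Assumption: replacement template inferred from the rewrite result in the log.
TEMPLATE = "ldap:///ou=users,dc=foo,dc=bar??one?(userLogin={0})"

# Constructed sample directory. userLogin is held as bytes to model the
# byte-exact comparison of an octetString attribute.
DIRECTORY = {
    "cn=entry1,ou=users,dc=foo,dc=bar": b"userHAHAHA",
    "cn=entry2,ou=users,dc=foo,dc=bar": b"someoneelse",
}

def normalize(dn):
    """Simplified stand-in for dnNormalize: the log shows the DN lowercased."""
    return dn.lower()

def rewrite(sasl_dn):
    """Apply the rule and return the LDAP search URL, or None if no match."""
    m = RULE.search(sasl_dn)
    return TEMPLATE.format(m.group(1)) if m else None

def search(url):
    """Evaluate the URL's simple equality filter against DIRECTORY."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", url.rsplit("?", 1)[1])
    if m is None or m.group(1) != "userLogin":
        return []
    wanted = m.group(2).encode()
    return sorted(dn for dn, login in DIRECTORY.items() if login == wanted)

def resolve(authcid, mech, normalize_first):
    """Return (search URL, matching entry DNs) for one SASL bind."""
    dn = f"uid={authcid},cn={mech},cn=auth"
    if normalize_first:
        dn = normalize(dn)
    url = rewrite(dn)
    return url, (search(url) if url else [])

if __name__ == "__main__":
    for label, flag in (("before patch", True), ("after patch", False)):
        print(label, *resolve("userHAHAHA", "DIGEST-MD5", flag))
```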