
Re: (ITS#6912) authz-regexp DN normalization of authcIDs



this micro-patch "works for me": 
ftp://ftp.openldap.org/incoming/Daniel-Pluta-110424.patch

Disclaimer: I don't know the details regarding the need for 
normalization but ...
... to my current knowledge and opposed to authDNs, there's no need to 
normalize authcIDs at all?


slapd's behaviour before the patch:

do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1001] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=userHAHAHA,cn=DIGEST-MD5,cn=auth
 >>> dnNormalize: <uid=userHAHAHA,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=userhahaha,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name 
uid=userhahaha,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] 
string='uid=userhahaha,cn=digest-md5,cn=auth'
==> rewrite_rule_apply 
rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth' 
string='uid=userhahaha,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] 
res={0,'ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha)'}
slap_parseURI: parsing 
ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha)
ldap_url_parse_ext(ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha))
put_filter: "(userLogin=userhahaha)"


slapd's behaviour after the patch has been applied:

do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=userHAHAHA,cn=DIGEST-MD5,cn=auth
==>slap_sasl2dn: converting SASL name 
uid=userHAHAHA,cn=DIGEST-MD5,cn=auth to a DN
==> rewrite_context_apply [depth=1] 
string='uid=userHAHAHA,cn=DIGEST-MD5,cn=auth'
==> rewrite_rule_apply 
rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth' 
string='uid=userHAHAHA,cn=DIGEST-MD5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] 
res={0,'ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA)'}
slap_parseURI: parsing 
ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA)
ldap_url_parse_ext(ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA))
put_filter: "(userLogin=userHAHAHA)"
put_filter: simple
put_simple_filter: "userLogin=userHAHAHA"

Note: the userLogin attribute is defined with octetString syntax and is 
thus compared case-sensitively.
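The mapping in the two logs above, reconstructed as an added example (this is not OpenLDAP's code and not part of the post). It emulates slap_sasl2dn: build the SASL DN from the authcID, optionally case-fold it the way the pre-patch dnNormalize call does, rewrite it with the authz-regexp rule shown in the log, and run the resulting search URI against a small constructed directory whose userLogin values are compared byte-for-byte, as octetString syntax requires. The `$1` form of the replacement URI, the case-insensitive regexp match (the log shows the lowercased DN still matching the upper-case rule), the lower()-only normalization, and the two directory entries are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# authz-regexp rule quoted in the post's rewrite_rule_apply log line. The
# replacement URI with "$1" is assumed; the log only shows its result.
# re.IGNORECASE is assumed because the pre-patch log shows the lowercased
# DN still matching this upper-case rule.
AUTHZ_RULE = re.compile(
    r'uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth',
    re.IGNORECASE)
AUTHZ_URI = 'ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=$1)'

# Constructed directory (not from the post). userLogin uses octetString
# syntax, so two logins that differ only in case are two different values.
DIRECTORY = [
    {'dn': 'cn=alice,ou=users,dc=foo,dc=bar', 'userLogin': b'userHAHAHA'},
    {'dn': 'cn=bob,ou=users,dc=foo,dc=bar',   'userLogin': b'userhahaha'},
]


def sasl_dn(authcid, mech):
    """The synthetic DN slap_sasl_getdn builds from u:<authcid>."""
    return f'uid={authcid},cn={mech},cn=auth'


def dn_normalize(dn):
    """Stand-in for the pre-patch dnNormalize call in the log: it folds
    uid=userHAHAHA,cn=DIGEST-MD5,cn=auth to all lower case. (Real
    dnNormalize applies per-attribute matching rules; this is simplified.)"""
    return dn.lower()


def apply_authz_regexp(dn):
    """Rewrite the SASL DN into a search URI, or None if no rule matches."""
    m = AUTHZ_RULE.match(dn)
    if m is None:
        return None
    return AUTHZ_URI.replace('$1', m.group(1))


def parse_ldap_uri(uri):
    """Split ldap:///base?attrs?scope?filter (RFC 4516 shape) into parts."""
    m = re.match(r'ldap:///([^?]*)\??([^?]*)\??([^?]*)\??(.*)', uri)
    base, _attrs, scope, flt = m.groups()
    return {'base': unquote(base), 'scope': scope or 'base',
            'filter': unquote(flt)}


def evaluate_simple_filter(entry, flt):
    """Evaluate one (attr=value) equality filter. octetString syntax means
    a byte-exact comparison, so 'userhahaha' does not equal 'userHAHAHA'."""
    m = re.fullmatch(r'\((\w+)=([^)]*)\)', flt)
    attr, value = m.groups()
    return entry.get(attr) == value.encode()


def resolve_authz_dn(authcid, mech, normalize):
    """Emulate slap_sasl2dn: (normalize), rewrite, search; return matching DNs.
    normalize=True reproduces the pre-patch log, False the post-patch log."""
    dn = sasl_dn(authcid, mech)
    if normalize:
        dn = dn_normalize(dn)
    uri = apply_authz_regexp(dn)
    if uri is None:
        return []
    q = parse_ldap_uri(uri)
    hits = []
    for entry in DIRECTORY:
        parent = entry['dn'].split(',', 1)[1]
        if q['scope'] == 'one' and parent != q['base']:
            continue
        if evaluate_simple_filter(entry, q['filter']):
            hits.append(entry['dn'])
    return hits


if __name__ == '__main__':
    for normalize in (True, False):
        print('normalize=%s -> %s' % (
            normalize, resolve_authz_dn('userHAHAHA', 'DIGEST-MD5', normalize)))
```

With the case-fold in place the filter becomes `(userLogin=userhahaha)` and the search either finds nobody or, as in this constructed directory, finds a different entry than the one that actually authenticated; without it the filter carries the authcID verbatim and resolves to the intended entry.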