
RE: sasl-regexp proper behavior?



> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Quanah Gibson-Mount

> I recently had bad data in my directory (oops) that would return 2
> results to the sasl-regexp query for what bind DN to map a user to.
>
> Other than this being a shot myself in the foot scenario, I'm
> curious about:
>
> What is the current behavior when this happens? Would the entity get
> assigned the first DN returned?

No. That would be insecure.

> What should the correct behavior be?  From the literature,
> sasl-regexp
> should be a 1-1 mapping.  So in a case like this when two results are
> returned, should the entity be mapped to a DN at all?  Or would it be
> better to return an error?

No mapping is done. The server requires that one-and-only-one entry matches
the regexp, otherwise the mapping step fails and the input DN is unchanged.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
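As an added illustration (not code from this thread or from OpenLDAP itself), a small Python model of the mapping rule described above, together with a check for the duplicate-attribute condition that produced the two results. The sasl-regexp directive, the LDAP URL and the directory entries are constructed, and the search is a toy that only handles a single equality filter.

```python
import re

# Constructed sample directory, not real data. The third entry carries
# bob's uid as well, reproducing the "bad data" situation from the thread.
ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": ["bob"]},
    {"dn": "cn=bob2,ou=staff,dc=example,dc=com", "uid": ["bob"]},
]

# Assumed sasl-regexp directive: a pattern for the SASL authc DN and an
# LDAP URL whose $1 placeholder is filled from the regexp match.
SASL_REGEXP = (r"^uid=([^,]+),cn=[^,]+,cn=auth$",
               "ldap:///dc=example,dc=com??sub?(uid=$1)")


def search(entries, base, attr, value):
    """Toy subtree search: DNs under base whose attr holds value (case-sensitive)."""
    return [e["dn"] for e in entries
            if e["dn"].endswith(base) and value in e.get(attr, [])]


def sasl_map(authc_dn, entries=ENTRIES):
    """Model the mapping step: exactly one search result is required;
    zero or several results leave the input DN unchanged."""
    pattern, url = SASL_REGEXP
    m = re.match(pattern, authc_dn)
    if not m:
        return authc_dn
    # Substitute $1..$n with the captured groups to build the search URL.
    expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), url)
    u = re.match(r"ldap:///([^?]*)\?[^?]*\?[^?]*\?\((\w+)=([^)]*)\)$", expanded)
    if not u:
        return authc_dn
    base, attr, value = u.groups()
    results = search(entries, base, attr, value)
    return results[0] if len(results) == 1 else authc_dn


def duplicate_values(entries, attr="uid"):
    """Check for the bad-data condition: attribute values held by several entries."""
    seen = {}
    for e in entries:
        for v in e.get(attr, []):
            seen.setdefault(v, []).append(e["dn"])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}
```

Running `duplicate_values` over the attribute used in the regexp's search filter is a quick way to find entries that will make the mapping fail before users hit the bind error.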