Full_Name: authz-regex dnNormalize() filter expression with matching rule assertion
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:4ca0:0:fe00:200:5efe:81bb:f4c)

We tried to support/implement case-sensitive logins using SASL DIGEST-MD5. Imagine the following partial authz-regexp statement:

ldap:///ou=users,ou=eecbcs.de,dc=foo,dc=bar??one?(uid:caseExactMatch:=$1)

During "dnNormalize" the uid is transformed into lowercase, which causes the caseExactMatch to fail:

SASL [conn=1010] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=user1HAHA,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=user1HAHA,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=user1HAHA,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=user1HAHA,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=user1HAHA,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth' string='uid=user1HAHA,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=users,ou=eecbcs.de,dc=foo,dc=bar??one?(uid:caseExactMatch:=user1haha)'}
This micro-patch "works for me": ftp://ftp.openldap.org/incoming/Daniel-Pluta-110424.patch

Disclaimer: I don't know the details regarding the need for normalization, but ... to my current knowledge, and as opposed to authDNs, there's no need to normalize authcIDs at all?

slapd's behaviour before the patch:

do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1001] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=userHAHAHA,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=userHAHAHA,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=userhahaha,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=userhahaha,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=userhahaha,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth' string='uid=userhahaha,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha)'}
slap_parseURI: parsing ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha)
ldap_url_parse_ext(ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha))
put_filter: "(userLogin=userhahaha)"

slapd's behaviour after the patch has been applied:

do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=userHAHAHA,cn=DIGEST-MD5,cn=auth
==>slap_sasl2dn: converting SASL name uid=userHAHAHA,cn=DIGEST-MD5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=userHAHAHA,cn=DIGEST-MD5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth' string='uid=userHAHAHA,cn=DIGEST-MD5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA)'}
slap_parseURI: parsing ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA)
ldap_url_parse_ext(ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA))
put_filter: "(userLogin=userHAHAHA)"
put_filter: simple
put_simple_filter: "userLogin=userHAHAHA"

Note: the userLogin attribute is defined using octetString syntax and is thus compared case-sensitively.
In case authcIDs do not need to be normalized, this seems to be a better place to disable normalization: ftp://ftp.openldap.org/incoming/Daniel-Pluta-110502.patch

Now authzIDs of the form "u:xxxx" are also affected.
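The mapping failure described in the report above, reproduced as an added example (this is a simulation written for this page; it is not slapd's code and not taken from the reporter's patches). It models dnNormalize as lower-casing the values of RDNs whose attribute type uses caseIgnoreMatch, applies the reporter's authz-regexp rule with $1 substitution, and evaluates the resulting filter against constructed entries. Assumptions: the schema subset EQUALITY_RULE (uid/cn/ou/dc caseIgnoreMatch, userLogin octetString as the reporter states); the match pattern is compiled case-insensitively because the logs show "cn=digest-md5" matching "DIGEST-MD5"; normalize=False stands in for what the patches do (skip dnNormalize for the authcID). The names MATCH, BASE, ENTRIES, sasl2dn and the helpers are this example's own.

```python
import re

# Constructed schema subset (not slapd's schema code): equality matching rule
# per attribute type.  uid/cn/ou/dc use caseIgnoreMatch in the standard schema;
# userLogin is the reporter's custom octetString attribute, compared exactly.
EQUALITY_RULE = {
    "uid": "caseIgnoreMatch",
    "cn": "caseIgnoreMatch",
    "ou": "caseIgnoreMatch",
    "dc": "caseIgnoreMatch",
    "userLogin": "octetStringMatch",
}

# The reporter's authz-regexp match pattern and the replacement URIs from the
# logs above (plus a plain uid=$1 variant for comparison); BASE is their base.
MATCH = r"uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth"
BASE = "ou=users,ou=eecbcs.de,dc=foo,dc=bar"
REPLACE_CASE_EXACT = f"ldap:///{BASE}??one?(uid:caseExactMatch:=$1)"
REPLACE_USERLOGIN = f"ldap:///{BASE}??one?(userLogin=$1)"
REPLACE_DEFAULT = f"ldap:///{BASE}??one?(uid=$1)"

# Constructed entries: two accounts whose login names differ only by case.
# uid is caseIgnore, so they cannot both have uid=user1HAHA; the second
# account keeps its exact login only in the octetString attribute userLogin.
ENTRIES = [
    {"dn": f"uid=user1HAHA,{BASE}", "uid": "user1HAHA", "userLogin": "user1HAHA"},
    {"dn": f"uid=user1haha-2,{BASE}", "uid": "user1haha-2", "userLogin": "user1haha"},
]


def values_match(rule, stored, asserted):
    """Compare a stored value with an assertion value under a matching rule."""
    if rule == "caseIgnoreMatch":
        return stored.casefold() == asserted.casefold()
    # caseExactMatch and octetStringMatch both compare the values as-is.
    return stored == asserted


def dn_normalize(dn):
    """Simulated dnNormalize: lower-case attribute types and fold the value of
    every RDN whose attribute type uses a case-insensitive equality rule."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if EQUALITY_RULE.get(attr, "caseIgnoreMatch") == "caseIgnoreMatch":
            value = value.lower()
        rdns.append(f"{attr.lower()}={value}")
    return ",".join(rdns)


def apply_authz_regexp(sasl_dn, match, replace):
    """Apply one authz-regexp rule: match the SASL DN case-insensitively (the
    logs show 'cn=digest-md5' matching 'DIGEST-MD5') and substitute the $N
    back-references into the replacement URI.  Returns None when no match."""
    m = re.fullmatch(match, sasl_dn, re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replace)


# One equality or extensible-match component: (attr=value) / (attr:rule:=value)
FILTER = re.compile(r"\((?P<attr>[A-Za-z]+)(?::(?P<rule>[A-Za-z]+):)?=(?P<value>[^)]*)\)")


def search(filter_str, entries):
    """Evaluate the filter over the constructed entries; return matching DNs."""
    m = FILTER.fullmatch(filter_str)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, rule, value = m.group("attr"), m.group("rule"), m.group("value")
    rule = rule or EQUALITY_RULE.get(attr, "caseIgnoreMatch")
    return [e["dn"] for e in entries if attr in e and values_match(rule, e[attr], value)]


def sasl2dn(authcid, mech, replace, entries=ENTRIES, normalize=True):
    """Simulated slap_sasl2dn: build the SASL auth DN, run it through
    dnNormalize (normalize=True) or skip that step as the reporter's patches
    do (normalize=False), rewrite it with the authz-regexp rule, then
    evaluate the filter part of the resulting URI."""
    sasl_dn = f"uid={authcid},cn={mech},cn=auth"
    if normalize:
        sasl_dn = dn_normalize(sasl_dn)
    uri = apply_authz_regexp(sasl_dn, MATCH, replace)
    if uri is None:
        return []
    filter_str = uri.rsplit("?", 1)[1]   # ldap:///base??scope?filter
    return search(filter_str, entries)


if __name__ == "__main__":
    for name, replace in [("uid=$1", REPLACE_DEFAULT),
                          ("uid:caseExactMatch:=$1", REPLACE_CASE_EXACT),
                          ("userLogin=$1", REPLACE_USERLOGIN)]:
        for normalize in (True, False):
            print(f"{name:28} normalize={normalize!s:5} ->",
                  sasl2dn("user1HAHA", "DIGEST-MD5", replace, normalize=normalize))
```

Run stand-alone, the main block prints the three mappings for authcID "user1HAHA" with and without normalization: with (uid=$1) the case is irrelevant either way because uid is caseIgnore; with (uid:caseExactMatch:=$1) the normalized path yields the filter (uid:caseExactMatch:=user1haha) and matches no entry, which is the failure in the report; and with the octetString userLogin attribute the normalized filter (userLogin=user1haha) selects the other constructed account whose login differs only by case, which is the practical consequence of folding an authcID that the deployment treats as case-sensitive.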
changed notes moved from Incoming to Software Bugs
has patch specification failure on what to do in this case
changed notes moved from Software Bugs to Incoming
Created attachment 621: daniel-pluta-2011-04-24.patch (from FTP server)
Created attachment 622: daniel-pluta-2011-05-02.patch
Comment on attachment 621 daniel-pluta-2011-04-24.patch: Patches must be applied together
no.