[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP goes too deep with regex's (ITS#2174)

Full_Name: Quanah Gibson-Mount
Version: 2.1.8
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

When using a sasl-regexp of the form:

sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth

I found that even though
a) suKrb5name wasn't in an entry and
b) the information was looking for was in krb5PrincipalName

slapd would still continue to look for the suKrb5Name attribute, even after
getting a successful match at krb5PrincipalName.

This really violates the purpose of an OR statement, and greatly decreases the
efficiency of slapd.