Re: OpenLDAP goes too deep with regex's (ITS#2174)



> Full_Name: Quanah Gibson-Mount
> Version: 2.1.8
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (171.64.19.82)
>
>
> When using a sasl-regexp of the form:
>
> sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
> ldaps://cn=People,dc=stanford,dc=edu??sub?(|(krb5PrinicipalName=$1@$2)(suKrb5name=$1@$2))
>
> I found that even though
> a) suKrb5name wasn't in an entry and
> b) the information it was looking for was in krb5PrincipalName
>
> slapd would still continue to look for the suKrb5Name attribute, even
> after getting a successful match at krb5PrincipalName.
>
> This really violates the purpose of an OR statement, and greatly
> decreases the efficiency of slapd.

Correct me if I'm wrong, but in this case there is also the need
to assess that the match is unique, which defeats the performance
issue.  Comments?

Pierangelo.


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
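
A simplified model of the uniqueness point raised in the reply above, as an added example that is not part of the original thread and is not OpenLDAP code: a search-URL identity mapping is accepted only when exactly one entry matches, so the OR can short-circuit inside a single entry but the search cannot stop at the first matching entry. The directory entries, DNs and function names are constructed for illustration, and the linear scan stands in for slapd's real candidate selection.

```python
# Constructed sample entries; DNs and attribute values are illustrative only.
DIRECTORY = [
    {"dn": "uid=alice,cn=People,dc=example,dc=com",
     "krb5PrincipalName": ["alice@EXAMPLE.COM"]},
    {"dn": "uid=bob,cn=People,dc=example,dc=com",
     "krb5PrincipalName": ["bob@EXAMPLE.COM"]},
    # A second entry claiming bob's principal through the other OR branch.
    {"dn": "uid=svc,cn=People,dc=example,dc=com",
     "suKrb5name": ["bob@EXAMPLE.COM"]},
]

# Attributes of the OR filter from the report: (|(krb5PrincipalName=v)(suKrb5name=v))
OR_ATTRS = ("krb5PrincipalName", "suKrb5name")


def entry_matches(entry, value, stats):
    """Evaluate the OR filter on one entry, stopping at the first branch that matches."""
    for attr in OR_ATTRS:
        stats["attr_tests"] += 1
        if value in entry.get(attr, []):
            return True  # short-circuit is safe within a single entry
    return False


def map_sasl_identity(principal, directory=DIRECTORY):
    """Return (dn, stats); dn is None unless exactly one entry matches."""
    stats = {"entries_scanned": 0, "attr_tests": 0}
    hits = []
    for entry in directory:  # every candidate is checked to prove uniqueness
        stats["entries_scanned"] += 1
        if entry_matches(entry, principal, stats):
            hits.append(entry["dn"])
    return (hits[0] if len(hits) == 1 else None), stats


def first_match_only(principal, directory=DIRECTORY):
    """Hypothetical 'stop at first hit' variant, shown only for comparison."""
    for entry in directory:
        if entry_matches(entry, principal, {"attr_tests": 0}):
            return entry["dn"]
    return None


if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "bob@EXAMPLE.COM"):
        print(p, map_sasl_identity(p), first_match_only(p))
```

For the constructed principal `bob@EXAMPLE.COM`, the first-match variant maps to whichever entry is visited first, while the uniqueness check rejects the ambiguous mapping.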