
Re: OpenLDAP goes too deep with regex's (ITS#2174)




--On Monday, November 11, 2002 6:41 PM +0100 Pierangelo Masarati 
<ando@sys-net.it> wrote:

>
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.1.8
>> OS: Solaris 8
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (171.64.19.82)
>>
>>
>> When using a sasl-regexp of the form:
>>
>> sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
>> ldaps://cn=People,dc=stanford,dc=edu??sub?(|(krb5PrincipalName=$1@$2)(suKrb5name=$1@$2))
>>
>> I found that even though
>> a) suKrb5name wasn't in an entry and
>> b) the information I was looking for was in krb5PrincipalName
>>
>> slapd would still continue to look for the suKrb5Name attribute, even
>> after getting a successful match at krb5PrincipalName.
>>
>> This really violates the purpose of an OR statement, and greatly
>> decreases the efficiency of slapd.
>
> Correct if I'm wrong, but in this case there is also the need
> to assess that the match is unique, which defeats the performance
> issue.  Comments?
>
> Pierangelo.

Pierangelo,

I'm not quite sure what you mean by the match being unique.  All that 
really needs to be known, is that the GSSAPI bit matches one of the two 
entries.  So, if it matches the data in krb5PrincipalName, it doesn't 
matter what is in suKrb5name, because this search was then a success.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
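The two points raised in this thread, short-circuiting the OR filter once one alternative matches versus having to confirm that the mapping resolves to exactly one entry, are easy to confuse, so here is a small model of what sasl-regexp does, added as an illustration and not code from OpenLDAP or from either poster. It applies the regexp from the bug report to a GSSAPI authcid, substitutes the captures into the LDAP URL, evaluates the OR filter against a constructed in-memory directory, and accepts the mapping only if exactly one entry matches. The directory contents, the DNs, the STANFORD.EDU realm, the `lookups` counter and the deliberately minimal flat-OR filter parser are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample directory (not data from the thread). Attribute names
# follow the sasl-regexp in the bug report; DNs and principals are invented.
DIRECTORY = {
    "uid=quanah,cn=People,dc=stanford,dc=edu": {
        "krb5PrincipalName": ["quanah@STANFORD.EDU"],
    },
    "uid=bob,cn=People,dc=stanford,dc=edu": {
        "suKrb5name": ["bob@STANFORD.EDU"],
    },
    "uid=bob2,cn=People,dc=stanford,dc=edu": {
        # second entry carrying the same principal: the mapping is ambiguous
        "krb5PrincipalName": ["bob@STANFORD.EDU"],
    },
}

# The sasl-regexp pattern and URL template from the bug report.
SASL_REGEXP = r"uid=(.*),cn=(.*),cn=gssapi,cn=auth"
SASL_URL = ("ldaps://cn=People,dc=stanford,dc=edu??sub?"
            "(|(krb5PrincipalName=$1@$2)(suKrb5name=$1@$2))")


def expand(template, m):
    """Substitute $1, $2, ... in the URL template with the regexp captures."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)


def parse_or_filter(flt):
    """Split a flat OR-of-equality filter (|(a=v)(b=w)) into (attr, value) pairs.

    Assumption: only this filter shape is handled, which is all the example needs.
    """
    inner = re.fullmatch(r"\(\|((?:\([^()]+\))+)\)", flt)
    if inner is None:
        raise ValueError("only flat OR-of-equality filters are supported")
    return [tuple(t.split("=", 1)) for t in re.findall(r"\(([^()]+)\)", inner.group(1))]


@dataclass
class Stats:
    lookups: int = 0   # attribute comparisons performed (assumed cost metric)


def entry_matches(terms, entry, short_circuit, stats):
    """Evaluate the OR filter against one entry.

    With short_circuit=True the remaining alternatives are skipped as soon as
    one matches (Quanah's point); with False every alternative is examined.
    """
    hit = False
    for attr, value in terms:
        stats.lookups += 1
        if value in entry.get(attr, []):
            hit = True
            if short_circuit:
                break   # further alternatives cannot change this entry's result
    return hit


def map_identity(authcid, short_circuit=True):
    """Map a SASL authcid to a DN. Returns (dn_or_None, lookups).

    Every candidate entry is still visited even when short-circuiting, because
    the mapping is only accepted if exactly one entry matches (Pierangelo's
    uniqueness point); short-circuiting only saves work inside each entry.
    """
    m = re.fullmatch(SASL_REGEXP, authcid)
    if m is None:
        return None, 0
    url = expand(SASL_URL, m)
    base, _attrs, _scope, flt = url.split("://", 1)[1].split("?", 3)
    terms = parse_or_filter(flt)
    stats = Stats()
    hits = [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base) and entry_matches(terms, entry, short_circuit, stats)]
    if len(hits) != 1:
        return None, stats.lookups   # zero or several matches: refuse to map
    return hits[0], stats.lookups


if __name__ == "__main__":
    for authcid in ("uid=quanah,cn=STANFORD.EDU,cn=gssapi,cn=auth",
                    "uid=bob,cn=STANFORD.EDU,cn=gssapi,cn=auth"):
        for sc in (True, False):
            print(authcid, "short_circuit=%s" % sc, map_identity(authcid, sc))
```

For `uid=quanah` the short-circuiting evaluation skips the suKrb5name comparison on the entry that already matched via krb5PrincipalName, but the two other entries are still scanned so the mapping can be confirmed unique; for `uid=bob` two entries match and the mapping is refused, which is the behaviour you want from an identity mapping regardless of how the OR is evaluated.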