
Re: OpenLDAP goes too deep with regex's (ITS#2174)

--On Monday, November 11, 2002 6:54 PM +0100 Pierangelo Masarati 
<ando@sys-net.it> wrote:

>> I'm not quite sure on what you mean that the match is unique.  All that
>> really needs to be known, is that the GSSAPI bit matches one of the two
>> entries.  So, if it matches the data in krb5PrincipalName, it doesn't
>> matter what is in suKrb5name, because this search was then a success.
> I mean: when mapping auth tokens to DNs you want the mapping
> to be unique, otherwise your regex is definitely flawed and
> you might incur real security problems.  So a successful
> search is expected to return EXACTLY ONE entry.  This is my
> opinion, at least.
> Pierangelo.


This is correct.  Now, let's look at the fact that I have the following K5 

Since krb5PrincipalName is a single-valued attribute, I cannot represent 
all 3 of these in the basic K5 schema.  So, we also have suKrb5Name.  So, 
my person entry could contain:


So, depending on which TGT I bind as, I am still only going to ever get 
EXACTLY ONE entry.  But, it should STOP searching when it gets that ONE 
entry.  Instead it keeps searching. :)


Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
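The two positions in this thread (stop at the first hit vs. require exactly one hit) can be illustrated with a small model of the auth-token-to-DN mapping. The Python below is an added example, not OpenLDAP code: it does not reproduce slapd's regex or LDAP search machinery, only the decision that Pierangelo describes. The sample directory entries, the regex over the `uid=...,cn=gssapi,cn=auth` authorization id, the attribute names searched, and the `map_authzid` function are all constructed for this illustration; the stale duplicate entry is there to show the failure mode that a first-match lookup silently hides.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample directory (DN, attributes). Entry "alice-old" is a stale
# duplicate that still carries alice's principal in suKrb5Name.
DIRECTORY: List[Tuple[str, Dict[str, List[str]]]] = [
    ("uid=alice,dc=example,dc=com",
     {"krb5PrincipalName": ["alice@EXAMPLE.COM"],
      "suKrb5Name": ["alice/admin@EXAMPLE.COM", "alice/root@EXAMPLE.COM"]}),
    ("uid=bob,dc=example,dc=com",
     {"krb5PrincipalName": ["bob@EXAMPLE.COM"],
      "suKrb5Name": ["bob/admin@EXAMPLE.COM"]}),
    ("uid=alice-old,dc=example,dc=com",
     {"krb5PrincipalName": ["alice.old@EXAMPLE.COM"],
      "suKrb5Name": ["alice@EXAMPLE.COM"]}),
]

# Constructed mapping rule: capture the Kerberos principal out of the SASL
# authorization id and look it up in either principal attribute (an OR filter).
RULES: List[Tuple[re.Pattern, Sequence[str]]] = [
    (re.compile(r"uid=([^,]+),cn=gssapi,cn=auth"),
     ("krb5PrincipalName", "suKrb5Name")),
]


class NoMapping(Exception):
    """No rule matched, or the search returned zero entries."""


class AmbiguousMapping(Exception):
    """The search returned more than one entry for the same auth token."""


def find_candidates(principal: str, attrs: Sequence[str],
                    directory=DIRECTORY) -> List[str]:
    """Return every DN whose listed attributes contain the principal."""
    return [dn for dn, entry in directory
            if any(principal in entry.get(a, []) for a in attrs)]


def map_authzid(authzid: str, require_unique: bool = True,
                rules=RULES, directory=DIRECTORY) -> str:
    """Map a SASL authorization id to a DN.

    require_unique=True models the "EXACTLY ONE entry" rule: the search is
    run to completion and a second hit is an error, because two entries
    claiming the same token means the identity is not well defined.
    require_unique=False models stopping at the first hit; it returns a DN
    even when the data is ambiguous, so the outcome depends on entry order.
    """
    for pattern, attrs in rules:
        match = pattern.fullmatch(authzid)
        if not match:
            continue
        hits = find_candidates(match.group(1), attrs, directory)
        if not hits:
            raise NoMapping(f"no entry for {authzid!r}")
        if len(hits) > 1 and require_unique:
            raise AmbiguousMapping(f"{authzid!r} maps to {hits}")
        return hits[0]
    raise NoMapping(f"no rule matches {authzid!r}")


def classify(authzid: str) -> str:
    """Summarize the mapping outcome under the strict rule."""
    try:
        return "ok:" + map_authzid(authzid)
    except AmbiguousMapping:
        return "ambiguous"
    except NoMapping:
        return "none"


if __name__ == "__main__":
    for token in ("uid=bob/admin@EXAMPLE.COM,cn=gssapi,cn=auth",
                  "uid=alice@EXAMPLE.COM,cn=gssapi,cn=auth",
                  "uid=carol@EXAMPLE.COM,cn=gssapi,cn=auth"):
        print(f"{token:50} strict={classify(token):35} "
              f"first-hit={map_authzid(token, require_unique=False) if classify(token) != 'none' else '-'}")
```

Running it shows bob's admin principal resolving cleanly under both policies, alice's principal rejected as ambiguous under the strict policy but silently resolved to whichever entry comes first under the first-hit policy, and an unknown principal rejected by both. The strict policy is what turns a provisioning mistake into a visible bind failure instead of an identity that depends on directory ordering.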