
Re: OpenLDAP goes too deep with regex's (ITS#2174)

> This is correct.  Now, let's look at the fact that I have the following
> K5  Principals:
> quanah@stanford.edu
> quanah/root@stanford.edu
> quanah/admin@stanford.edu
> Since krb5PrincipalName is a single-valued attribute, I cannot represent
> all 3 of these in the basic K5 schema.  So, we also have suKrb5Name.
> So, my person entry could contain:
> krb5PrincipalName=quanah@stanford.edu
> suKrb5Name=quanah/root@stanford.edu
> suKrb5Name=quanah/admin@stanford.edu
> So, depending on which TGT I bind as, I am still only going to ever get
> EXACTLY ONE entry.  But, it should STOP searching when it gets that ONE
> entry.  Instead it keeps searching. :)

I understand your point very well, but this doesn't change
the situation at all: this is correct for you, because you
designed your directory in a clever way, but in principle it
might not be.  If there were ever a situation where stopping
at the first match is not the right choice, well, then you've met it.

What you'd need in your special clever case is to have a
sizelimit of 1; unfortunately there's no way to enforce
a sizelimit via search URI (at least to my knowledge :).

One solution would be to implement a custom extension like
"x-sizelimit=<n>" (and, of course, "x-timelimit=<n>"); this
could be a good solution since in case the sizelimit is
exceeded you get an immediate return.

If the idea sounds good then feel free to submit a patch :)

Pierangelo Masarati
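As an added illustration of the proposal above (not code from the thread or from OpenLDAP): a small parser for the RFC 4516 LDAP URL layout that reads a hypothetical `x-sizelimit=<n>` extension, and a toy search that enforces it, aborting as soon as an (n+1)th entry matches. The directory entries and the `x-sizelimit` name are constructed for the example.

```python
"""Added example: parse an LDAP URL (RFC 4516 layout) and honour the
x-sizelimit=<n> extension proposed in the thread.  x-sizelimit is a
hypothetical, not an OpenLDAP feature; the entries below are constructed."""
from urllib.parse import unquote, urlsplit


class SizeLimitExceeded(Exception):
    """Raised as soon as one more entry than the limit matches."""


def parse_ldap_url(url):
    """Return dn, attrs, scope, filter and the extension map of an LDAP URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # RFC 4516 separates dn?attrs?scope?filter?extensions with '?';
    # urlsplit only split off the first one, so re-join and split again.
    tail = parts.path.lstrip("/") + ("?" + parts.query if parts.query else "")
    dn, attrs, scope, flt, exts = (tail.split("?") + [""] * 5)[:5]
    extensions = {}
    for ext in filter(None, exts.split(",")):
        name, _, value = ext.lstrip("!").partition("=")  # '!' marks critical
        extensions[name.lower()] = unquote(value)
    return {"dn": unquote(dn), "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": unquote(flt), "ext": extensions}


def search(entries, url):
    """Toy search over a single (attr=value) equality filter.

    Returns (matched DNs, entries examined).  Without x-sizelimit every
    entry is examined; with x-sizelimit=n the scan aborts the moment an
    (n+1)th match appears, which is the 'immediate return' described above.
    """
    q = parse_ldap_url(url)
    limit = int(q["ext"].get("x-sizelimit", 0))
    attr, _, value = q["filter"].strip("()").partition("=")
    matched, examined = [], 0
    for entry in entries:
        examined += 1
        if value in entry.get(attr, []):
            if limit and len(matched) >= limit:
                raise SizeLimitExceeded(examined)
            matched.append(entry["dn"])
    return matched, examined


# Constructed directory, modelled on the entry layout quoted above.
ENTRIES = [
    {"dn": "uid=quanah,dc=stanford,dc=edu",
     "krb5PrincipalName": ["quanah@stanford.edu"],
     "suKrb5Name": ["quanah/root@stanford.edu", "quanah/admin@stanford.edu"]},
    {"dn": "uid=other,dc=stanford,dc=edu",
     "krb5PrincipalName": ["other@stanford.edu"]},
]
BASE = "ldap:///dc=stanford,dc=edu??sub?(suKrb5Name=quanah/root@stanford.edu)"
```

Note that a limit of 1 still has to examine the remaining entries when only one matches, since the server cannot know there is no second; the saving is the immediate abort once a second match is seen.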