
RE: sasl authz 'dn:' type normalization (ITS#2852)

> Is this approach really necessary? Can we just defer the dnNormalize
> until after the regexp has been expanded?

No, in this case no DN expansion takes place, because
it's not a sort of sasl-regexp operation (i.e. a mapping)
but rather a match in ACL style (i.e. a DN is tried
against a regular expression to see whether it matches
or not).

I came up with a more elaborate solution, respectful
of current stuff and with better semantics (borrowed from


is not normalized, and used as input to regcomp() to
compare against assertedDN;


is an explicit version of the above


is an explicit DN which must pass normalization
and exact match.  I think this is the least useful,
but at least we don't have to apply a regex to
strings that require exact match, and we preserve
the original behavior of applying regex to "dn:"
style saslAuthz* strings.  I'm in favour of deprecating
their use, and recommend the use of "dn.regex:" or
"dn.exact:" for better performance and semantics.

I'll commit the patch in a moment.


Pierangelo Masarati
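An added illustration (not the patch from this thread) modelling the three rule forms described in the message above; it uses a deliberately simplified DN normalizer as a stand-in for slapd's dnNormalize(), and also shows why the regex text itself must not be normalized before it is compiled:

```python
import re


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (an assumption for this example): lowercase
    attribute types and values and strip whitespace around separators.
    slapd's real dnNormalize() applies each attribute's matching rule and
    handles escapes and multi-valued RDNs, which this stand-in ignores."""
    out = []
    for rdn in dn.split(","):
        atype, _, value = rdn.strip().partition("=")
        out.append(f"{atype.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def saslauthz_match(rule: str, asserted_dn: str) -> bool:
    """Decide whether asserted_dn satisfies one saslAuthz* rule.

    dn.exact:  the rule is a DN; both sides are normalized and compared.
    dn.regex:  the rule is a regular expression, compiled as written and
               matched against the normalized asserted DN.
    dn:        legacy form, kept as a regex match like dn.regex.
    """
    ndn = normalize_dn(asserted_dn)
    if rule.startswith("dn.exact:"):
        return normalize_dn(rule[len("dn.exact:"):]) == ndn
    for prefix in ("dn.regex:", "dn:"):
        if rule.startswith(prefix):
            return re.fullmatch(rule[len(prefix):], ndn) is not None
    raise ValueError(f"unsupported saslAuthz rule: {rule!r}")


def saslauthz_match_normalizing_pattern(rule: str, asserted_dn: str) -> bool:
    """The behaviour the thread argues against: running the regex text
    through DN normalization before regcomp() mangles its metacharacters
    (here "[^,]+" becomes "[^,]+=", which no real DN satisfies)."""
    pattern = normalize_dn(rule.split(":", 1)[1])
    return re.fullmatch(pattern, normalize_dn(asserted_dn)) is not None


# Constructed sample values for the demonstration.
ASSERTED = "UID=Alice, OU=People, DC=Example, DC=Com"
REGEX_RULE = "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"
EXACT_RULE = "dn.exact:uid=alice,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    print(saslauthz_match(REGEX_RULE, ASSERTED))                      # True
    print(saslauthz_match(EXACT_RULE, ASSERTED))                      # True
    print(saslauthz_match_normalizing_pattern(REGEX_RULE, ASSERTED))  # False
```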