
Re: authz-regexp matches twice on same dse (ITS#4698)

Pierangelo Masarati wrote:

> I don't see an error in OpenLDAP software here.  authz regexp matching is
> designed to succeed only if the identity is univoquely resolved to exactly one
> DN.  I'm afraid but I cannot even imagine how slapd could decide to pick one out
> of many DNs when authenticating a user; I guess noone else can.
> p.

Matched DNs are unique, as they describe the same entry:

dn: uid=works,dc=example,dc=org
objectClass: extensibleObject
uid: works

dn: cn=worksalso,dc=example,dc=org
objectClass: extensibleObject
cn: worksalso

dn: uid=fails,dc=example,dc=org
objectClass: extensibleObject
uid: fails
cn: fails

"(|(cn=works)(uid=works))" and "(|(cn=worksalso)(uid=worksalso))" match
either attribute, whereas "(|(cn=works)(uid=works))" matches twice, but
describes the same object.

ldapsearching for "(|(cn=fails)(uid=fails))" will also return only the one
and unique entry "uid=fails,dc=example,dc=org".
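The distinction the report turns on (several attribute assertions hitting inside one entry versus several distinct entries matching) can be made concrete with a small filter evaluator. The following is an added example, not code from the thread or from OpenLDAP: it parses the three LDIF entries quoted above, evaluates the OR filters against them, and reports both the set of distinct DNs and the number of individual assertion hits, so a defender can check whether an authz-regexp mapping resolves to exactly one DN. The `AUTHZ_TEMPLATE` value is a constructed example of the LDAP-URL form that authz-regexp accepts; it is an assumption for illustration, not a configuration taken from the report.

```python
# Constructed from the three LDIF entries quoted in the report.
LDIF = """\
dn: uid=works,dc=example,dc=org
objectClass: extensibleObject
uid: works

dn: cn=worksalso,dc=example,dc=org
objectClass: extensibleObject
cn: worksalso

dn: uid=fails,dc=example,dc=org
objectClass: extensibleObject
uid: fails
cn: fails
"""

# Assumed authz-regexp replacement in LDAP-URL form (example value, not from the report).
AUTHZ_TEMPLATE = "ldap:///dc=example,dc=org??sub?(|(cn=$1)(uid=$1))"


def parse_ldif(text):
    """Parse a minimal LDIF text into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def split_components(s):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'], respecting nested parens."""
    comps, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                comps.append(s[start:i + 1])
    return comps


def matches(entry, filt):
    """Evaluate a small subset of RFC 4515 filters: (attr=value), (|...), (&...)."""
    if filt[1] in "|&":
        results = [matches(entry, sub) for sub in split_components(filt[2:-1])]
        return any(results) if filt[1] == "|" else all(results)
    attr, _, value = filt[1:-1].partition("=")
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def leaf_hits(entry, filt):
    """Count how many leaf assertions of the filter match within one entry."""
    if filt[1] in "|&":
        return sum(leaf_hits(entry, sub) for sub in split_components(filt[2:-1]))
    return 1 if matches(entry, filt) else 0


def resolve(entries, filt):
    """Return (set of distinct matching DNs, total leaf-assertion hits across entries)."""
    dns = {e["dn"][0] for e in entries if matches(e, filt)}
    hits = sum(leaf_hits(e, filt) for e in entries)
    return dns, hits


def is_unambiguous(entries, filt):
    """authz-regexp's requirement: the identity must resolve to exactly one DN."""
    dns, _ = resolve(entries, filt)
    return len(dns) == 1


def filter_from_url(template, ident):
    """Expand $1 the way authz-regexp would and return the URL's filter part."""
    url = template.replace("$1", ident)
    return url.rsplit("?", 1)[1]


ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    for ident in ("works", "worksalso", "fails", "nobody"):
        filt = filter_from_url(AUTHZ_TEMPLATE, ident)
        dns, hits = resolve(ENTRIES, filt)
        print(f"{ident:10s} {filt:32s} DNs={sorted(dns)} hits={hits} "
              f"unambiguous={is_unambiguous(ENTRIES, filt)}")
```

For `fails` the evaluator reports two assertion hits but a single DN, which is the report's point: counting hits overstates ambiguity, while counting distinct DNs does not.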