
Re: authz-regexp matches twice on same dse (ITS#4698)

> Pierangelo Masarati wrote:
>> I don't see an error in OpenLDAP software here.  authz regexp matching is
>> designed to succeed only if the identity is univocally resolved to exactly one
>> DN.  I'm afraid I cannot even imagine how slapd could decide to pick one out
>> of many DNs when authenticating a user; I guess no one else can.
>> p.
> Matched dn's are unique, as they are describing the same Entry:
>
> dn: uid=works,dc=example,dc=org
> objectClass: extensibleObject
> uid: works
>
> dn: cn=worksalso,dc=example,dc=org
> objectClass: extensibleObject
> cn: worksalso
>
> dn: uid=fails,dc=example,dc=org
> objectClass: extensibleObject
> uid: fails
> cn: fails
>
> "(|(cn=works)(uid=works))" and "(|(cn=worksalso)(uid=worksalso))" matching
> either attribute, whereas "(|(cn=works)(uid=works))" matches twice, but
> describes the same object.
> ldapsearching for "(|(cn=fails)(uid=fails))" will also return only the one
> and unique entry "uid=fails,dc=example,dc=org"

What authz-regexp does is run an internal search.  If the search returns
exactly one entry, then there's no way it can be, say, returned twice,
otherwise it would also when running a regular search.  Moreover, I've
recreated your scenario in 2.3.27 and HEAD, and everything seems to work as
expected in all cases.  I suspect something else is wrong, for example
data in your DB is not like it appears.  Usually, guessing and expecting
is a bad practice when debugging software.  Please perform offending
operations with full logs on; check that your data is not duplicated (for
example, you might not see duplicates because they're hidden by ACLs) and
so on.  Unless you can show a clear malfunction of the software (which I
don't see here) I'm inclined towards closing this ITS.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
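
The point made in the reply above, that the internal search returns entries rather than per-attribute matches, as an added example that is not part of the original message and is not slapd code. It is a simplified Python model over the entries quoted in the report; the helper names and the `HIDDEN_DUP` entry are constructed for illustration.

```python
# Simplified model of the "exactly one DN" rule applied to the result of
# the internal search. Illustration only, not slapd's implementation.
import re

# Entries as quoted in the report.
LDIF = """\
dn: uid=works,dc=example,dc=org
objectClass: extensibleObject
uid: works

dn: cn=worksalso,dc=example,dc=org
objectClass: extensibleObject
cn: worksalso

dn: uid=fails,dc=example,dc=org
objectClass: extensibleObject
uid: fails
cn: fails
"""

def parse_ldif(text):
    """Return [(dn, {attr: set(values)})] with lower-cased names and values."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), set()).add(value.lower())
        entries.append((dn, attrs))
    return entries

def search(entries, or_filter):
    """Evaluate an OR of equality assertions such as (|(cn=x)(uid=x)).
    An entry is returned once, however many branches it satisfies."""
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", or_filter)
    return [dn for dn, attrs in entries
            if any(v.lower() in attrs.get(a.lower(), ()) for a, v in terms)]

def resolve(entries, user):
    """Map an identity to a DN only if the search yields exactly one entry."""
    hits = search(entries, f"(|(cn={user})(uid={user}))")
    return hits[0] if len(hits) == 1 else None

# Constructed second entry, standing in for a duplicate hidden from the reporter.
HIDDEN_DUP = ("cn=fails,ou=hidden,dc=example,dc=org", {"cn": {"fails"}})
```

With only the three quoted entries, `resolve` returns a DN for `works`, `worksalso` and `fails` alike; it returns `None` for `fails` only once a second matching entry such as `HIDDEN_DUP` is present in the searched data.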