[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6887) authz-regexp: backslash escaping/normalization

Howard Chu wrote:
> daniel at pluta.biz wrote:
>> Please also have a look into the might be related patch, submitted in
>> ITS#6912 which addresses normalization of auth(c|z)Id of the form
>> "u:xxx" in general. Thank you very much.
> I see no bug here. The backslash was properly escaped, using the normal
> escaping rules for LDAP DNs.

Yeah, you are right, but ... ;-)
... I'm perhaps too. So please let me try to explain:

The backslash is syntactically correct escaped (under the assumtion that 
the string is indeed a "LDAP DN").

In my opinion authz-regexp (a slapd-config-statement string) completely 
or partly does not always represent a "LDAP DN". It's quite often more 
or less a combination of

         LDAP URI + optional regex + its optional expansions

which probably should not be treated in general (especially in regard to 
normalization) like a LDAP DN.

This has led me to the submitted patch in ITS#6912 where I assume that 
in contrast to authDN-normalization, the normalization of authIDs 
(u:xxxx) in general is probably quite problematic, too...

I'm aware that LDAP DNs need to be normalized in general, but I do not 
understand why authcIDs or authz-regexp-expansions should need to be 
normalized in general, too.