
Re: (ITS#6887) authz-regexp: backslash escaping/normalization



Daniel Pluta wrote:
> Howard Chu wrote:
>> daniel at pluta.biz wrote:
>>> Please also have a look into the might be related patch, submitted in
>>> ITS#6912 which addresses normalization of auth(c|z)Id of the form
>>> "u:xxx" in general. Thank you very much.
>>
>> I see no bug here. The backslash was properly escaped, using the normal
>> escaping rules for LDAP DNs.
>>
>
> Yeah, you are right, but ... ;-)
> ... I'm perhaps too. So please let me try to explain:
>
> The backslash is syntactically correctly escaped (under the assumption that
> the string is indeed a "LDAP DN").
>
> In my opinion authz-regexp (a slapd-config-statement string) completely
> or partly does not always represent a "LDAP DN". It's quite often more
> or less a combination of
>
>           LDAP URI + optional regex + its optional expansions
>
> which probably should not be treated in general (especially in regard to
> normalization) like a LDAP DN.
>
> This has led me to the submitted patch in ITS#6912 where I assume that
> in contrast to authDN-normalization, the normalization of authIDs
> (u:xxxx) in general is probably quite problematic, too...
>
> I'm aware that LDAP DNs need to be normalized in general, but I do not
> understand why authcIDs or authz-regexp-expansions should need to be
> normalized in general, too.
>
The authz-regexp expansion does not "need" to be normalized. But it is fed a 
DN, and that DN is normalized before any further processing, so if you want to 
match it, you must use the proper normalized string in your regexp: use "\\5C" 
instead of "\\".

Next time send your usage questions to the -technical mailing list. This ITS 
is closed.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
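As an added illustration of the point made in the reply above (example code written for this page, not from the ITS thread or from OpenLDAP's own source): a small Python model of how a SASL-derived authorization DN containing a backslash reaches authz-regexp already normalized, with the backslash rendered as `\5C` as the reply states, and what happens when the regexp is written against the raw form instead. The DN layout `uid=<authcid>,cn=<mech>,cn=auth` is the one slapd uses for SASL identities; the sample identity `EXAMPLE\jdoe`, the search-URI template and the `lint_pattern` helper are constructed assumptions for this example. The slapd.conf quoting layer (which strips one level of backslashes before the regexp is compiled) is not modelled; the patterns are shown as the regex engine would see them.

```python
import re

# Constructed sample: a SASL authcid carrying a backslash (DOMAIN\user style).
AUTHCID = "EXAMPLE\\jdoe"

def normalize_dn_backslash(value: str) -> str:
    """Render an RDN value's backslash the way the reply describes slapd's
    normalized DN: RFC 4514 allows either '\\\\' or '\\5C', and the normalized
    form uses the hex pair '\\5C'. Assumption: only the backslash is handled;
    other special characters are out of scope for this example."""
    return value.replace("\\", "\\5C")

def build_authz_dn(authcid: str, mech: str = "digest-md5") -> str:
    """Model of the DN slapd derives for a SASL identity
    (uid=<authcid>,cn=<mech>,cn=auth), with the value already normalized."""
    return f"uid={normalize_dn_backslash(authcid)},cn={mech},cn=auth"

# Two candidate authz-regexp patterns, as regex text. Both intend to strip the
# 'EXAMPLE\' prefix and capture the bare user name in $1.
# Written against the raw backslash, i.e. what the config author typed:
RAW_PATTERN = r"^uid=EXAMPLE\\([^,]+),cn=digest-md5,cn=auth$"
# Written against the normalized \5C, as the reply recommends:
NORMALIZED_PATTERN = r"^uid=EXAMPLE\\5C([^,]+),cn=digest-md5,cn=auth$"

# Constructed search-URI template in the style of an authz-regexp replacement.
URI_TEMPLATE = "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

def expand_authz(pattern: str, template: str, authz_dn: str):
    """Model of authz-regexp: if the pattern matches the normalized DN,
    substitute $1..$9 in the replacement template; otherwise return None."""
    m = re.match(pattern, authz_dn)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)

def lint_pattern(pattern: str) -> bool:
    """Heuristic (constructed) config check: flag a regexp that contains an
    escaped literal backslash not followed by '5C', since the DN it will be
    matched against never contains a raw backslash after normalization."""
    return re.search(r"\\\\(?!5C)", pattern) is not None

if __name__ == "__main__":
    dn = build_authz_dn(AUTHCID)
    print("normalized DN:", dn)
    for name, pat in (("raw", RAW_PATTERN), ("normalized", NORMALIZED_PATTERN)):
        print(f"{name:>10}: expands to {expand_authz(pat, URI_TEMPLATE, dn)!r}"
              f" (lint flags it: {lint_pattern(pat)})")
```

Note that the pattern written for the raw backslash does not fail outright: `\\` consumes the backslash of `\5C`, and `[^,]+` then captures `5Cjdoe`, so the search filter silently becomes `(uid=5Cjdoe)` and the mapping finds nobody. That silent-mismatch behaviour is why a check like `lint_pattern` on each authz-regexp line is worth running before deployment.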