
RE: Section for admin guide on DIGEST-MD5



> -----Original Message-----
> From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]

> While testing the effect of realms, I came across a problem in regex
> processing, which is now documented in ITS#1951: this would prevent
> the use of a regex of the form:
>
> 	cn=[^,]*,cn=digest-md5,cn=auth
>
> where the intention is to assign everything up to the first comma to a
> UID search.

The above pattern is broken anyway since the SASL DN always begins with
"uid=".

> The example from the existing admin guide uses a regex:
>
> 	uid=(.*),.*cn=auth
>
> which risks assigning more than just the uid to the search. Debugging
> such an error is hard, as the necessary information does not appear in
> the logs unless trace logging is on.

This example could be changed to
	uid=(.*),cn=.*,cn=auth

but I'm not sure I like such a lenient example being there in the first
place. The text warns about using such a loose rule, and I would hope no one
actually uses them.

The text you offer rolls sasl-regexp description into the DIGEST-MD5 section,
but sasl-regexp is not specific to that mechanism. This layout is misleading.

"saslRegexp" is a valid keyword but I prefer that "sasl-regexp" be used in
the guide to keep it consistent with the other sasl config keywords.

Any example that employs non-default realms really should provide some
motivation for using a non-default realm. It makes little sense to configure
SASL with more than one realm if all of the users in both realms come out of
an identical LDAP namespace. Certainly that is not how things would behave if
you were still using sasldb. I would prefer an example where the non-default
realm is mapped to a separate DN subtree, distinct from the default case.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support