[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: sasl-regexp proper behavior?

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Quanah Gibson-Mount

> I recently had bad data in my directory (oops) that had would
> return 2
> results to the sasl-regexp query for what bind DN to map a user to.
> Other than this being a shot myself in the foot scenario, I'm
> curious about:
> What is the current behavior when this happens? Would the entity get
> assigned the first DN returned?

No. That would be insecure.

> What should the correct behavior be?  From the literature,
> sasl-regexp
> should be a 1-1 mapping.  So in a case like this when two results are
> returned, should the entity be mapped to a DN at all?  Or would it be
> better to return an error?

No mapping is done. The server requires that one-and-only-one entry matches
the regexp, otherwise the mapping step fails and the input DN is unchanged.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support