Re: (ITS#6912) authz-regexp DN normalization of authcIDs - openldap-bugs

24 Apr 2011


      this micro-patch "works for me": 
ftp://ftp.openldap.org/incoming/Daniel-Pluta-110424.patch
Disclaimer: I don't know the details regarding the need for 
normalization but ...
... to my current knowledge and opposed to authDNs, there's no need to 
normalize authcIDs at all?
slapd's behaviour before the patch:
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1001] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=userHAHAHA,cn=DIGEST-MD5,cn=auth
...
...
...
dnNormalize: <uid=userHAHAHA,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=userhahaha,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name 
uid=userhahaha,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] 
string='uid=userhahaha,cn=digest-md5,cn=auth'
==> rewrite_rule_apply 
rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth' 
string='uid=userhahaha,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] 
res={0,'ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha)'}
slap_parseURI: parsing 
ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha)
ldap_url_parse_ext(ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userhahaha))
put_filter: "(userLogin=userhahaha)"
slapd's behaviour after the patch has been applied:
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=userHAHAHA,cn=DIGEST-MD5,cn=auth
==>slap_sasl2dn: converting SASL name 
uid=userHAHAHA,cn=DIGEST-MD5,cn=auth to a DN
==> rewrite_context_apply [depth=1] 
string='uid=userHAHAHA,cn=DIGEST-MD5,cn=auth'
==> rewrite_rule_apply 
rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth' 
string='uid=userHAHAHA,cn=DIGEST-MD5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] 
res={0,'ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA)'}
slap_parseURI: parsing 
ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA)
ldap_url_parse_ext(ldap:///ou=users,dc=foo,dc=bar??one?(userLogin=userHAHAHA))
put_filter: "(userLogin=userHAHAHA)"
put_filter: simple
put_simple_filter: "userLogin=userHAHAHA"
note, the userLogin attribute is defined using octetString-Syntax and 
thus is compared case sensitive