Full_Name: Daniel Pluta
Version: 2.4.23
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:4ca0:0:fe15::1)

1.) The following authz-regexp statement looks and works fine with slapd:
authz-regexp uid=([^,]+)@([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth "ldap:///ou=users,ou=$1,dc=foo,dc=bar??one?(mail=$2)"
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=domain@user,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=domain@user,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=domain@user,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=domain@user,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=domain@user,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+)@([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth' string='uid=domain@user,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=user)'}
slap_parseURI: parsing ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=user)
ldap_url_parse_ext(ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=user))
put_filter: "(mail=user)"
put_filter: simple
put_simple_filter: "mail=user"
ber_scanf fmt ({mm}) ber:
dnNormalize: <ou=users,ou=domain,dc=foo,dc=bar>
<<< dnNormalize: <ou=users,ou=domain,dc=foo,dc=bar>
slap_sasl2dn: performing internal search (base=ou=users,ou=domain,dc=foo,dc=bar, scope=1)
=> hdb_search
bdb_dn2entry("ou=users,ou=domain,dc=foo,dc=bar")
=> hdb_dn2id("ou=domain,dc=foo,dc=bar")
==========================================================================
2.) The following authz-regexp, where the @-separator is replaced by a \-separator, seems to cause problems:
authz-regexp uid=([^,]+)\([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth "ldap:///ou=users,ou=$1,dc=foo,dc=bar??one?(mail=$2)"
Looks strange:
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=domain\5Cuser,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=domain\5Cuser,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=domain\5Cuser,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=domain\5Cuser,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=domain\5Cuser,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+)([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth' string='uid=domain\5Cuser,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=domain\5Cuser,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=domain\5Cuser,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=domain\5Cuser,cn=digest-md5,cn=auth)
dnNormalize: <uid=domain\5Cuser,cn=digest-md5,cn=auth>
<<< dnNormalize: <uid=domain\5Cuser,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=domain\5Cuser,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=domain\5Cuser,cn=digest-md5,cn=auth
==========================================================================
3.) Just one more try, using "[\]" instead of "\":
authz-regexp uid=([^,]+)[\]([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth "ldap:///ou=users,ou=$1,dc=foo,dc=bar??one?(mail=$2)"
Looks strange too:
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=domain\5Cuser,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=domain\5Cuser,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=domain\5Cuser,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=domain\5Cuser,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=domain\5Cuser,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+)[]([^,]+),cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth' string='uid=domain\5Cuser,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=5Cuser)'}
slap_parseURI: parsing ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=5Cuser)
ldap_url_parse_ext(ldap:///ou=users,ou=domain,dc=foo,dc=bar??one?(mail=5Cuser))
put_filter: "(mail=5Cuser)"
put_filter: simple
put_simple_filter: "mail=5Cuser"
ber_scanf fmt ({mm}) ber:
dnNormalize: <ou=users,ou=domain,dc=foo,dc=bar>
<<< dnNormalize: <ou=users,ou=domain,dc=foo,dc=bar>
slap_sasl2dn: performing internal search (base=ou=users,ou=domain,dc=foo,dc=bar, scope=1)
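
Added illustration (not part of the original report, and not slapd code): Python's `re` stands in for slapd's regex matching to replay the strings from the logs above. The rule is applied to the normalized name, in which the backslash appears as `\5C`, so a separator pattern that matches one backslash leaves `5C` in `$2`. The `SEP_ESCAPED_FORM` pattern and the helper name `apply_rule` are assumptions of this example, not taken from the report.

```python
import re

# Mechanism alternation and URI template exactly as in the report's rules.
MECHS = r"cn=(PLAIN|LOGIN|DIGEST-MD5|CRAM-MD5),cn=auth"
URI_TEMPLATE = "ldap:///ou=users,ou=$1,dc=foo,dc=bar??one?(mail=$2)"

# Normalized SASL names copied from the debug output in the report.
NAME_AT = "uid=domain@user,cn=digest-md5,cn=auth"
NAME_BACKSLASH = r"uid=domain\5Cuser,cn=digest-md5,cn=auth"

# Separator sub-patterns as the regex engine sees them (Python syntax;
# inside a Python character class the backslash itself must be doubled).
SEP_AT = "@"
SEP_ONE_BACKSLASH = r"[\\]"   # matches one literal backslash, as case 3 intends
SEP_ESCAPED_FORM = r"\\5C"    # assumption: match the escaped form "\5C" instead


def apply_rule(separator, sasl_name):
    """Return the rewritten URI, or the name unchanged if the rule does not match."""
    pattern = "uid=([^,]+)" + separator + "([^,]+)," + MECHS
    # IGNORECASE mirrors the log: the rule spells DIGEST-MD5 in upper case
    # and still matches the lower-cased normalized name in case 1.
    m = re.search(pattern, sasl_name, re.IGNORECASE)
    if m is None:
        return sasl_name
    return URI_TEMPLATE.replace("$1", m.group(1)).replace("$2", m.group(2))


if __name__ == "__main__":
    cases = [
        ("case 1, '@' separator", SEP_AT, NAME_AT),
        ("case 3, one backslash", SEP_ONE_BACKSLASH, NAME_BACKSLASH),
        ("escaped form \\5C (assumed)", SEP_ESCAPED_FORM, NAME_BACKSLASH),
        ("'@' rule on backslash name", SEP_AT, NAME_BACKSLASH),
    ]
    for label, sep, name in cases:
        print(f"{label}: {apply_rule(sep, name)}")
```
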