Daniel Pluta wrote:
> Howard Chu wrote:
>> daniel at pluta.biz wrote:
>>> Please also have a look into the might be related patch, submitted in
>>> ITS#6912 which addresses normalization of auth(c|z)Id of the form
>>> "u:xxx" in general. Thank you very much.
>> I see no bug here. The backslash was properly escaped, using the normal
>> escaping rules for LDAP DNs.
> Yeah, you are right, but ... ;-)
> ... I'm perhaps too. So please let me try to explain:
> The backslash is syntactically correctly escaped (under the assumption that
> the string is indeed a "LDAP DN").
> In my opinion authz-regexp (a slapd-config-statement string) completely
> or partly does not always represent a "LDAP DN". It's quite often more
> or less a combination of
> LDAP URI + optional regex + its optional expansions
> which probably should not be treated in general (especially in regard to
> normalization) like a LDAP DN.
> This has led me to the submitted patch in ITS#6912 where I assume that
> in contrast to authDN-normalization, the normalization of authIDs
> (u:xxxx) in general is probably quite problematic, too...
> I'm aware that LDAP DNs need to be normalized in general, but I do not
> understand why authcIDs or authz-regexp-expansions should need to be
> normalized in general, too.
The authz-regexp expansion does not "need" to be normalized. But it is a
DN, and that DN is normalized before any further processing, so if you want to
match it, you must use the proper normalized string in your regexp: use "\\5C"
instead of "\\".
Next time send your usage questions to the -technical mailing list. This ITS
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
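
An illustration of the point made in the reply above, added here and not part of the original thread or of OpenLDAP's code. Python's `re` stands in for slapd's regex engine, the slapd.conf quoting layer is not modeled, and the DN, patterns and replacement template are constructed samples.

```python
import re

# Constructed sample: a DN whose uid value contains one backslash,
# written with the "\\" escape form (two backslash characters).
RAW_DN = r"uid=corp\\jdoe,cn=auth"

# Pattern written against the un-normalized form (two literal backslashes).
NAIVE_PATTERN = r"^uid=corp\\\\([^,]+),cn=auth$"
# Pattern written against the normalized form (backslash followed by 5C).
NORMALIZED_PATTERN = r"^uid=corp\\5C([^,]+),cn=auth$"

# Constructed replacement template using the $1 expansion.
TEMPLATE = "uid=$1,ou=people,dc=example,dc=com"


def normalize_backslash(dn: str) -> str:
    """Model only the step discussed in the thread: an escaped backslash
    in the DN string is rewritten to its hex form \\5C before matching."""
    return dn.replace("\\\\", "\\5C")


def map_identity(pattern: str, dn: str, template: str = TEMPLATE):
    """Match the normalized DN and expand $1, or return None when the
    pattern does not match (no identity mapping takes place)."""
    match = re.match(pattern, normalize_backslash(dn))
    if match is None:
        return None
    return template.replace("$1", match.group(1))


if __name__ == "__main__":
    print("normalized DN :", normalize_backslash(RAW_DN))
    print("naive pattern :", map_identity(NAIVE_PATTERN, RAW_DN))
    print("\\5C pattern   :", map_identity(NORMALIZED_PATTERN, RAW_DN))
```

The pattern written against the `\\` form silently fails to map the identity, which is the symptom to look for when an authz-regexp rule stops matching names that contain a backslash.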