Michael Ströder wrote:
> Hi!
> checking a DN sent by proxy authorization control against authzTo seems to be case-sensitive. Or better said: DNs in the attribute value of authzTo must be lower-cased to make matching work.
> Is that on purpose?
Well, OpenLDAP introduced a specific syntax for authzTo/authzFrom which parses the values and validates/compares them according to the contents. The DN portion is usually compared by means of the dnMatch function, which takes care of case as appropriate for each AVA pair.
Partial correction: authz syntax is enabled by default in 2.4, while in 2.3 it's still protected by an #ifdef LDAP_DEVEL. As a consequence, yes, any DN must be in the form it would appear after normalization.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
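An added example, not part of the original messages or of OpenLDAP: a small lint for authzTo/authzFrom values on a server where, as the reply says, the DN must already be in the form it would have after normalization. It assumes every naming attribute is case-insensitive, so lower-casing only approximates slapd's schema-aware normalization; the function names and sample values are constructed.

```python
import re

# Assumption: every naming attribute is case-insensitive (cn, uid, ou, dc...),
# so lower-casing approximates slapd's schema-aware DN normalization.
_DN_FORM = re.compile(r'^dn(?:\.(exact|onelevel|children|subtree|regex))?:(.*)$', re.I)
_OTHER = re.compile(r'^(u[.:]|group[/:]|ldap://)', re.I)  # forms that are not plain DNs

def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    parts, cur, i = [], '', 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ',':
            parts.append(cur)
            cur = ''
        else:
            cur += dn[i]
        i += 1
    return parts + [cur]

def approx_normalize(dn):
    """Lower-case each RDN; drop whitespace after ',' and on either side of '='."""
    out = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition('=')
        out.append(attr.strip().lower() + sep + value.lstrip().lower())
    return ','.join(out)

def suggest(value):
    """Return value with its DN part rewritten, or None if it is not a DN form."""
    value = value.strip()
    if _OTHER.match(value):
        return None
    m = _DN_FORM.match(value)
    if m is None:
        return approx_normalize(value)      # bare DN
    if (m.group(1) or '').lower() == 'regex':
        return None                         # a pattern, not a DN
    return value[:m.start(2)] + approx_normalize(m.group(2))

def lint(values):
    """List (original, suggested) pairs for values that would need rewriting."""
    pairs = [(v, suggest(v)) for v in values]
    return [(v, s) for v, s in pairs if s is not None and s != v.strip()]
```

Values flagged by `lint` are candidates for rewriting in the entry that holds authzTo; case-sensitive attributes, if any are used in DNs, need manual review.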