HI!
checking a DN sent by proxy authorization control against authzTo seems to be case-sensitive. Or better said: DNs in the attribute value of authzTo must be lower-cased to make matching work.
Is that on purpose?
Ciao, Michael.
Michael Ströder wrote:
> HI!
> checking a DN sent by proxy authorization control against authzTo seems to be case-sensitive. Or better said: DNs in the attribute value of authzTo must be lower-cased to make matching work.
> Is that on purpose?
Well, OpenLDAP introduced a specific syntax for authzTo/authzFrom which parses the values and validates/compares them according to the contents. The DN portion is usually compared by means of the dnMatch function, which takes care of case as appropriate for each AVA pair.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
> Michael Ströder wrote:
> > HI!
> > checking a DN sent by proxy authorization control against authzTo seems to be case-sensitive. Or better said: DNs in the attribute value of authzTo must be lower-cased to make matching work.
> > Is that on purpose?
> Well, OpenLDAP introduced a specific syntax for authzTo/authzFrom which parses the values and validates/compares them according to the contents. The DN portion is usually compared by means of the dnMatch function, which takes care of case as appropriate for each AVA pair.
Partial correction: authz syntax is enabled by default in 2.4, while in 2.3 it's still protected by an #ifdef LDAP_DEVEL. As a consequence, yes, any DN must be in the form it would appear after normalization.
p.
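An added example (not from this thread and not OpenLDAP code) of why the stored value's form matters: a simplified DN normalization plus a matcher for the dn.exact/dn.onelevel/dn.children/dn.subtree forms of an authzTo value. With normalize_value=False it mimics comparing the server-normalized proxied DN against the authzTo value exactly as stored, the situation Pierangelo describes for builds without the authz syntax; the normalization rules (type lower-cased, value case-folded) are an assumption and ignore per-attribute matching rules and the group: form.

```python
import re

# Split a DN on commas not escaped with a backslash (RFC 4514 style).
_UNESCAPED_COMMA = re.compile(r'(?<!\\),')

def normalize_dn(dn: str) -> list[str]:
    """Return the DN as a list of RDNs in a simplified normalized form.
    Assumption for this example: attribute type lower-cased, whitespace in
    the value collapsed and the value case-folded.  slapd's dnMatch instead
    applies each attribute's own matching rule, which this sketch ignores."""
    rdns = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        attr, _, value = rdn.partition('=')
        attr = attr.strip().lower()
        value = re.sub(r'\s+', ' ', value.strip()).lower()
        rdns.append(f'{attr}={value}')
    return rdns

def authz_to_matches(authz_value: str, proxied_dn: str,
                     normalize_value: bool = True) -> bool:
    """Evaluate one authzTo value ('dn.exact:', 'dn.onelevel:', 'dn.children:'
    or 'dn.subtree:' followed by a DN) against the DN asserted in a proxy
    authorization control.  The asserted DN is always normalized by the
    server; normalize_value=False leaves the stored authzTo value as written,
    mimicking a build without the authz syntax, so the stored DN then has to
    be pre-normalized (lower-cased) by the administrator to match."""
    kind, sep, pattern = authz_value.partition(':')
    if not sep or kind not in ('dn.exact', 'dn.onelevel', 'dn.children', 'dn.subtree'):
        raise ValueError(f'unsupported authzTo form: {authz_value!r}')
    base = normalize_dn(pattern) if normalize_value else pattern.split(',')
    target = normalize_dn(proxied_dn)
    extra = len(target) - len(base)            # RDNs the target has below base
    under_base = extra >= 0 and target[extra:] == base
    wanted = {'dn.exact': extra == 0, 'dn.onelevel': extra == 1,
              'dn.children': extra >= 1, 'dn.subtree': extra >= 0}[kind]
    return under_base and wanted

# Constructed sample values: the administrator wrote the authzTo value with
# natural capitalization, and the client asserts the same DN via proxy authz.
AUTHZ_VALUE = 'dn.children:ou=Proxy Users,dc=example,dc=com'
PROXIED_DN = 'uid=mich,ou=Proxy Users,dc=example,dc=com'

if __name__ == '__main__':
    print('value as written :', authz_to_matches(AUTHZ_VALUE, PROXIED_DN, normalize_value=False))
    print('value normalized :', authz_to_matches(AUTHZ_VALUE, PROXIED_DN, normalize_value=True))
```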
Pierangelo Masarati wrote:
> Partial correction: authz syntax is enabled by default in 2.4, while in 2.3 it's still protected by an #ifdef LDAP_DEVEL. As a consequence, yes, any DN must be in the form it would appear after normalization.
Hmm, in the meantime I managed to get it working with 2.3.36 without "normalizing" what's added behind dn.onelevel or dn.children. Strange.
Also it behaves differently on different systems. "group:" works on openSUSE 10.2 but not on SuSE Linux 9.3. Is it highly dependent on version of libregex or similar? Still investigating it...
Ciao, Michael.