On Tue, Apr 29, 2025 at 09:18:09AM +0000, Windl, Ulrich wrote:
Hi!
Trying to match the (some experimental) certificate subject to assign it to LDAP users, I have some problems: escaping of the subject seems to make regexp matching even harder. For example, CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl (as displayed by OpenSSL) is converted to dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de
As I understand it, "uid=windl+email=u.windl@ukr.de" and "email=u.windl@ukr.de+uid=windl" would be equivalent.
Matching with olcAuthzRegexp is done on a normalised DN, so only one of these will ever be passed in (during normalisation the case is usually folded, nonprintable characters escaped, multivalued RDNs sorted, ...). In your example above I would think it's the latter that you will be matching against.
If you find that's not the case it would indicate a bug.
BTW, CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl is not using a multivalued RDN anywhere; there is only a cn attribute with a value of "uid=windl+email=u.windl@ukr.de" in your example...
Regards,
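The following is an added example, not code from the thread or from OpenLDAP: a small Python model of the normalisation step described in the reply (canonical attribute type names, case-folded values, a fixed order for the AVAs of a multivalued RDN, special characters re-escaped as \XX hex pairs, which is the form the question shows) followed by a model of one olcAuthzRegexp rule applied to the resulting "dn:" identity. It assumes every attribute type involved uses caseIgnore matching, that slapd orders the AVAs of a multivalued RDN by (type, value) (the real sort key may differ), and a hand-written canonical-name table; Python's regex dialect is also not POSIX ERE, so the patterns stay within the shared subset. The DNs and the rule are constructed from the thread's example.

```python
import re

# Canonical attribute type names as printed in the normalized DN (givenName,
# not GN). Assumption: slapd takes these from its schema; this table only
# covers the types in the thread's example, others are just lower-cased.
CANONICAL_TYPES = {
    "cn": "cn", "commonname": "cn",
    "sn": "sn", "surname": "sn",
    "gn": "givenName", "givenname": "givenName",
}

# RFC 4514 characters that must be escaped when they occur inside a value.
SPECIAL = set(',+"\\<>;=')
HEX = "0123456789abcdefABCDEF"


def _split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators inside the value."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(raw):
    """Decode RFC 4514 escapes: \\XX is a UTF-8 byte, \\c is the literal char c."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                buf.append(int(pair, 16))
                i += 3
                continue
            buf.extend(raw[i + 1].encode("utf-8"))
            i += 2
            continue
        buf.extend(raw[i].encode("utf-8"))
        i += 1
    return buf.decode("utf-8", errors="replace")


def _escape(value):
    """Re-escape a value as \\XX hex pairs, the form the normalized DN shows."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        needs = (ch in SPECIAL or ord(ch) < 0x20
                 or (i == 0 and ch in " #") or (i == last and ch == " "))
        out.append("\\%02X" % ord(ch) if needs else ch)
    return "".join(out)


def parse_dn(dn):
    """Parse an RFC 4514 DN string into a list of RDNs, each a list of (type, value)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            typ, _, val = ava.partition("=")
            avas.append((typ.strip(), _unescape(val.lstrip())))
        rdns.append(avas)
    return rdns


def normalize_dn(dn):
    """Model of slapd normalization for caseIgnore types (assumption: all are):
    canonical type names, case-folded and whitespace-collapsed values, and the
    AVAs of a multivalued RDN put into one fixed order."""
    rdns = []
    for avas in parse_dn(dn):
        norm = []
        for typ, val in avas:
            ctype = CANONICAL_TYPES.get(typ.lower(), typ.lower())
            norm.append((ctype, " ".join(val.split()).lower()))
        norm.sort()  # assumption: ordered by (type, value); slapd's key may differ
        rdns.append("+".join(f"{t}={_escape(v)}" for t, v in norm))
    return ",".join(rdns)


def authc_id(dn):
    """The identity string an olcAuthzRegexp rule sees for a DN-based identity."""
    return "dn:" + normalize_dn(dn)


def authz_regexp(pattern, replacement, identity):
    """Model of one olcAuthzRegexp rule: regex search on the identity, then $N
    group substitution into the replacement; None when the rule does not match."""
    m = re.search(pattern, identity)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


if __name__ == "__main__":
    # Constructed: the thread's subject in LDAP string form, with the '=' and
    # '+' inside the cn value escaped as RFC 4514 requires.
    ident = authc_id(r"SN=Windl,GN=Ulrich,CN=uid\=windl\+email\=u.windl@ukr.de")
    print(ident)
    rule = (r"^dn:sn=[^,]+,givenName=[^,]+,cn=uid\\3D([^\\]+)\\2B.*$",
            "uid=$1,ou=people,dc=example,dc=com")
    print(authz_regexp(*rule, ident))
    # A genuine multivalued RDN normalizes to the same string in either order.
    print(normalize_dn("uid=Windl+mail=U.Windl@ukr.de,ou=People,dc=example,dc=com"))
    print(normalize_dn("mail=u.windl@ukr.de+uid=windl,ou=people,dc=example,dc=com"))
```

Two things the model makes visible: a pattern written against the OpenSSL display form (cn=uid=windl...) never matches, because the identity the rule sees contains the literal characters \3D and \2B, so the regex has to match a literal backslash (written \\ in the regex, and possibly escaped once more by whatever quoting the config format applies); and a value containing + is not a multivalued RDN, so the only thing that gets reordered is an RDN that really has several AVAs.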