The idea was to provide an alternate DN, but maybe it does not work the way I thought. I saw this example in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c96b5...: F=John Smith+F=David Jones, OU=Users,DC=Fabrikam,DC=com
Kind regards, Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Tuesday, April 29, 2025 11:49 AM
To: Windl, Ulrich u.windl@ukr.de
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: Match certificate subject with escaped characters using olcAuthzRegexp
On Tue, Apr 29, 2025 at 09:18:09AM +0000, Windl, Ulrich wrote:
Hi!
Trying to match the (some experimental) certificate subject to assign it to LDAP users, I have some problems:
Escaping of the subject seems to make regexp matching even harder. For example "CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl" (as displayed by OpenSSL) is converted to
"dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de "
As I understand it, "uid=windl+email=u.windl@ukr.de" and "email=u.windl@ukr.de+uid=windl" would be equivalent.
Matching with olcAuthzRegexp is done on a normalised DN, so only one of these will ever be passed in (during normalisation the case is usually folded, nonprintable characters escaped, multivalued rDNs sorted, ...). In your example above I would think it's the latter that you will be matching against.
If you find that's not the case it would indicate a bug.
BTW, CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl is not using a multivalued rDN anywhere; there is only a cn attribute with a value of "uid=windl+email=u.windl@ukr.de" in your example...
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation
http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
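The following is an added illustration of the two points made in the reply above (olcAuthzRegexp matches against the normalised "dn:..." identity, and the cn in the quoted subject is a single value containing "=" and "+", not a multi-valued RDN). It is not code from this thread or from OpenLDAP; it is a small Python model of DN normalisation with these assumptions: every value is treated as caseIgnore and lower-cased, special characters are escaped as upper-case \XX hex (the form shown in the quoted "dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de"), the AVAs of a multi-valued RDN are sorted by type then value, attribute type spellings come from a small table standing in for the schema, and Python's re module stands in for slapd's POSIX regex. The sample DNs, the regex and the target tree "ou=people,dc=example,dc=com" are constructed for the example.

```python
"""Toy model of DN normalisation before olcAuthzRegexp matching.

Added example, not OpenLDAP's own code. Real slapd normalises each value
according to its attribute's equality matching rule; this model assumes
caseIgnore everywhere and ASCII-only values.
"""
import re
from typing import List, Optional, Tuple

# Assumed canonical attribute type spellings (slapd takes these from its
# schema; this table is an illustration only).
CANONICAL_TYPES = {
    "cn": "cn", "sn": "sn", "givenname": "givenName", "gn": "givenName",
    "uid": "uid", "ou": "ou", "dc": "dc", "o": "o", "c": "c",
}

# Characters that must be escaped inside a DN attribute value (RFC 4514).
SPECIAL = set(',+"\\<>;=')


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, leaving backslash-escaped separators alone."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(v: str) -> str:
    """Decode RFC 4514 escapes: \\XX hex pairs and \\c single characters."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(v[i + 1])
                i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


def _escape(v: str) -> str:
    """Re-escape as \\XX with upper-case hex, e.g. '=' -> \\3D, '+' -> \\2B."""
    out = []
    for idx, ch in enumerate(v):
        needs = (ch in SPECIAL or ord(ch) < 0x20
                 or (ch == "#" and idx == 0)
                 or (ch == " " and idx in (0, len(v) - 1)))
        out.append("\\%02X" % ord(ch) if needs else ch)
    return "".join(out)


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """String DN -> list of RDNs, each a list of (type, decoded value)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            typ, _, val = ava.partition("=")   # first '=' separates type from value
            avas.append((typ.strip(), _unescape(val.strip())))
        rdns.append(avas)
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonicalise types, fold value case, sort multi-valued RDNs, re-escape."""
    out = []
    for rdn in parse_dn(dn):
        norm = [(CANONICAL_TYPES.get(t.lower(), t.lower()), v.lower()) for t, v in rdn]
        norm.sort()   # assumption: AVAs ordered by type, then value
        out.append("+".join(f"{t}={_escape(v)}" for t, v in norm))
    return ",".join(out)


def authz_regexp(pattern: str, replacement: str, authcid_dn: str) -> Optional[str]:
    """Model one olcAuthzRegexp line: match against the normalised
    'dn:<DN>' identity and expand $1..$9 in the replacement."""
    m = re.match(pattern, "dn:" + normalize_dn(authcid_dn))
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


# Constructed sample: the subject from the thread as a string DN, before
# normalisation (LDAP string order is the reverse of the certificate order).
CERT_SUBJECT_DN = r"SN=Windl,GN=Ulrich,CN=uid\=windl\+email\=u.windl@ukr.de"

# Constructed sample: a genuine multi-valued RDN written in both orders.
MULTI_A = "cn=John Smith+uid=jsmith,ou=Users,dc=example,dc=com"
MULTI_B = "uid=jsmith+cn=John Smith,ou=Users,dc=example,dc=com"

# The regex is written against the normalised form, so the '=' and '+'
# inside the cn value must be spelled as \3D and \2B.
AUTHZ_PATTERN = r"^dn:sn=[^,]+,givenName=[^,]+,cn=uid\\3D([^,\\]+)\\2Bemail\\3D.+$"
AUTHZ_REPLACE = "uid=$1,ou=people,dc=example,dc=com"   # assumed target tree


def demo() -> dict:
    return {
        "cert_subject": normalize_dn(CERT_SUBJECT_DN),
        "multi_a": normalize_dn(MULTI_A),
        "multi_b": normalize_dn(MULTI_B),
        "mapped": authz_regexp(AUTHZ_PATTERN, AUTHZ_REPLACE, CERT_SUBJECT_DN),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the cert subject normalising to exactly the "sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de" string quoted in the thread, the two orderings of a real multi-valued RDN collapsing to one string (so only one spelling ever reaches the regex), and a regex that spells the \3D and \2B escapes pulling "windl" out of the cn value.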