Hi!
Trying to match the (some experimental) certificate subject to assign it to LDAP users, I have some problems: escaping of the subject seems to make regexp matching even harder. For example "CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl" (as displayed by OpenSSL) is converted to "dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de"
As I understand it "uid=windl+email=u.windl@ukr.de" and "email=u.windl@ukr.de+uid=windl" would be equivalent.
So when I want to match just the uid part I could use "uid\3D([^,]+)", but that would include "\2Bemail\3Du...". If I'd use "uid\3D([^,]+)" instead, any escaped character inside the uid would terminate the match.
How do the experts handle it? Use very simplistic CNs in certificates?
Kind regards, Ulrich Windl
On Tue, Apr 29, 2025 at 09:18:09AM +0000, Windl, Ulrich wrote:
> Hi!
> Trying to match the (some experimental) certificate subject to assign it to LDAP users, I have some problems: escaping of the subject seems to make regexp matching even harder. For example "CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl" (as displayed by OpenSSL) is converted to "dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de"
> As I understand it "uid=windl+email=u.windl@ukr.de" and "email=u.windl@ukr.de+uid=windl" would be equivalent.
Matching with olcAuthzRegexp is done on a normalised DN, so only one of these will ever be passed in (during normalisation the case is usually folded, nonprintable characters escaped, multivalued rDNs sorted, ...). In your example above I would think it's the latter that you will be matching against.
If you find that's not the case it would indicate a bug.
BTW "CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl" is not using a multivalued rDN anywhere; there is only a cn attribute with a value of "uid=windl+email=u.windl@ukr.de" in your example...
Regards,
openldap-technical@openldap.org
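The two points of the thread (the regex is applied to the normalised DN, and a '+' that is data inside a cn value is escaped to \2B whereas a real multi-valued RDN keeps an unescaped '+') can be worked through in a few lines. The following is an added example, not code from the thread or from OpenLDAP. It implements a deliberately simplified model of the normalisation the reply describes (case folding of values, hex-escaping of DN special characters as the thread shows for '=' and '+', sorting of the AVAs of a multi-valued RDN); the sort order used (by attribute type name) and the attribute type names (cn, givenName, sn, uid, email) are assumptions, not slapd's actual rules. It then shows why the poster's pattern over-captures and gives patterns that stop at the escaped '+' without being cut off by other escapes such as \3D.

```python
import re

# Added example (not from the thread or from OpenLDAP): a simplified model of
# DN normalisation plus the olcAuthzRegexp-style patterns run against it.

# DN special characters that are hex-escaped (\XX) inside an RDN value.  The
# thread shows '=' -> \3D and '+' -> \2B; the full set here is an assumption.
SPECIAL = ',+"\\<>;='


def escape_value(value: str) -> str:
    """Case-fold a value and hex-escape DN special characters (\\XX)."""
    return "".join("\\%02X" % ord(c) if c in SPECIAL else c.lower() for c in value)


def normalise_subject(rdns) -> str:
    """rdns: RDNs in the order OpenSSL prints them (most significant first);
    each RDN is a list of (attributeType, value) pairs.
    Returns the 'dn:' form in LDAP order (least significant RDN first)."""
    out = []
    for rdn in reversed(rdns):
        avas = sorted(rdn)  # assumed ordering of a multi-valued RDN's AVAs
        out.append("+".join("%s=%s" % (a, escape_value(v)) for a, v in avas))
    return "dn:" + ",".join(out)


# Constructed inputs: the poster's certificate, once with the whole
# "uid=...+email=..." string as a single cn value (what the thread shows), and
# once as a genuine multi-valued RDN with separate uid and email attributes.
CERT_SINGLE_CN = [[("cn", "uid=windl+email=u.windl@ukr.de")],
                  [("givenName", "Ulrich")],
                  [("sn", "Windl")]]
CERT_MULTI_RDN = [[("uid", "windl"), ("email", "u.windl@ukr.de")],
                  [("givenName", "Ulrich")],
                  [("sn", "Windl")]]

# The poster's pattern: '[^,]+' stops only at a comma, so the captured "uid"
# swallows the escaped '+' and the e-mail address after it.
POSTER_PATTERN = re.compile(r"^dn:.*cn=uid\\3D([^,]+)$")

# The patterns below avoid lookaround and non-greedy quantifiers so that they
# are also valid POSIX extended regular expressions.
# uid embedded in a cn value: the value runs until an unescaped ',' or the
# escaped '+' (\2B); any other escape (e.g. \3D) is consumed and kept.
UID_IN_CN = re.compile(r"^dn:.*cn=uid\\3D(([^,\\]|\\[^2]|\\2[^B])*)(\\2B|,|$)")
# uid as its own attribute in a (possibly multi-valued) RDN: the value ends at
# an unescaped ',' or '+'; hex escapes are consumed as three-character units.
UID_AS_ATTR = re.compile(r"^dn:(.*[,+])?uid=(([^,+\\]|\\[0-9A-F][0-9A-F])*)([,+]|$)")


def extract_uid(normalised_dn: str):
    """Return the uid a rewrite rule would map this DN to, or None.
    Both patterns are anchored at the start of the DN so a stray 'uid=' inside
    some other attribute value cannot be mistaken for the user identifier."""
    m = UID_IN_CN.match(normalised_dn)
    if m:
        return m.group(1)
    m = UID_AS_ATTR.match(normalised_dn)
    if m:
        return m.group(2)
    return None


if __name__ == "__main__":
    for cert in (CERT_SINGLE_CN, CERT_MULTI_RDN):
        dn = normalise_subject(cert)
        print(dn)
        m = POSTER_PATTERN.match(dn)
        print("  poster's pattern captures:", m.group(1) if m else None)
        print("  extract_uid:", extract_uid(dn))
```

Running it shows the single-cn certificate normalising to exactly the string in the poster's message, the poster's pattern capturing `windl\2Bemail\3Du.windl@ukr.de`, and `extract_uid` returning `windl` for both the escaped-in-cn form and the multi-valued-RDN form. Whatever pattern is finally put into olcAuthzRegexp, keeping it anchored and tested against the normalised form (not against what OpenSSL prints) is what prevents a certificate from being mapped to an unintended LDAP entry.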