Hi!
Trying to match the (some experimental) certificate subject to assign it LDAP users, I have some problems: Escaping of the subject seems to make regexp matching even harder. For example "CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl" (as displayed by OpenSSL) is converted to "dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de"
As I understand it "uid=windl+email=u.windl@ukr.de" and "email=u.windl@ukr.de+uid=windl" would be equivalent.
So when I want to match just the uid part I could use "uid\3D([^,]+)", but that would include "\2Bemail\3Du...". If I'd use "uid\3D([^,]+)" instead, any escaped character inside the uid would terminate the match.
How do the experts handle it? Use very simplistic CNs in certificates?
Kind regards, Ulrich Windl
On Tue, Apr 29, 2025 at 09:18:09AM +0000, Windl, Ulrich wrote:
Hi!
Trying to match the (some experimental) certificate subject to assign it LDAP users, I have some problems: Escaping of the subject seems to make regexp matching even harder. For example "CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl" (as displayed by OpenSSL) is converted to "dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de"
As I understand it "uid=windl+email=u.windl@ukr.de" and "email=u.windl@ukr.de+uid=windl" would be equivalent.
Matching with olcAuthzRegexp is done on a normalised DN, so only one of these will ever be passed in (during normalisation the case is usually folded, nonprintable characters escaped, multivalued rDNs sorted, ...), in your example above I would think it's the latter that you will be matching against.
If you find that's not the case it would indicate a bug.
BTW CN = "uid=windl+email=u.windl@ukr.de", GN = Ulrich, SN = Windl is not using a multivalued rDN anywhere, there is only a cn attribute with a value of "uid=windl+email=u.windl@ukr.de" in your example...
Regards,
The idea was to provide an alternate DN, but maybe it does not work the way I thought. I saw this example in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c96b56d-d7a7-46f1-9883-7d031f9fa01e: F=John Smith+F=David Jones, OU=Users,DC=Fabrikam,DC=com
Kind regards, Ulrich Windl
-----Original Message----- From: Ondřej Kuzník ondra@mistotebe.net Sent: Tuesday, April 29, 2025 11:49 AM To: Windl, Ulrich u.windl@ukr.de Cc: openldap-technical@openldap.org Subject: [EXT] Re: Match certificate subject with escaped characters using olcAuthzRegexp
-- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP
On Mon, May 05, 2025 at 07:42:01AM +0000, Windl, Ulrich wrote:
The idea was to provide an alternate DN, but maybe it does not work the way I thought. I saw this example in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c96b56d-d7a7-46f1-9883-7d031f9fa01e: F=John Smith+F=David Jones, OU=Users,DC=Fabrikam,DC=com
Hi Ulrich, that example is contrary to RFC4512 section 2.2 around the end[0].
Actually if you read the link you provided, AD's own implementation is much stricter and doesn't support multivalued rDNs at all and the example you give is specifically listed as "disallowed"!
[0]. https://www.rfc-editor.org/rfc/rfc4512#section-2.2
Regards,
Hi!
Unfortunately the RFC does not really give an example of using multiple AVAs in an RDN; it just states:
" This relative name, known as its Relative Distinguished Name (RDN) [X.501], is composed of an unordered set of one or more attribute value assertions (AVA) consisting of an attribute description with zero options and an attribute value. These AVAs are chosen to match attribute values (each a distinguished value) of the entry."
And the other question is how multiple AVAs will be ordered to allow an AuthRegexp to match them.
Kind regards, Ulrich Windl
-----Original Message----- From: Ondřej Kuzník ondra@mistotebe.net Sent: Tuesday, May 6, 2025 11:50 AM To: Windl, Ulrich u.windl@ukr.de Cc: openldap-technical@openldap.org Subject: [EXT] Re: Re: Match certificate subject with escaped characters using olcAuthzRegexp
On Mon, May 05, 2025 at 07:42:01AM +0000, Windl, Ulrich wrote:
The idea was to provide an alternate DN, but maybe it does not work the way I thought. I saw this example in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c96b56d-d7a7-46f1-9883-7d031f9fa01e: F=John Smith+F=David Jones, OU=Users,DC=Fabrikam,DC=com
On Tue, May 06, 2025 at 12:19:37PM +0000, Windl, Ulrich wrote:
Hi!
Unfortunately the RFC does not really give an example of using multiple AVAs in an RDN; it just states:
Hi, you are allowed to do what you want so long as no rDN uses the same attribute more than once. You got the rDN syntax right otherwise.
" This relative name, known as its Relative Distinguished Name (RDN) [X.501], is composed of an unordered set of one or more attribute value assertions (AVA) consisting of an attribute description with zero options and an attribute value. These AVAs are chosen to match attribute values (each a distinguished value) of the entry."
And the other question is how multiple AVAs will be ordered to allow an AuthRegexp to match them.
Yes, and if you go over the history I have answered this question before:
The DN is normalised by OpenLDAP, sorting AVAs in each rDN including case-folding/(un)escaping etc. as needed. That's the DN you get as input when olcAuthzRegexp is processed. The normalisation function is designed so that two DNs are equivalent if and only if it produces an identical string.
Regards,
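The two points of the thread, matching a hex-escaped value inside the normalised DN (Ulrich's regex problem) and the sort-then-compare normalisation Ondřej describes, as an added Python illustration that is not part of the thread. It uses the normalised DN string quoted above; the regexes, the constructed test DN containing an escaped comma, and the tiny normalise_rdn model (alphabetical AVA sort, plain lower-casing) are assumptions made here, not slapd's schema-driven normaliser, and the config-file quoting of backslashes in olcAuthzRegexp is left aside.

```python
import re

# Normalised DN exactly as quoted in the thread: slapd has hex-escaped the "="
# and "+" inside the cn value as \3D and \2B, so they are no longer separators.
NORMALISED_DN = r"sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de"

# One unit of an escaped DN value: either a \XX hex escape or a single
# literal character that is not an unescaped separator or a bare backslash.
VALUE_ATOM = r"(?:\\[0-9A-Fa-f]{2}|[^,+\\])"

# The pattern from the question: runs to the next ',' and swallows "\2Bemail...".
NAIVE_UID_RE = re.compile(r"uid\\3D([^,]+)")

# Escape-aware pattern: consumes \XX escapes as whole units and stops at the
# escaped '+' (\2B), the next RDN or the end, so an escaped character inside
# the uid no longer terminates the match.
UID_RE = re.compile(r"cn=uid\\3D(" + VALUE_ATOM + r"+?)(?:\\2B|,|$)")


def unescape_dn_value(value):
    """Turn the \\XX hex escapes of a normalised DN value back into characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def uid_from_normalised_dn(dn, pattern=UID_RE):
    """Extract and unescape the uid embedded in the cn value, or None."""
    m = pattern.search(dn)
    return unescape_dn_value(m.group(1)) if m else None


def normalise_rdn(rdn):
    """Simplified model (an assumption here, not slapd's schema-driven code) of
    the step Ondřej describes: split on unescaped '+', fold case, sort the
    AVAs by attribute type, rejoin."""
    avas = re.split(r"(?<!\\)\+", rdn)
    pairs = sorted(tuple(part.strip().lower() for part in ava.split("=", 1))
                   for ava in avas)
    return "+".join(f"{t}={v}" for t, v in pairs)


if __name__ == "__main__":
    print(uid_from_normalised_dn(NORMALISED_DN, NAIVE_UID_RE))  # windl+email=u.windl@ukr.de
    print(uid_from_normalised_dn(NORMALISED_DN))                # windl
    # Both spellings of the multivalued RDN normalise to the same string.
    print(normalise_rdn("uid=windl+email=u.windl@ukr.de"))
    print(normalise_rdn("email=u.windl@ukr.de+uid=windl"))
```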