
Re: OpenLDAP goes too deep with regex's (ITS#2174)
> I'm not quite sure on what you mean that the match is unique.  All that
> really needs to be known, is that the GSSAPI bit matches one of the two
> entries.  So, if it matches the data in krb5PrincipalName, it doesn't
> matter what is in suKrb5name, because this search was then a success.

I mean: when mapping auth tokens to DNs you want the mapping
to be unique, otherwise your regex is definitely flawed and
you might incur real security problems.  So a successful
search is expected to return EXACTLY ONE entry.  This is my
opinion, at least.

Pierangelo.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
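The uniqueness rule argued above, as an added illustration that is not part of the thread and not OpenLDAP's own code: a small Python model of an authz-regexp style mapping (SASL identity matched by a regex, captured groups substituted into an LDAP search URL, the search run against the directory) that accepts the mapping only when the search returns exactly one entry. The directory contents, the regex, the URL template and the attribute names are constructed example values; the filter evaluator covers only the equality/AND/OR subset needed here.

```python
import re
from typing import Optional

# Constructed in-memory stand-in for the directory (example data, not a real server).
# carol and carol-admin deliberately overlap: the same principal appears in two entries
# via different attributes, which is the ambiguous situation the rule must refuse.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "krb5PrincipalName": "alice@EXAMPLE.COM", "suKrb5name": "alice@EXAMPLE.COM"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "krb5PrincipalName": "bob@EXAMPLE.COM", "suKrb5name": "bob@EXAMPLE.COM"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "krb5PrincipalName": "carol@EXAMPLE.COM", "suKrb5name": "carol@EXAMPLE.COM"},
    {"dn": "uid=carol-admin,ou=people,dc=example,dc=com",
     "krb5PrincipalName": "carol-admin@EXAMPLE.COM", "suKrb5name": "carol@EXAMPLE.COM"},
]

# Hypothetical authz-regexp style rule: SASL authentication identity -> LDAP search URL.
AUTHZ_RULE = (
    re.compile(r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$"),
    "ldap:///ou=people,dc=example,dc=com??sub?"
    "(|(krb5PrincipalName=$1@EXAMPLE.COM)(suKrb5name=$1@EXAMPLE.COM))",
)


def filter_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so a captured group cannot reshape the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)


def render_search_url(sasl_id: str) -> Optional[str]:
    """Apply the rule's regex and substitute the escaped groups into the URL template."""
    pattern, template = AUTHZ_RULE
    m = pattern.match(sasl_id)
    if not m:
        return None
    url = template
    for n, group in enumerate(m.groups(), start=1):
        url = url.replace(f"${n}", filter_escape(group))
    return url


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse_filter(s: str, i: int = 0):
    """Parse the equality/AND/OR subset of RFC 4515. Returns (node, index after node)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op = "and" if s[i] == "&" else "or"
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse_filter(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    end = s.index(")", i)  # values are escaped, so ')' only closes the item
    attr, sep, val = s[i:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item")
    return ("eq", attr.lower(), _unescape(val)), end + 1


def _matches(node, entry: dict) -> bool:
    if node[0] == "eq":
        _, attr, val = node
        actual = next((v for k, v in entry.items() if k.lower() == attr), None)
        return actual is not None and actual.lower() == val.lower()
    op, children = node
    results = [_matches(c, entry) for c in children]
    return all(results) if op == "and" else any(results)


def _in_scope(dn: str, base: str, scope: str) -> bool:
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    suffix = "," + base
    if not dn.endswith(suffix):
        return dn == base and scope == "sub"
    if scope == "one":
        return "," not in dn[: -len(suffix)]
    return True  # "sub"


def map_identity(sasl_id: str, directory=DIRECTORY) -> Optional[str]:
    """Return the one DN the identity maps to, or None when there are zero or several hits."""
    url = render_search_url(sasl_id)
    if url is None:
        return None
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?", 3)
    tree, _ = _parse_filter(filt)
    hits = [e["dn"] for e in directory
            if _in_scope(e["dn"], base, scope) and _matches(tree, e)]
    # The property under discussion: an ambiguous search refuses the mapping
    # rather than picking the first entry, exactly like a search with no hit.
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for ident in ("uid=alice,cn=example.com,cn=gssapi,cn=auth",
                  "uid=carol,cn=example.com,cn=gssapi,cn=auth"):
        print(ident, "->", map_identity(ident))
```

Running it maps alice to her entry and refuses carol, because the OR filter over both attributes hits two entries. Escaping the captured group before substitution is the other half of keeping such a mapping trustworthy: a group that contained filter metacharacters cannot widen the search.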