[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP goes too deep with regex's (ITS#2174)

To: openldap-its@OpenLDAP.org
Subject: Re: OpenLDAP goes too deep with regex's (ITS#2174)
From: ando@sys-net.it
Date: Mon, 11 Nov 2002 17:58:13 GMT


> I'm not quite sure on what you mean that the match is unique.  All that
> really needs to be known, is that the GSSAPI bit matches one of the two
> entries.  So, if it matches the data in krb5PrincipalName, it doesn't
> matter what is in suKrb5name, because this search was then a success.

I mean: when mapping auth tokens to DNs you want the mapping
to be unique, otherwise your regex is definitely flawed and
you might incur in real security problems.  So a successful
search is expected to return EXACTLY ONE entry.  This is my
opinion, at least.

Pierangelo.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Prev by Date: Re: OpenLDAP goes too deep with regex's (ITS#2174)
Next by Date: Re: OpenLDAP goes too deep with regex's (ITS#2174)
Index(es):
- Chronological
- Thread