Re: OpenLDAP goes too deep with regex's (ITS#2174)
> I'm not quite sure on what you mean that the match is unique. All that
> really needs to be known, is that the GSSAPI bit matches one of the two
> entries. So, if it matches the data in krb5PrincipalName, it doesn't
> matter what is in suKrb5name, because this search was then a success.
I mean: when mapping auth tokens to DNs you want the mapping
to be unique, otherwise your regex is definitely flawed and
you might incur real security problems. So a successful
search is expected to return EXACTLY ONE entry. This is my
opinion, at least.
Pierangelo.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
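
The exactly-one-entry rule discussed in this message, as an added example that is not part of the original thread and is not OpenLDAP code: a principal that matches either attribute on a single entry maps cleanly, while a principal that matches different entries is refused. The directory contents, DNs and function names are constructed assumptions; only the attribute names `krb5PrincipalName` and `suKrb5name` come from the thread.

```python
# Constructed in-memory directory; DNs and values are made up for illustration.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "krb5PrincipalName": ["alice@EXAMPLE.ORG"],
        "suKrb5name": ["alice@EXAMPLE.ORG"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "krb5PrincipalName": ["bob@EXAMPLE.ORG"],
        # Stale value on bob's entry that collides with carol's principal.
        "suKrb5name": ["carol@EXAMPLE.ORG"],
    },
    "uid=carol,ou=people,dc=example,dc=org": {
        "krb5PrincipalName": ["carol@EXAMPLE.ORG"],
        "suKrb5name": [],
    },
}

MAPPING_ATTRS = ("krb5PrincipalName", "suKrb5name")


class MappingError(Exception):
    """Raised when a principal does not map to exactly one entry."""


def search(principal, directory=DIRECTORY, attrs=MAPPING_ATTRS):
    """Emulate an OR filter over attrs; return the sorted matching DNs."""
    return sorted(
        dn
        for dn, entry in directory.items()
        if any(principal in entry.get(attr, []) for attr in attrs)
    )


def map_to_dn(principal, directory=DIRECTORY):
    """Map an authenticated principal to a DN, refusing 0 or >1 matches."""
    matches = search(principal, directory)
    if len(matches) != 1:
        # Never pick "the first" match: that would authorize as whichever
        # entry happens to sort or be returned first.
        raise MappingError(f"{principal!r} matched {len(matches)} entries")
    return matches[0]


if __name__ == "__main__":
    for who in ("alice@EXAMPLE.ORG", "carol@EXAMPLE.ORG", "dave@EXAMPLE.ORG"):
        try:
            print(who, "->", map_to_dn(who))
        except MappingError as exc:
            print(who, "-> refused:", exc)
```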