
Re: OpenLDAP goes too deep with regex's (ITS#2174)
--On Monday, November 11, 2002 6:54 PM +0100 Pierangelo Masarati 
<ando@sys-net.it> wrote:

>
>
>> I'm not quite sure on what you mean that the match is unique.  All that
>> really needs to be known, is that the GSSAPI bit matches one of the two
>> entries.  So, if it matches the data in krb5PrincipalName, it doesn't
>> matter what is in suKrb5name, because this search was then a success.
>
> I mean: when mapping auth tokens to DNs you want the mapping
> to be unique, otherwise your regex is definitely flawed and
> you might incur in real security problems.  So a successful
> search is expected to return EXACTLY ONE entry.  This is my
> opinion, at least.
>
> Pierangelo.

Pierangelo,

This is correct.  Now, let's look at the fact that I have the following K5 
Principals:
quanah@stanford.edu
quanah/root@stanford.edu
quanah/admin@stanford.edu

Since krb5PrincipalName is a single-valued attribute, I cannot represent 
all 3 of these in the basic K5 schema.  So, we also have suKrb5Name.  So, 
my person entry could contain:

krb5PrincipalName=quanah@stanford.edu
suKrb5Name=quanah/root@stanford.edu
suKrb5Name=quanah/admin@stanford.edu

So, depending on which TGT I bind as, I am still only going to ever get 
EXACTLY ONE entry.  But, it should STOP searching when it gets that ONE 
entry.  Instead it keeps searching. :)

--Quanah
--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
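The uniqueness rule Pierangelo describes, as an added Python example that is not part of this thread or of OpenLDAP itself: it simulates the search an authz mapping performs over entries shaped like Quanah's (single-valued krb5PrincipalName plus multi-valued suKrb5Name), assumes a GSSAPI auth identity of the form uid=<principal>,cn=<realm>,cn=gssapi,cn=auth, and treats anything other than exactly one hit as a failed mapping.

```python
import re

# Constructed sample directory modelled on the entries described in the thread.
# krb5PrincipalName is single-valued; suKrb5Name carries the extra instances.
ENTRIES = {
    "uid=quanah,dc=stanford,dc=edu": {
        "krb5PrincipalName": ["quanah@stanford.edu"],
        "suKrb5Name": ["quanah/root@stanford.edu", "quanah/admin@stanford.edu"],
    },
    "uid=other,dc=stanford,dc=edu": {
        "krb5PrincipalName": ["other@stanford.edu"],
        "suKrb5Name": [],
    },
}

# Assumed shape of the SASL auth identity presented for a GSSAPI bind
# (hypothetical for this example): uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
AUTHID_RE = re.compile(r"^uid=([^,]+),cn=([^,]+),cn=gssapi,cn=auth$")


def matches(attrs, principal):
    """Evaluate (|(krb5PrincipalName=P)(suKrb5Name=P)) against one entry."""
    return (principal in attrs.get("krb5PrincipalName", [])
            or principal in attrs.get("suKrb5Name", []))


def map_authid_to_dn(authid, entries):
    """Return the single DN the auth identity maps to.

    Returns None when the identity does not parse, matches no entry, or
    matches more than one entry: an ambiguous mapping must not authorize.
    """
    m = AUTHID_RE.match(authid)
    if not m:
        return None
    principal = f"{m.group(1)}@{m.group(2)}"
    hits = [dn for dn, attrs in entries.items() if matches(attrs, principal)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for authid in ("uid=quanah,cn=stanford.edu,cn=gssapi,cn=auth",
                   "uid=quanah/root,cn=stanford.edu,cn=gssapi,cn=auth",
                   "uid=nobody,cn=stanford.edu,cn=gssapi,cn=auth"):
        print(authid, "->", map_authid_to_dn(authid, ENTRIES))
```

Each of Quanah's three principals resolves to the same single entry, while a directory in which two entries claim the same principal makes the function refuse the mapping instead of picking the first hit.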