Re: OpenLDAP goes too deep with regex's (ITS#2174)
--On Monday, November 11, 2002 6:54 PM +0100 Pierangelo Masarati
<ando@sys-net.it> wrote:
>
>
>> I'm not quite sure on what you mean that the match is unique. All that
>> really needs to be known, is that the GSSAPI bit matches one of the two
>> entries. So, if it matches the data in krb5PrincipalName, it doesn't
>> matter what is in suKrb5name, because this search was then a success.
>
> I mean: when mapping auth tokens to DNs you want the mapping
> to be unique, otherwise your regex is definitely flawed and
> you might incur real security problems. So a successful
> search is expected to return EXACTLY ONE entry. This is my
> opinion, at least.
>
> Pierangelo.
Pierangelo,
This is correct. Now, let's look at the fact that I have the following K5
Principals:
quanah@stanford.edu
quanah/root@stanford.edu
quanah/admin@stanford.edu
Since krb5PrincipalName is a single-valued attribute, I cannot represent
all 3 of these in the basic K5 schema. So, we also have suKrb5Name. So,
my person entry could contain:
krb5PrincipalName=quanah@stanford.edu
suKrb5Name=quanah/root@stanford.edu
suKrb5Name=quanah/admin@stanford.edu
So, depending on which TGT I bind as, I am still only going to ever get
EXACTLY ONE entry. But, it should STOP searching when it gets that ONE
entry. Instead it keeps searching. :)
--Quanah
--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
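The uniqueness rule Pierangelo states (a successful mapping search returns EXACTLY ONE entry) and the two-attribute lookup Quanah describes, modelled as an added example; this is not code from the thread or from OpenLDAP. The base DN, the entry DNs and the in-memory directory are assumptions; the attribute names and principals are the ones discussed above.

```python
import re

# Constructed sample directory (DNs are assumptions; attribute names and the
# principals come from the thread). Each DN maps to multi-valued attributes.
DIRECTORY = {
    "uid=quanah,ou=people,dc=stanford,dc=edu": {
        "krb5PrincipalName": ["quanah@stanford.edu"],
        "suKrb5Name": ["quanah/root@stanford.edu", "quanah/admin@stanford.edu"],
    },
    # Two entries that both claim the same principal: a flawed mapping.
    "uid=dup1,ou=people,dc=stanford,dc=edu": {"krb5PrincipalName": ["dup@stanford.edu"]},
    "uid=dup2,ou=people,dc=stanford,dc=edu": {"suKrb5Name": ["dup@stanford.edu"]},
}

def ldap_filter_escape(value):
    """RFC 4515 escaping: a principal must not smuggle '*', '(' or ')' into the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldap_filter_unescape(value):
    """Reverse of ldap_filter_escape, used by the toy filter evaluator below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(principal):
    """The search the authz mapping issues: either attribute may hold the principal."""
    p = ldap_filter_escape(principal)
    return "(|(krb5PrincipalName=%s)(suKrb5Name=%s))" % (p, p)

def search(flt):
    """Minimal evaluator for the OR-of-equalities filter shape built above."""
    terms = [(a, ldap_filter_unescape(v))
             for a, v in re.findall(r"\((\w+)=([^()]*)\)", flt)]
    return [dn for dn, attrs in DIRECTORY.items()
            if any(v in attrs.get(a, []) for a, v in terms)]

def map_principal_to_dn(principal):
    """Authz mapping: succeed only when the search returns exactly one entry."""
    hits = search(build_filter(principal))
    if len(hits) != 1:
        return None  # 0 hits: unknown principal; 2+ hits: ambiguous, refuse
    return hits[0]
```

Whichever of the three principals the TGT carries, the lookup resolves to the one person entry, while a principal claimed by two entries (or a wildcard smuggled into the filter) is refused instead of guessed.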