ITS#2602 EXTERNAL authentication : certificate dn mismatch
I am unable to reproduce this error using the current OpenLDAP 2.1 code on
Linux.
From my slapd.conf:
####
sasl-regexp cn=(.*),ou=.*,.* ldap:///o=Symas%20Corp.,c=US??sub?(cn=$1)
access to *
by group.base="cn=foo,o=symas corp.,c=us" write
by * read
database bdb
#ldbm#cachesize 0
suffix "o=Symas Corp.,c=US"
directory ./test-db
index objectClass eq
index cn,sn,uid pres,eq,sub
####
Here's my certificate DN. The DN is in ISO8859-1.
Subject: C=US, ST=California, L=Los Angeles, O=Symas Corporation, OU=Secret
Research Labs, CN=\xC3lpha \xC3\xE6ro.
The slapd normalizer turns it into UTF-8:
TLS trace: SSL_accept:SSLv3 flush data
=> ldap_dn2bv(16)
<= ldap_dn2bv(cn=\C3\A3lpha \C3\A3\C3\A6ro,ou=secret research labs,o=symas
corporation,l=los angeles,st=california,c=us,16)=0
Here's the cn=foo group:
dn: cn=foo,o=symas corp.,c=us
objectclass: groupOfNames
cn: foo
member:: Y249w4NscGhhIMODw6ZybyxvPVN5bWFzIENvcnAuLGM9VVM=
Note that the member is base64-encoded UTF-8. None of its contents are
hex-escaped.
do_sasl_bind: dn () mech EXTERNAL
==> sasl_bind: dn="" mech=EXTERNAL datalen=0
SASL Canonicalize [conn=0]: authcid="cn=\C3\A3lpha \C3\A3\C3\A6ro,ou=secret
research labs,o=symas corporation,l=los angeles,st=california,c=us"
slap_sasl_getdn: id=cn=\C3\A3lpha \C3\A3\C3\A6ro,ou=secret research
labs,o=symas corporation,l=los angeles,st=california,c=us [len=105]
==>slap_sasl2dn: converting SASL name cn=\C3\A3lpha \C3\A3\C3\A6ro,ou=secret
research labs,o=symas corporation,l=los angeles,st=california,c=us to a DN
slap_sasl_regexp: converting SASL name cn=\C3\A3lpha \C3\A3\C3\A6ro,ou=secret
research labs,o=symas corporation,l=los angeles,st=california,c=us
slap_sasl_regexp: converted SASL name to
ldap:///o=Symas%20Corp.,c=US??sub?(cn=\C3\A3lpha \C3\A3\C3\A6ro)
slap_parseURI: parsing ldap:///o=Symas%20Corp.,c=US??sub?(cn=\C3\A3lpha
\C3\A3\C3\A6ro)
ldap_url_parse_ext(ldap:///o=Symas%20Corp.,c=US??sub?(cn=\C3\A3lpha
\C3\A3\C3\A6ro))
put_filter: "(cn=\C3\A3lpha \C3\A3\C3\A6ro)"
put_filter: simple
put_simple_filter: "cn=\C3\A3lpha \C3\A3\C3\A6ro"
Note that the directory entry has UTF-8, not hex-escaped:
bdb_search_candidates: id=1 first=2 last=2
====> bdb_cache_return_entry_r( 1 ): created (0)
entry_decode: "cn=Ãlpha Ãæro,o=Symas Corp.,c=US"
<= entry_decode(cn=Ãlpha Ãæro,o=Symas Corp.,c=US)
====> bdb_cache_return_entry_r( 2 ): created (0)
<==slap_sasl2dn: Converted SASL name to cn=ãlpha ãæro,o=symas corp.,c=us
getdn: dn:id converted to cn=ãlpha ãæro,o=symas corp.,c=us
SASL Canonicalize [conn=0]: authcDN="cn=ãlpha ãæro,o=symas corp.,c=us"
SASL Authorize [conn=0]: authcid="cn=\C3\A3lpha \C3\A3\C3\A6ro,ou=secret
research labs,o=symas corporation,l=los angeles,st=california,c=us"
authzid="cn=\C3\A3lpha \C3\A3\C3\A6ro,ou=secret research labs,o=symas
corporation,l=los angeles,st=california,c=us"
SASL Authorize [conn=0]: authorization allowed
Here's the group ACL evaluation, which succeeds:
=> bdb_group: group ndn: "cn=foo,o=symas corp.,c=us"
=> bdb_group: op ndn: "cn=ãlpha ãæro,o=symas corp.,c=us"
=> bdb_group: oc: "groupOfNames" at: "member"
=> bdb_group: tr ndn: "o=symas corp.,c=us"
bdb_dn2entry_rw("cn=foo,o=symas corp.,c=us")
=> bdb_dn2id( "cn=foo,o=symas corp.,c=us" )
<= bdb_dn2id: got id=0x00000003
entry_decode: "cn=foo,o=symas corp.,c=us"
<= entry_decode(cn=foo,o=symas corp.,c=us)
>>> dnNormalize: <cn=Ãlpha Ãæro,o=Symas Corp.,c=US>
=> ldap_bv2dn(cn=Ãlpha Ãæro,o=Symas Corp.,c=US,0)
<= ldap_bv2dn(cn=Ãlpha Ãæro,o=Symas Corp.,c=US,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ãlpha ãæro,o=symas corp.,c=us,272)=0
<<< dnNormalize: <cn=ãlpha ãæro,o=symas corp.,c=us>
dnMatch 0
"cn=ãlpha ãæro,o=symas corp.,c=us"
"cn=ãlpha ãæro,o=symas corp.,c=us"
====> bdb_cache_return_entry_r( 3 ): created (0)
bdb_group: rc=0
The hex-escaping is for display convenience and to escape reserved characters
(such as comma and semicolon). It does not affect internal comparisons.
Without further information illustrating the problem, this report will be
closed.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
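To make the steps in the log above concrete, here is an added Python walk-through (not OpenLDAP's own code). It reuses the sasl-regexp, the base64 member value and the certificate subject from the report; normalize_dn is a simplified stand-in for slapd's dnNormalize (case folding only), and the ISO-8859-1 subject bytes are constructed from the printed certificate DN.

```python
import base64
import re

# Values taken from the report; the subject is laid out in certificate (least-specific-first) order,
# with ISO-8859-1 bytes as they appear in the certificate (constructed from the printed DN).
SASL_REGEXP = (r"cn=(.*),ou=.*,.*", "ldap:///o=Symas%20Corp.,c=US??sub?(cn=$1)")
GROUP_MEMBER_B64 = "Y249w4NscGhhIMODw6ZybyxvPVN5bWFzIENvcnAuLGM9VVM="
CERT_SUBJECT_8859_1 = [
    ("C", b"US"), ("ST", b"California"), ("L", b"Los Angeles"),
    ("O", b"Symas Corporation"), ("OU", b"Secret Research Labs"),
    ("CN", b"\xC3lpha \xC3\xE6ro"),
]


def cert_subject_to_dn(rdns):
    """Decode the ISO-8859-1 RDN values to text and emit an LDAP DN (most-specific RDN first)."""
    return ",".join(f"{t}={v.decode('iso-8859-1')}" for t, v in reversed(rdns))


def normalize_dn(dn):
    """Simplified stand-in for slapd's dnNormalize: case-fold types and values."""
    return dn.lower()


def hex_escape(dn):
    """Display form seen in the log: each non-ASCII UTF-8 byte rendered as \\XX.
    This is presentation only; comparisons below never use it."""
    out = []
    for ch in dn:
        if ord(ch) < 0x80:
            out.append(ch)
        else:
            out.append("".join(f"\\{b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def sasl_regexp(authcid, pattern, replacement):
    """Apply one sasl-regexp mapping to the (normalized) SASL name; None if it does not match."""
    m = re.fullmatch(pattern, authcid)
    if m is None:
        return None
    return replacement.replace("$1", m.group(1))


def group_member_matches(member_b64, op_ndn):
    """Decode the base64 member attribute and compare it with the bind DN after normalization."""
    member = base64.b64decode(member_b64).decode("utf-8")
    return normalize_dn(member) == normalize_dn(op_ndn)
```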