
Re: Checking authzTo case-sensitive



> Michael Ströder wrote:
>> HI!
>>
>> checking a DN sent by proxy authorization control against authzTo seems
>> to be case-sensitive. Or better said: DNs in the attribute value of
>> authzTo must be lower-cased to make matching work.
>>
>> Is that on purpose?
>
> Well, OpenLDAP introduced a specific syntax for authzTo/authzFrom which
> parses the values and validates/compares them according to the contents.
> The DN portion is usually compared by means of the dnMatch function,
> which takes care of case as appropriate for each AVA pair.

Partial correction: authz syntax is enabled by default in 2.4, while in
2.3 it's still protected by an #ifdef LDAP_DEVEL.  As a consequence, yes,
any DN must be in the form it would appear after normalization.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
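
An added example, not part of the original message and not OpenLDAP code: a lint that scans an LDIF export for authzTo/authzFrom values written in a DN style and flags those that are not lower-case, which is the symptom described in this thread for builds without the authz syntax. It assumes lower-casing approximates the normalized form (real normalization is attribute-specific); the function names and sample entries are constructed for illustration.

```python
import base64
import re

# Value styles whose remainder is a plain DN; dn.regex and LDAP URL forms are skipped.
DN_STYLES = re.compile(r"^dn(?:\.(?:exact|children|subtree|onelevel))?:(.*)$", re.I)

def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_unnormalized_authz(ldif_text):
    """Return (entry_dn, value, suggested_value) for each DN-style value that is not lower-case."""
    findings, entry_dn = [], None
    for line in unfold(ldif_text):
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = attr.strip().lower()
        if name == "dn":
            entry_dn = value
        elif name in ("authzto", "authzfrom"):
            m = DN_STYLES.match(value)
            # Assumption: lower-case stands in for "normalized"; values of
            # case-exact attributes would need manual review instead.
            if m and m.group(1) != m.group(1).lower():
                findings.append((entry_dn, value, value[:m.start(1)] + m.group(1).lower()))
    return findings

# Constructed sample export (not taken from the thread).
SAMPLE = """dn: uid=proxy,ou=Services,dc=example,dc=com
authzTo: dn:uid=Alice,ou=People,dc=Example,dc=com
authzTo: dn.subtree:ou=people,dc=example,dc=com
authzTo: dn.regex:^uid=[^,]+,ou=People,dc=example,dc=com$

dn: uid=batch,ou=services,dc=example,dc=com
authzTo: dn.exact:uid=Bob,ou=people,
 dc=example,dc=com
"""

if __name__ == "__main__":
    for entry, value, suggested in find_unnormalized_authz(SAMPLE):
        print(f"{entry}\n  found:     {value}\n  suggested: {suggested}")
```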