[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Checking authzTo case-sensitive

To: "Pierangelo Masarati" <ando@sys-net.it>
Subject: Re: Checking authzTo case-sensitive
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Sat, 16 Jun 2007 15:37:18 +0200 (CEST)
Cc: openldap-software@openldap.org, Michael Ströder <michael@stroeder.com>
Importance: Normal
In-reply-to: <4672A0E0.2030800@sys-net.it>
References: <46729A2D.2010304@stroeder.com> <4672A0E0.2030800@sys-net.it>
User-agent: SquirrelMail/1.4.3a-1

> Michael Ströder wrote:
>> HI!
>>
>> checking a DN sent by proxy authorization control against authzTo seems
>> to be case-sensitive. Or better said: DNs in the attribute value of
>> authzTo must be lower-cased to make matching work.
>>
>> Is that by purpose?
>
> Well, OpenLDAP introduced a specific syntax for authzTo/authzFrom which
> parses the values and validates/compares them accodring to the contents.
>   The DN portion is usually compared by means of the dnMatch function,
> which takes care of case as appropriate for each AVA pair.

Partial correction: authz syntax is enabled by default in 2.4, while in
2.3 it's still protected by an #ifdef LDAP_DEVEL.  As a consequence, yes,
any DN must be in the form it would appear after normalization.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------

Follow-Ups:
- Re: Checking authzTo case-sensitive
  - From: Michael Ströder <michael@stroeder.com>

References:
- Checking authzTo case-sensitive
  - From: Michael Ströder <michael@stroeder.com>
- Re: Checking authzTo case-sensitive
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: Limiting attributes through ACL
Next by Date: bdb_index_read: failed (-30989)
Index(es):
- Chronological
- Thread