https://bugs.openldap.org/show_bug.cgi?id=9495
Issue ID: 9495
Summary: authz-regexp using dn: instead of a URI mangles characters with HTML escapes
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Trying to use an authz-regexp that maps directly to DNs by using "dn:..."
instead of a URI results in the authz id having some characters "html escaped".
As a result the authorized entity cannot be found.
E.g. a "-U cn=Barbara Jensen,ou=Information Technology Division"
with
olcAuthzRegexp: "^uid=([^,]+),.*" "dn:$1,ou=people,dc=example,dc=com"
fails. Debug logs show that the equal and comma characters are returned from
ldap_bv2dn() in escaped form, and are then substituted into the target DN,
resulting in a DN that does not exist in the DIT.
6046d7cd SASL Canonicalize [conn=1113]: authcid="cn=Barbara Jensen,ou=Information Technology Division"
6046d7cd slap_sasl_getdn: conn 1113 id=cn=Barbara Jensen,ou=Information Technology Division [len=52]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=cn\3DBarbara Jensen\2Cou\3DInformation Technology Division,cn=PLAIN,cn=auth)=0
6046d7cd slap_sasl_getdn: u:id converted to uid=cn\3DBarbara Jensen\2Cou\3DInformation Technology Division,cn=PLAIN,cn=auth
...
6046d7cd send_ldap_result: err=49 matched="" text="SASL(-13): user not found: Password verification failed"
I suspect that when the "dn:..." form is used with authz-regexp the supplied
authzid should _not_ have its characters canonicalized because they will not
be substituted into a URI. If so, this would be a bug. If not, there should
be documentation on the restrictions on what characters can be used in authzid
when the "dn:..." form is used.
Tested against HEAD of master, although the version in the bug report is 2.5.
See also Bug# 6912.
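To make the mechanism in the report easy to follow, the following is an added Python model (not OpenLDAP code) of the two steps slapd performs: the SASL authcid is canonicalized into the uid=...,cn=PLAIN,cn=auth form with RFC 4514 special characters written in the \XX hex form seen in the log, and the olcAuthzRegexp rule from the report is then applied to it. The escape set and the $N substitution handling are simplifying assumptions; the sample values are the ones quoted in the report.

```python
import re
from typing import Optional

# Values taken from the bug report: the authcid passed with -U and the
# olcAuthzRegexp match/replace pair.
AUTHCID = "cn=Barbara Jensen,ou=Information Technology Division"
AUTHZ_MATCH = r"^uid=([^,]+),.*"
AUTHZ_REPLACE = "dn:$1,ou=people,dc=example,dc=com"

# Characters RFC 4514 requires to be escaped inside an attribute value.
# The log shows ldap_dn2bv() emitting them as \XX hex (\3D for '=',
# \2C for ','); this escape set is an assumption, not slapd's own table.
_DN_SPECIALS = ',=+<>#;"\\'


def escape_rdn_value(value: str) -> str:
    """Hex-escape DN special characters the way the log shows them."""
    return "".join("\\%02X" % ord(ch) if ch in _DN_SPECIALS else ch for ch in value)


def sasl_authz_dn(authcid: str, mech: str = "PLAIN", canonicalize: bool = True) -> str:
    """Build the uid=<authcid>,cn=<mech>,cn=auth DN slapd derives from a SASL id.

    With canonicalize=True the authcid is treated as an RDN value and escaped,
    which is the behaviour the report observes; False models the reporter's
    expectation for the dn: form (authcid inserted verbatim).
    """
    uid = escape_rdn_value(authcid) if canonicalize else authcid
    return f"uid={uid},cn={mech},cn=auth"


def apply_authz_regexp(authz_dn: str, pattern: str, replacement: str) -> Optional[str]:
    """Apply one authz-regexp rule; $N in the replacement expands to group N."""
    m = re.match(pattern, authz_dn)
    if m is None:
        return None
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)


if __name__ == "__main__":
    for canon in (True, False):
        src = sasl_authz_dn(AUTHCID, canonicalize=canon)
        print(f"canonicalized={canon}")
        print("  authz DN :", src)
        print("  mapped to:", apply_authz_regexp(src, AUTHZ_MATCH, AUTHZ_REPLACE))
```

Run as a script it prints the escaped DN from the log and the mangled "dn:cn\3DBarbara Jensen\2C..." target the rule produces from it, next to the "dn:cn=Barbara Jensen,ou=people,..." target the same rule yields when the authcid is not escaped.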