On Tue, Apr 29, 2025 at 09:18:09AM +0000, Windl, Ulrich wrote:
> Hi!
>
> Trying to match the (some experimental) certificate subject to assign it
> LDAP users, I have some problems:
> Escaping of the subject seems to make regexp matching even harder.
> For example
> "CN = "uid=windl+email=u.wi...@ukr.de", GN = Ulrich, SN = Windl" (as
> displayed by OpenSSL) is converted to
> "dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3du.wi...@ukr.de"
>
> As I understand it uid=windl+email=u.wi...@ukr.de" and
> email=u.wi...@ukr.de+uid=windl" would be equivalent.

Matching with olcAuthzRegexp is done on a normalised DN, so only one of
these will ever be passed in (during normalisation the case is usually
folded, nonprintable characters escaped, multivalued rDNs sorted, ...),
in your example above I would think it's the latter that you will be
matching against. If you find that's not the case it would indicate a
bug.

BTW CN = "uid=windl+email=u.wi...@ukr.de", GN = Ulrich, SN = Windl is
not using a multivalued rDN anywhere, there is only a cn attribute with
a value of "uid=windl+email=u.wi...@ukr.de" in your example...

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
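
The distinction drawn in the reply above, as an added example that is not part of the original message and is not OpenLDAP's code: a simplified Python model of RFC 4514 DN parsing, showing that an escaped `+` or `=` stays inside a single cn value, while an unescaped `+` forms a multivalued RDN that compares equal in either order once sorted. The sample DNs, the example.org address, the helper names, and the lowercase and sort-by-type rules are assumptions for illustration; slapd's real normalisation is schema-aware.

```python
import re

def split_unescaped(s, sep):
    """Split s on sep, skipping any character that follows a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape (\2B, \3D, \+ ...) intact
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def unescape(value):
    """Decode \\XX hex pairs and \\c single-character escapes in one pass (ASCII only)."""
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return re.sub(r"\\([0-9a-fA-F]{2}|.)", repl, value)

def parse_dn(dn):
    """Return a list of RDNs, each a sorted tuple of (type, value) pairs."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):   # only an unescaped '+' separates AVAs
            attr, value = ava.split("=", 1)     # first '=' ends the attribute type
            # Assumption: case-insensitive attributes, modelled by lowercasing.
            avas.append((attr.strip().lower(), unescape(value.strip()).lower()))
        rdns.append(tuple(sorted(avas)))        # assumption: order AVAs by type, then value
    return rdns

# Constructed samples modelled on the thread; the address is a placeholder.
CERT_STYLE = r"sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Dwindl@example.org"
MULTI_A = "uid=windl+email=windl@example.org,dc=example,dc=org"
MULTI_B = "email=windl@example.org+uid=windl,dc=example,dc=org"

if __name__ == "__main__":
    print(parse_dn(CERT_STYLE)[2])                 # one cn AVA containing '=' and '+'
    print(parse_dn(MULTI_A) == parse_dn(MULTI_B))  # same DN after sorting
```

An authz regexp written against the certificate-derived DN therefore has to match the escaped cn value as a whole; it will never see separate uid and email components.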