The idea was to provide an alternate DN, but maybe it does not work the way I thought. I saw this example in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c96b56d-d7a7-46f1-9883-7d031f9fa01e: F=John Smith+F=David Jones, OU=Users,DC=Fabrikam,DC=com
Kind regards,
Ulrich Windl

> -----Original Message-----
> From: Ondřej Kuzník <on...@mistotebe.net>
> Sent: Tuesday, April 29, 2025 11:49 AM
> To: Windl, Ulrich <u.wi...@ukr.de>
> Cc: openldap-technical@openldap.org
> Subject: [EXT] Re: Match certificate subject with escaped characters using olcAuthzRegexp
>
> On Tue, Apr 29, 2025 at 09:18:09AM +0000, Windl, Ulrich wrote:
> > Hi!
> >
> > Trying to match the (some experimental) certificate subject to assign it LDAP users, I have some problems:
> > Escaping of the subject seems to make regexp matching even harder.
> > For example
> > "CN = "uid=windl+email=u.wi...@ukr.de", GN = Ulrich, SN = Windl" (as displayed by OpenSSL) is converted to
> > "dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3du.wi...@ukr.de"
> >
> > As I understand it uid=windl+email=u.wi...@ukr.de" and email=u.wi...@ukr.de+uid=windl" would be equivalent.
>
> Matching with olcAuthzRegexp is done on a normalised DN, so only one of these will ever be passed in (during normalisation the case is usually folded, nonprintable characters escaped, multivalued rDNs sorted, ...), in your example above I would think it's the latter that you will be matching against.
>
> If you find that's not the case it would indicate a bug.
>
> BTW CN = "uid=windl+email=u.wi...@ukr.de", GN = Ulrich, SN = Windl is not using a multivalued rDN anywhere, there is only a cn attribute with a value of "uid=windl+email=u.wi...@ukr.de" in your example...
>
> Regards,
>
> --
> Ondřej Kuzník
> Senior Software Engineer
> Symas Corporation http://www.symas.com
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP
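The normalisation the quoted reply describes (case folding, escaping of `=` and `+` inside values, sorting of the components of a multi-valued RDN) and the regexp half of olcAuthzRegexp, sketched as an added Python illustration that is not OpenLDAP's own code. It assumes caseIgnore folding of values, uppercase hex escapes, sorting by attribute type, attribute names already in canonical form, and uses constructed sample subjects.

```python
import re

# Characters hex-escaped inside an RDN value (the thread shows "=" as "\3D"
# and "+" as "\2B"); uppercase hex digits are an assumption of this sketch.
SPECIAL = set('=+,;"\\<>#')


def escape_value(value: str) -> str:
    """Hex-escape characters that would otherwise read as DN syntax."""
    return "".join(f"\\{ord(c):02X}" if c in SPECIAL else c for c in value)


def normalize_dn(rdns):
    """Render structured RDNs as a normalized DN string.

    rdns is a list of RDNs, each a list of (attribute, value) tuples; an RDN
    with several tuples is multi-valued. As described in the thread, values
    are case-folded (caseIgnore matching assumed), escaped, and the AVAs of
    a multi-valued RDN are sorted (here by attribute type, then value), so
    the order the certificate used no longer matters. Attribute names are
    assumed to arrive in canonical form (e.g. givenName, not GN).
    """
    parts = []
    for rdn in rdns:
        avas = sorted(rdn, key=lambda av: (av[0].lower(), av[1].lower()))
        parts.append("+".join(f"{a}={escape_value(v.lower())}" for a, v in avas))
    return ",".join(parts)


def authz_match(pattern, rdns, replacement):
    """Model the regexp half of an olcAuthzRegexp "pattern replacement" pair.

    Returns the expanded replacement on a full match, else None. OpenLDAP
    writes back-references as $1; Python's template syntax uses \\1.
    """
    m = re.fullmatch(pattern, normalize_dn(rdns))
    return m.expand(replacement) if m else None


# Constructed sample subjects (most specific RDN first, as in an LDAP DN).
MULTI_A = [[("uid", "jdoe"), ("email", "jdoe@example.org")],
           [("dc", "example")], [("dc", "org")]]
MULTI_B = [[("email", "jdoe@example.org"), ("uid", "jdoe")],
           [("dc", "example")], [("dc", "org")]]
# A single cn whose value merely *contains* '+' and '=': not multi-valued.
SINGLE_CN = [[("cn", "uid=jdoe+email=jdoe@example.org")],
             [("ou", "people")], [("dc", "example")], [("dc", "org")]]

MULTI_RE = r"email=([^+,]+)\+uid=([^,]+),dc=example,dc=org"
CN_RE = r"cn=uid\\3D([^\\,]+)\\2Bemail\\3D[^,]+,ou=people,dc=example,dc=org"
REPL = r"ldap:///ou=people,dc=example,dc=org??sub?(uid=\2)"
REPL_CN = r"ldap:///ou=people,dc=example,dc=org??sub?(uid=\1)"
```

Both orderings of the genuinely multi-valued RDN normalize to the same string, so one pattern covers both, while the single-cn subject only matches a pattern written against its escaped form.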