On Tue, May 06, 2025 at 12:19:37PM +0000, Windl, Ulrich wrote:
> Hi!
> 
> Unfortunately the RFC does not really give an example of using
> multiple AVAs in an RDN; it just states:

Hi,
you are allowed to do what you want so long as no rDN uses the same
attribute more than once. You got the rDN syntax right otherwise.

> " This
>    relative name, known as its Relative Distinguished Name (RDN)
>    [X.501], is composed of an unordered set of one or more attribute
>    value assertions (AVA) consisting of an attribute description with
>    zero options and an attribute value.  These AVAs are chosen to match
>    attribute values (each a distinguished value) of the entry."
> 
> And the other question is how multiple AVAs will be ordered to allow
> an AuthRegexp to match them.

Yes, and if you go over the history I have answered this question
before:

The DN is normalised by OpenLDAP, sorting AVAs in each rDN including
case-folding/(un)escaping etc. as needed. That's the DN you get as input
when olcAuthzRegexp is processed. The normalisation function is designed
so that two DNs are equivalent if and only if it produces an identical
string.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
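
Added example, not part of the original message and not OpenLDAP code: a simplified Python model of the normalise-then-match behaviour described above, showing why a mapping pattern only needs to be written against one AVA order. The sort key (lowercased attribute type), the blanket case-folding of values, the sample DNs and the pattern are all assumptions made for illustration; check the string your own server produces before fixing an order in a real olcAuthzRegexp.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters untouched."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def normalise_dn(dn):
    """Simplified model: fold case, sort AVAs inside each RDN, reject repeats."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"not an AVA: {ava!r}")
            # Assumption: every attribute is case-insensitive.
            avas.append((attr.strip().lower(), value.lower()))
        types = [a for a, _ in avas]
        if len(types) != len(set(types)):
            # An RDN may not use the same attribute more than once.
            raise ValueError(f"attribute repeated in RDN: {rdn!r}")
        rdns.append("+".join(f"{a}={v}" for a, v in sorted(avas)))
    return ",".join(rdns)

# Constructed pattern, anchored and written against the normalised form only.
AUTHZ_PATTERN = re.compile(
    r"^cn=([^,+]+)\+uid=([^,+]+),ou=people,dc=example,dc=com$")

def map_identity(dn):
    """Return the captured (cn, uid) pair, or None if the DN does not match."""
    m = AUTHZ_PATTERN.match(normalise_dn(dn))
    return m.groups() if m else None
```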
