Bug 526284 - error in sasl mapping
Summary: error in sasl mapping
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 1.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 431020
Reported: 2009-09-29 16:29 UTC by Sumit Bose
Modified: 2015-01-04 23:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 09:30:04 UTC



Description Sumit Bose 2009-09-29 16:29:46 UTC
Description of problem:

The current SASL mappings look like this:

dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@\(.*\)
cn: Full Principal
nsSaslMapBaseDNTemplate: dc=ipatest
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20090831091015Z
modifyTimestamp: 20090831091015Z

dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)
cn: Name Only
nsSaslMapBaseDNTemplate: dc=ipatest
nsSaslMapFilterTemplate: (krbPrincipalName=\1@EXAMPLE.COM)
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20090831091015Z
modifyTimestamp: 20090929155624Z


and are matched in an arbitrary order. If 'Name Only' is executed first it will match everything, even a principal ending with @EXAMPLE.COM. The following search will then fail, because @EXAMPLE.COM is added for a second time.

The following change to 'Name Only'

dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: ^[^@]+$
cn: Name Only
nsSaslMapBaseDNTemplate: dc=ipatest
nsSaslMapFilterTemplate: (krbPrincipalName=&@IPATEST)
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20090831091015Z
modifyTimestamp: 20090929155624Z

solves this, because now it only matches if no '@' is found.

It might make sense to use "nsSaslMapRegexString: ^[^:@]+$" if it is planned to use the 'u:' and 'dn:' patterns for SASL in future versions.

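As an added illustration of the ordering problem described in the report above (this is example code written for this page, not part of the bug report, 389 DS or FreeIPA), the following Python script models how a SASL mapping turns an authenticated identity into an LDAP search filter and shows why the original 'Name Only' regex is unsafe. It assumes three things: mappings are tried in the order listed (the server's order is unspecified, which is exactly the point); the page's POSIX BRE groups `\( \)` are written in Python regex syntax; and `&` in a filter template stands for the whole matched string, as the fixed mapping's `&@IPATEST` implies. The `order_dependent` check is an added helper that reports identities matched by more than one mapping, i.e. the cases where the outcome depends on server-internal ordering.

```python
import re

# Constructed, simplified model of SASL identity mapping (not 389 DS code).
# A mapping is (name, regex, filter template). The first mapping whose regex
# matches the SASL authid yields the filter used to look up the bind entry.


def render_template(template, match):
    """Expand \\N group references and & (whole match) in a filter template.
    The meaning of & is assumed from the page's fixed mapping ('&@IPATEST')."""
    def expand(m):
        if m.group(0) == "&":
            return match.group(0)
        return match.group(int(m.group(1)))
    return re.sub(r"&|\\(\d+)", expand, template)


def apply_mappings(authid, mappings):
    """Return (mapping name, filter) from the first mapping that matches, or
    None. re.search mirrors the unanchored POSIX regexec() used by the server,
    so an unanchored regex such as (.*) matches any authid."""
    for name, regex, template in mappings:
        m = re.search(regex, authid)
        if m:
            return name, render_template(template, m)
    return None


def order_dependent(authids, mappings):
    """Return the authids matched by more than one mapping: for these, the
    resulting filter depends on the (unspecified) order the server tries them."""
    return [a for a in authids
            if sum(1 for _, rx, _ in mappings if re.search(rx, a)) > 1]


# The page's original mappings, with 'Name Only' deliberately tried first
# to reproduce the failure (BRE groups rewritten in Python syntax).
ORIGINAL = [
    ("Name Only", r"(.*)", r"(krbPrincipalName=\1@EXAMPLE.COM)"),
    ("Full Principal", r"(.*)@(.*)", r"(krbPrincipalName=\1@\2)"),
]

# The page's fixed 'Name Only' mapping: only matches when no '@' is present,
# so it can no longer shadow 'Full Principal' regardless of order.
FIXED = [
    ("Name Only", r"^[^@]+$", r"(krbPrincipalName=&@IPATEST)"),
    ("Full Principal", r"(.*)@(.*)", r"(krbPrincipalName=\1@\2)"),
]

# Constructed sample identities: one bare name, one full principal.
SAMPLES = ["user", "user@EXAMPLE.COM"]

if __name__ == "__main__":
    for label, mappings in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"--- {label} mappings ---")
        for authid in SAMPLES:
            print(f"{authid:20} -> {apply_mappings(authid, mappings)}")
        print("order-dependent authids:", order_dependent(SAMPLES, mappings))
```

With the original regexes, `user@EXAMPLE.COM` is captured by 'Name Only' and the realm is appended a second time, producing `(krbPrincipalName=user@EXAMPLE.COM@EXAMPLE.COM)`, which matches no entry and makes the bind fail; with the fixed regex the same identity falls through to 'Full Principal' and `order_dependent` reports no overlap.
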
Comment 1 Rob Crittenden 2010-02-03 20:11:10 UTC
Fixed by Simo in master commit 4262358111fb97820915769bfdb201ad39f24d7c