Skip Menu |
 

Date: Sat, 21 Feb 2015 16:37:22 +0100
From: Michael Ströder <michael@stroeder.com>
To: krb5-bugs@mit.edu
Subject: SUBSTR caseExactSubstringsMatch in kerberos.schema
HI!

I'm looking closer at the attribute type descriptions in kerberos.schema
(schema file for OpenLDAP shipped by openSUSE package
krb5-plugin-kdb-ldap-1.13-154.2.x86_64).

For some attribute types with IA5Syntax there's defined:

SUBSTR caseExactSubstringsMatch

IMHO this is wrong. It has to be:

SUBSTR caseExactIA5SubstringsMatch

The change should not have any negative impact because substring search does
not work at all when using SUBSTR caseExactSubstringsMatch with a IA5String
syntax.

Ciao, Michael.
Download smime.p7s
application/pkcs7-signature 4.1KiB

Message body not shown because it is not plain text.

[michael@stroeder.com - Sat Feb 21 11:36:36 2015]:
Show quoted text
> The change should not have any negative impact because substring search does
> not work at all when using SUBSTR caseExactSubstringsMatch with a IA5String
> syntax.

I am unable to corroborate this assertion. With the current schema and OpenLDAP 2.4.31, I
can do something like "getprincs k*" and it appears to work, with or without an index for
krbPrincipalName. This query involves a search filter of:
(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=k*))