ldap backend - krbPrincipalName substring search

Michael Ströder michael at stroeder.com
Tue Apr 7 08:43:56 EDT 2015


Paul B. Henson wrote:
>> From: Michael Ströder
>> Sent: Monday, April 06, 2015 6:47 AM
>>
>> 1. Make sure to be aware of this schema declaration bug:
>> http://krbdev.mit.edu/rt/Ticket/Display.html?id=8150
>
> Hmm, looks like Greg just replied to that bug? What is the expected failure?
> Would the index be ignored and entries be found, but at the cost of a full
> scan? Or would the index be invalid and result in the entries not being
> found at all?

Yes, and he's right that it currently works. I'm still analyzing the wording 
in RFC 4517 regarding ASN.1 types of attribute values for which 
caseIgnoreIA5SubstringsMatch or caseIgnoreSubstringsMatch are applicable.

>> 2. OpenLDAP's "not indexed" messages do not mean that you should enable
>> indexing without first analyzing the search request sent.
>
> Understood; part of my analysis is figuring out what Kerberos functionality
> might avail of that index :).

Also take into account these configuration directives:
index_substr_if_minlen
index_substr_if_maxlen
index_substr_any_len
index_substr_if_maxlen value
index_substr_any_step

Ciao, Michael.
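
Added example, not part of the original message: a simplified Python model of how the `index_substr_*` directives listed above decide whether a substring assertion on an attribute such as krbPrincipalName can use a substring index at all. It assumes the defaults documented in slapd.conf(5), ASCII values, and no escaped `*` in the assertion; the function names and sample values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class SubstrIndexConfig:
    # Defaults as documented in slapd.conf(5).
    if_minlen: int = 2   # shortest subinitial/subfinal piece that is indexed
    if_maxlen: int = 4   # longest subinitial/subfinal piece that is indexed
    any_len: int = 4     # length of the pieces used for subany indexing
    any_step: int = 2    # stride between subany lookups (does not affect usability)


def split_substring_assertion(value):
    """Split 'initial*any1*any2*final' into (initial, [any, ...], final)."""
    parts = value.split("*")
    if len(parts) < 2:
        raise ValueError("not a substring assertion (no '*')")
    return parts[0], [p for p in parts[1:-1] if p], parts[-1]


def indexable_components(value, cfg=None,
                         index_types=("subinitial", "subany", "subfinal")):
    """Return the filter components long enough to produce index lookups."""
    cfg = cfg or SubstrIndexConfig()
    initial, anys, final = split_substring_assertion(value)
    usable = []
    if "subinitial" in index_types and len(initial) >= cfg.if_minlen:
        # Only the first if_maxlen characters are looked up in the index.
        usable.append(("initial", initial[:cfg.if_maxlen]))
    if "subany" in index_types:
        usable += [("any", a) for a in anys if len(a) >= cfg.any_len]
    if "subfinal" in index_types and len(final) >= cfg.if_minlen:
        usable.append(("final", final[-cfg.if_maxlen:]))
    return usable


def uses_index(value, **kwargs):
    """False means no component qualifies, so the index cannot narrow the search."""
    return bool(indexable_components(value, **kwargs))


if __name__ == "__main__":
    # Constructed sample assertions for (krbPrincipalName=...)
    for sample in ("host/*", "*@EXAMPLE.COM", "*adm*", "*admin*", "a*"):
        print(f"{sample:16} -> {indexable_components(sample)}")
```

Comparing the assertion values actually seen in the search requests against this model shows whether adding a `sub` index, or changing the length settings, would have any effect.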
