[pubcookie-users] ldap_verify code question

Bradley Schwoerer schwoerb at doit.wisc.edu
Thu Feb 9 10:20:32 PST 2006


We (Univ of Wisc-Madison) use the LDAP verifier in Production with no
problems.  Someone can correct me if I am wrong but the stripping of the
@part is an option, try setting (trim_username_to_atsign: 0) in your config.
At least when I set that in my dev env and put the user at somewhere.edu it
shows that the ldapsearch string is using that.

As far as the request to do (|(xyz=%s)((zzz=%s)) that is not supported as I
went through the code.  I am sure the most qualified person to hackishly add
it will be Jon Miner.

-Bradley



On 2/9/06 10:34 AM, "Konstantin Ryabitsev" <icon at fedoraproject.org> wrote:

> Dourty, Brian R. (IATS) wrote:
>> Has anyone attempted to fix either of these problems yet? The
>> substitution code seems to be in the ldap_verify.c code. I haven't
>> tracked down the @domain problem yet.
> 
> Hi, Brian:
> 
> The ldap verifier is really rather hackishly written. We are having the
> same problem with @mcgill.ca bit being removed, since first.last itself
> is not necessarily unique (e.g. first.last at alumni.mcgill.ca and
> first.last at mcgill.ca will have the same cn=first.last, but we only care
> about the first.last at mcgill.ca, not about alumni). There are some other
> issues with it, too, like code quality and robustness.
> 
> I don't think it's a very widely used verifier, which would explain why
> it's not very robust.
> 
> Regards,
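
The substitution discussed in this thread, as an added example that is not part of the original messages and is not pubcookie's ldap_verify.c: a filter template expander that fills every %s (so the OR-style filter asked about works), optionally trims the username at the @ sign, and escapes filter metacharacters per RFC 4515. It goes beyond the single-%s case in the thread; the function name build_filter, the uid/mail attribute names and the sample addresses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not pubcookie code): expand every %s in an LDAP filter
 * template with the username, escaped per RFC 4515. trim_at_sign models the
 * trim_username_to_atsign option from the thread.
 * Returns 0 on success, -1 if out is too small. */
int build_filter(const char *tmpl, const char *user, int trim_at_sign,
                 char *out, size_t outlen)
{
    size_t ulen = strlen(user), o = 0;
    const char *at = strchr(user, '@');
    if (outlen == 0) return -1;
    if (trim_at_sign && at) ulen = (size_t)(at - user);
    for (const char *p = tmpl; *p; p++) {
        if (p[0] != '%' || p[1] != 's') {          /* literal template byte */
            if (o + 1 >= outlen) return -1;
            out[o++] = *p;
            continue;
        }
        p++;                                        /* skip the 's' of %s */
        for (size_t i = 0; i < ulen; i++) {
            unsigned char c = (unsigned char)user[i];
            if (c == '*' || c == '(' || c == ')' || c == '\\') {
                /* filter metacharacters become \XX so they stay data */
                if (o + 3 >= outlen) return -1;
                o += (size_t)snprintf(out + o, outlen - o, "\\%02x", (unsigned)c);
            } else {
                if (o + 1 >= outlen) return -1;
                out[o++] = (char)c;
            }
        }
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample addresses and attribute names. */
    const char *users[] = { "first.last@example.edu",
                            "first.last@alumni.example.edu", "a*)(uid=b" };
    char f[256];
    for (int trim = 1; trim >= 0; trim--)
        for (size_t i = 0; i < 3; i++)
            if (build_filter("(|(uid=%s)(mail=%s))", users[i], trim, f, sizeof f) == 0)
                printf("trim=%d %-30s -> %s\n", trim, users[i], f);
    return 0;
}
```

With trimming on, the two sample addresses expand to the same filter, which is the non-unique first.last case described in the quoted reply; with trimming off they stay distinct.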



