[pubcookie-users] Re: ldap_verify code question
Dourty, Brian R. (IATS)
DourtyB at missouri.edu
Thu Feb 9 12:30:10 PST 2006
We are modifying the code to work for us. We will be happy to share once
it's complete and tested. I missed the domain stripping in the docs. I
knew it wasn't part of the ldap_verify code. As far as the rest of this
thread, we use the ldap verify in production here and it works well.
Haven't had any problems with it when using a single substitution. We
just have some name collisions making multiple substitutions necessary.
> -----Original Message-----
> From: pubcookie-users-bounces at mailman1.u.washington.edu
> [mailto:pubcookie-users-bounces at mailman1.u.washington.edu] On
> Behalf Of Jon Miner
> Sent: Thursday, February 09, 2006 2:25 PM
> To: Dourty, Brian R. (IATS); Konstantin Ryabitsev
> Cc: pubcookie-users at u.washington.edu
> Subject: [pubcookie-users] Re: ldap_verify code question
> Not to be defensive, but if there are problems that you see
> with the LDAP Verifier, please either fix them or list them
> explicitly so that they can be fixed properly. Declaring it
> "hackishly written" and "not very robust" simply makes me
> want to ignore all of your comments.
> As Brad has pointed out, we use it in production here at
> Madison and handle several thousand logins per day
> (increasing every day).
> The termination of the username at "@" is done at line 694 of
> index.cgi.c and not in the LDAP verifier at all. It's
> documented in the Login CGI documentation:
> The question of having more than one %s in the search filter
> is an interesting one, and a case that never occurred to me.
> Nathan, can you add it to the "todo" list for the LDAP
> verifier? I'll try to remember it myself, but I'm not always
> so reliable. :)
> Please, if you have concrete complaints or bugs in (or about)
> the LDAP verifier, let us know.
> * Konstantin Ryabitsev (icon at fedoraproject.org) [060209 10:35]:
> > Dourty, Brian R. (IATS) wrote:
> > >Has anyone attempted to fix either of these problems yet? The
> > >substitution code seems to be in the ldap_verify.c code. I haven't
> > >tracked down the @domain problem yet.
> > Hi, Brian:
> > The ldap verifier is really rather hackishly written. We are having
> > the same problem with @mcgill.ca bit being removed, since
> > itself is not necessarily unique (e.g. first.last at alumni.mcgill.ca
> > and first.last at mcgill.ca will have the same cn=first.last, but we
> > only care about the first.last at mcgill.ca, not about alumni). There
> > are some other issues with it, too, like code quality and robustness.
> > I don't think it's a very widely used verifier, which would explain
> > why it's not very robust.
> > Regards,
> > --
> > Konstantin Ryabitsev
> > McGill University WSG
> > Kaylee: "She just did the math."
> > --Episode #14, "Objects in Space"
> .Jonathan J. Miner------------------Division of Information
> |miner at doit.wisc.edu University Of Wisconsin - Madison|
> |608/262.9655 Room 3146 Computer Science|
> Statler: You know, the older I get, the more I appreciate good music.
> Waldorf: What's that got to do with what we just heard?
> Statler: Nothing, just thought I'd mention it.
> -- The Muppet Show
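The two issues raised in this thread (a search filter with more than one %s, and login names that collide once everything from "@" on is removed), shown as an added example that is not pubcookie code and not from any poster. The helper names `expand_filter` and `filter_for`, the filter template and its attribute names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not pubcookie code): copy tmpl to out, replacing EVERY
   "%s" with user and escaping RFC 4515 filter metacharacters.
   Returns 0 on success, -1 if out is too small. */
int expand_filter(const char *tmpl, const char *user, char *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    while (*tmpl) {
        if (tmpl[0] == '%' && tmpl[1] == 's') {
            for (const char *p = user; *p; p++) {
                unsigned char c = (unsigned char)*p;
                if (c == '*' || c == '(' || c == ')' || c == '\\') {
                    if (n + 3 >= cap) return -1;
                    snprintf(out + n, cap - n, "\\%02x", (unsigned)c);
                    n += 3;
                } else {
                    if (n + 1 >= cap) return -1;
                    out[n++] = (char)c;
                }
            }
            tmpl += 2;
        } else {
            if (n + 1 >= cap) return -1;
            out[n++] = *tmpl++;
        }
    }
    out[n] = '\0';
    return 0;
}

/* Build the filter for a login name; strip != 0 models the truncation at "@"
   described in the thread. Returns a static buffer, or NULL on overflow. */
const char *filter_for(const char *tmpl, const char *login, int strip) {
    static char user[128], out[512];
    snprintf(user, sizeof user, "%s", login);
    if (strip) user[strcspn(user, "@")] = '\0';
    return expand_filter(tmpl, user, out, sizeof out) == 0 ? out : NULL;
}

int main(void) {
    const char *tmpl = "(|(cn=%s)(mail=%s))"; /* constructed template */
    printf("%s\n", filter_for(tmpl, "first.last@alumni.mcgill.ca", 1));
    printf("%s\n", filter_for(tmpl, "first.last@mcgill.ca", 1));
    printf("%s\n", filter_for(tmpl, "first.last@mcgill.ca", 0));
    return 0;
}
```

With truncation on, the first two logins produce the same filter, so the directory search cannot tell the alumni entry from the main one; with the full name kept, the filters differ.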