
SASL bind: no authcid->DN conversion - group ACLs do not work (ITS#891)



Full_Name: Gabor Gombas
Version: 2.x-devel
OS: AIX 4.3.3.0
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (157.181.142.239)


Hello,

It seems that there is a bug in the SASL authentication process: in
servers/slapd/sasl.c, when the client did not provide an authorization
ID (authzid == NULL), slap_sasl_authorize() does not call
slap_sasl_authorized(). But slap_sasl_authorized() is the only place where
the "saslregexp" definitions in slapd.conf are tested so in this case
no rewriting takes place.

This breaks group-based ACLs since the 'member' attributes contain full DNs,
not just 'UID=authcid' values.

Gabor
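The effect described in the report, as an added illustration that is not part of the original ITS submission and is not OpenLDAP's code: a small Python model of the authcid-to-DN rewriting step followed by a group ACL check. The saslregexp-style rule, the `ou=people,dc=example,dc=com` suffix, the group entry and the SASL authcid form are all constructed for the example, and the behaviour with an authzid present is deliberately simplified to the case where both identities map to the same DN. Running it with the mapping skipped (the reported behaviour when no authzid is sent) leaves the bind identity as the raw SASL string, so it never equals any 'member' DN and the group ACL denies; with the mapping always applied, the same bind resolves to the full DN and the check succeeds.

```python
import re

# Constructed rule in the spirit of a slapd.conf "saslregexp <match> <replace>"
# line; the pattern shape and the ou=people suffix are assumptions for this example.
SASL_REGEXP_RULES = [
    (r"^uid=([^,]+),cn=[^,]+,cn=auth$", r"uid=\1,ou=people,dc=example,dc=com"),
]

# Constructed group entry: 'member' values are full DNs, as the report notes.
ADMIN_GROUP_MEMBERS = ["uid=gabor,ou=people,dc=example,dc=com"]


def normalize_dn(dn):
    """Minimal DN normalization for comparison: case-fold and trim around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def authcid_to_dn(authcid):
    """Rewrite a SASL identity through the first matching rule; unchanged if none match."""
    for pattern, replacement in SASL_REGEXP_RULES:
        dn, count = re.subn(pattern, replacement, authcid, flags=re.IGNORECASE)
        if count:
            return dn
    return authcid


def resolve_bind_dn(authcid, authzid, map_without_authzid):
    """Model of which identity a SASL bind ends up with.

    map_without_authzid=False reproduces the reported behaviour: with no
    authzid from the client the regexp step is skipped and the raw SASL
    authcid becomes the bind identity. map_without_authzid=True always maps.
    With an authzid present this toy model only permits the trivial case
    where both identities map to the same DN; real proxy-authorization
    policy is out of scope here.
    """
    if authzid is None:
        return authcid_to_dn(authcid) if map_without_authzid else authcid
    auth_dn = authcid_to_dn(authcid)
    authz_dn = authcid_to_dn(authzid)
    if normalize_dn(auth_dn) != normalize_dn(authz_dn):
        raise PermissionError("authzid not permitted for this authcid")
    return authz_dn


def group_acl_allows(bind_dn, members=ADMIN_GROUP_MEMBERS):
    """Group-based ACL check: the bind DN must equal one of the 'member' DNs."""
    wanted = normalize_dn(bind_dn)
    return any(normalize_dn(m) == wanted for m in members)


def check_access(authcid, authzid=None, map_without_authzid=True):
    """Return (bind_dn, allowed) for one SASL bind followed by the group ACL check."""
    bind_dn = resolve_bind_dn(authcid, authzid, map_without_authzid)
    return bind_dn, group_acl_allows(bind_dn)


if __name__ == "__main__":
    authcid = "uid=gabor,cn=digest-md5,cn=auth"  # constructed SASL authcid form
    for mode in (False, True):
        dn, ok = check_access(authcid, None, map_without_authzid=mode)
        state = "applied" if mode else "skipped"
        verdict = "allowed" if ok else "denied"
        print(f"mapping {state}: bind identity {dn!r} -> group ACL {verdict}")
```

The comparison in `group_acl_allows` is the whole point: a 'member' value is a DN, so unless the authcid has been rewritten into DN form before the ACL is evaluated, no string the SASL layer produces can ever match it.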