
Re: SASL bind: no authcid->DN conversion - group ACLs do not work (ITS#891)

On Tue, 14 Nov 2000 gombasg@inf.elte.hu wrote:

> Full_Name: Gabor Gombas
> 
> It seems that there is a bug in the SASL authentication process: in
> servers/slapd/sasl.c, when the client did not provide an authorization
> ID (authzid == NULL), slap_sasl_authorize() does not call
> slap_sasl_authorized(). But slap_sasl_authorized() is the only place where
> the "saslregexp" definitions in slapd.conf are tested so in this case
> no rewriting takes place.
> 
> This breaks group-based ACLs since the 'member' attributes contain full DNs,
> not just 'UID=authcid' values.
> 

ACLs and member values can refer to names in the SASL namespace; they do
not have to be DNs. Run slapd with -d385 and watch what SASL name the
connection is bound as, and again in the ACL search output. Granted, this
may not be what you're looking for.

I was just talking to Kurt this week about having people authorize as
themselves. That is, can someone use -X <DN>, where <DN> is the DN that the
SASL regexp code would have converted their SASL name to? The answer is
yes: people should always be able to authorize to the DN that matches
their SASL name. The entry for that DN would not need a saslAuthzFrom attr
to allow that specific case.

I will not be able to write, test, and upload this feature this week, but I
would like to do so next. Then your people would be able to use -X similar
to how they would have used -D.


  -Mark Adamson
   Carnegie Mellon
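To make the two positions in this thread concrete, here is an added Python model of the identity mapping under discussion; it is not slapd's code and not part of the original thread. It assumes a SASL-namespace name of the form uid=<authcid>,cn=<mech>,cn=auth, saslRegexp-style rules as ordered (pattern, replacement) pairs, and constructed sample DNs under dc=example,dc=com. The model shows why the reported behaviour breaks a group ACL whose member values are full DNs (the bind identity stays in the SASL namespace and never matches), and why Mark's observation holds: a member value written in the SASL namespace matches even when no rewrite happens.

```python
import re

# Constructed sample data, not taken from the report: an ordered list of
# saslRegexp-style (pattern, replacement) rules and one group entry whose
# 'member' values are full DNs.
SASL_REGEXP_RULES = [
    (r"uid=([^,]+),cn=digest-md5,cn=auth", r"uid=\1,ou=people,dc=example,dc=com"),
]

GROUP_MEMBERS = {
    "cn=admins,ou=groups,dc=example,dc=com": {"uid=gabor,ou=people,dc=example,dc=com"},
}


def normalize_dn(dn):
    """Case-fold and strip blanks around commas; sufficient for this model."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def sasl_name_for(authcid, mech):
    """SASL-namespace name of an authenticated user (assumed uid=...,cn=<mech>,cn=auth form)."""
    return f"uid={authcid},cn={mech.lower()},cn=auth"


def map_sasl_name(name, rules=SASL_REGEXP_RULES):
    """Apply the first matching regexp rule; an unmatched name is returned unchanged."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, name, flags=re.IGNORECASE)
        if m:
            return m.expand(replacement)
    return name


def bound_name(authcid, mech, authzid=None, rewrite_without_authzid=True):
    """Identity the connection ends up bound as.

    rewrite_without_authzid=False models the behaviour the report describes:
    the regexp rewrite is skipped entirely when the client sent no authzid.
    """
    if authzid is not None:
        # The client asked to act as authzid; the rewrite rules are applied to it.
        # Whether authcid is permitted to assume it is a separate check, not modelled here.
        return map_sasl_name(authzid)
    sasl_name = sasl_name_for(authcid, mech)
    if not rewrite_without_authzid:
        return sasl_name
    return map_sasl_name(sasl_name)


def group_allows(group_dn, bound, members=GROUP_MEMBERS):
    """Group-based ACL check: is the bound identity listed as a member of the group?"""
    wanted = normalize_dn(bound)
    return any(normalize_dn(m) == wanted for m in members.get(group_dn, ()))


def demo():
    """Compare the rewritten and non-rewritten bind identities against the same group ACL."""
    admins = "cn=admins,ou=groups,dc=example,dc=com"
    rewritten = bound_name("gabor", "DIGEST-MD5")
    unrewritten = bound_name("gabor", "DIGEST-MD5", rewrite_without_authzid=False)
    # Mark's point: a member value in the SASL namespace matches without any rewrite.
    sasl_members = {admins: {sasl_name_for("gabor", "DIGEST-MD5")}}
    return {
        "rewritten": (rewritten, group_allows(admins, rewritten)),
        "unrewritten": (unrewritten, group_allows(admins, unrewritten)),
        "unrewritten_with_sasl_member": group_allows(admins, unrewritten, sasl_members),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running the module prints the rewritten identity matching the DN-based group and the non-rewritten one failing it, while the SASL-namespace member value matches in either case. The practical lesson for anyone maintaining such ACLs is that group membership must be expressed in whichever namespace the bind actually ends up in, and that a mapping step that runs only on some code paths turns into an authorization failure rather than a bypass only because the group lists DNs the unmapped name cannot equal.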