Re: (ITS#5195) ssf not available during sasl bind
russell-openldap@stuart.id.au wrote:
> I am trying to insist that connections during sasl auth operations are
> encrypted. I.e., that this works:
>
> access to attrs=userPassword
> by tls_ssf=128 ssf=128 anonymous auth
> by * none
>
> It does work for a simple bind. But for a sasl bind it fails, and this telltale
> appears in the log:
>
> slapd[26499]: <= check a_authz.sai_ssf: ACL 128 > OP 0
>
> I fixed the issue using this patch, which applies to 2.4.5, 2.3.38 and 2.3.30:
I suppose that may be a legitimate bug, but this isn't really the correct fix.
slap_auxprop_lookup is doing an internal search, so there is no network to
speak of. In SSF terms it would have an SSF of "infinity".
> diff -Nur openldap2.3-2.3.30/servers/slapd/sasl.c
> openldap2.3-2.3.30.new/servers/slapd/sasl.c
> --- openldap2.3-2.3.30/servers/slapd/sasl.c 2007-10-19 15:27:53.000000000
> +1000
> +++ openldap2.3-2.3.30.new/servers/slapd/sasl.c 2007-10-19 15:29:18.000000000
> +1000
> @@ -384,6 +384,7 @@
> op.ors_slimit = 1;
> op.ors_filter = &generic_filter;
> op.ors_filterstr = generic_filterstr;
> + op.o_authz = conn->c_authz;
> /* FIXME: we want all attributes, right? */
> op.ors_attrs = NULL;
>
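Review bot: the added `op.o_authz = conn->c_authz;` makes the internal auxprop search carry the client connection's authorization state, so the `a_authz.sai_ssf` comparison from the log only passes when the connection itself is encrypted at the required strength; the search never leaves the process, however, so the reply above is right that this op should instead be given a maximal (effectively infinite) SSF rather than inheriting the connection's. Note also that the struct assignment copies every member of c_authz, not only the SSF fields, so the internal search would run with the connection's other authorization attributes as well; if the intent is to keep the connection's values, copy just the SSF members instead of the whole struct.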
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/