slap_sasl_checkpass - why?

["Howard Chu" <hyc@highlandsun.com>]

Still staring at the SASL 2 code in slapd/sasl.c ... The slap_sasl_checkpass
function doesn't make a lot of sense to me. The checkpass callback is only
used when SASL is validating a plaintext password. In the context of slapd,
this can only happen when someone performs a simple bind, and their
userPassword attribute contains "{SASL}my-username". So, we've already
specified a valid LDAP DN, looked it up, and found that its password should
be retrieved from SASL. Now we're going to take that SASL username, and ask
it to be transformed into a valid LDAP DN, look for that DN's userPassword
attribute, and try to validate the given credentials.

   ????

If you want to do a simple bind, why not just stick the actual password in
your userPassword attribute in the first place?

I suppose another way to look at it is a way to allow someone else to login
to your account using their plaintext password. Is this really a good
feature to support? (i.e., I set my LDAP entry's userPassword to include the
value {SASL}dn:someone-elses-DN and then that other DN's password becomes
valid for binding to my DN.) It's somewhat the opposite of SASL
authorization, where you bind with your own password and then operate as
someone else. Seems like a potential security hole to me, but I guess you
have to go out of your way to screw yourself with it.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support