[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL, slapd internal searches

To: "'Kurt D. Zeilenga'" <Kurt@OpenLDAP.org>, "'Igor Brezac'" <igor@ipass.net>
Subject: RE: SASL, slapd internal searches
From: "Howard Chu" <hyc@highlandsun.com>
Date: Sat, 8 Mar 2003 16:46:15 -0800
Cc: "'Pierangelo Masarati'" <ando@sys-net.it>, <openldap-devel@OpenLDAP.org>
Importance: Normal
In-reply-to: <5.2.0.9.0.20030308085242.024def80@127.0.0.1>

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> At 08:25 AM 3/8/2003, Igor Brezac wrote:

> >> I did not study your changes; however, I think you should ensure
> >> that authz code does have the necessary auth permissions, such
> >> that an administrator is given the possibility to control how
> >> the auth/authz process takes place, and to inhibit some forms of
> >> it by means of ACL.  I think this is the spirit of the auth
> >> permission level.

> >It is important that ACLs be applied to the resulting DN of
> the internal
> >search. However, saslauthz is more complicated than
> sasl-regex because
> >sasl-regex is setup by the administrator; on the other hand
> saslAuthz*
> >attribs are normally managed by users.  If a root-privileged
> operations
> >are allowed, saslAuthzTo can easily be abused.  I wonder if a special
> >saslAuthz acl can be implemented?

The docs already recommend that saslAuthzTo only be writable by privileged
users. The easiest thing to do is "access to attr=saslAuthzTo by * auth" and
only let the rootDN write it.
>
> The internal authentication/authorization searching, as with all
> other authentication/authorization access, should be done anonymously
> but require "auth" not "search"/"read".  This allows the administrator
> have complete control over which values in the directory are to be
> used for authentication/authorization purposes.

Yes. Where specific values are requested, such as slap_sasl_checkpass, AUTH
access is explicitly checked. This is not the issue though; the problem is
that a normal backend search is done in the first place, and this search
requires anonymous SEARCH access in order to locate any entry. Additionally,
when evaluating a search in a sasl-regexp map, test_filter() requires SEARCH
access to each of the attributes in the filter. Since these searches are
administrative, configured by the admin in the first place, I believe they
should always be unrestricted. Otherwise it requires you to set ACLs that
give anonymous SEARCH access to entries and various attributes.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Follow-Ups:
- RE: SASL, slapd internal searches
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- Re: SASL, slapd internal searches
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: SASL, slapd internal searches
Next by Date: RE: SASL, slapd internal searches
Index(es):
- Chronological
- Thread