[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL bind: no authcid->DN conversion - group ACLs do not work (ITS#891)

Full_Name: Gabor Gombas
Version: 2.x-devel
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


It seems that there is a bug in the SASL authentication process: in
servers/slapd/sasl.c, when the client did not provide an authorization
ID (authzid == NULL), slap_sasl_authorize() does not call
slap_sasl_authorized(). But slap_sasl_authorized() is the only place where
the "saslregexp" definitions in slapd.conf are tested so in this case
no rewriting takes place.

This breaks group-based ALCs since the 'member' attributes contain full DNs,
not just 'UID=authcid' values.