SASL bind: no authcid->DN conversion - group ACLs do not work (ITS#891)
Full_Name: Gabor Gombas
OS: AIX 22.214.171.124
Submission from: (NULL) (126.96.36.199)
It seems that there is a bug in the SASL authentication process: in
servers/slapd/sasl.c, when the client did not provide an authorization
ID (authzid == NULL), slap_sasl_authorize() does not call
slap_sasl_authorized(). But slap_sasl_authorized() is the only place where
the "saslregexp" definitions in slapd.conf are tested, so in this case
no rewriting takes place.
This breaks group-based ACLs since the 'member' attributes contain full DNs,
not just 'UID=authcid' values.
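
The failure mode described in this report, modelled as an added example (not code from the report or from OpenLDAP): a bind identity of the form `uid=<authcid>` only matches a group's `member` values after a regex rewrite into a full DN. The pattern, the replacement, the group members and all function names are constructed for illustration, and the single `$1` substitution is a simplification of what a saslregexp rule does.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample data: a hypothetical rewrite rule and group. */
static const char *PATTERN = "^uid=([^,]+)$";
static const char *REPLACE = "uid=$1,ou=people,dc=example,dc=com";
static const char *GROUP_MEMBERS[] = {
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
};

/* Rewrite a SASL-derived name into a directory DN.
 * Returns 1 if rewritten, 0 if copied unchanged, -1 on regex error. */
int map_sasl_name(const char *in, char *out, size_t outlen) {
    regex_t re;
    regmatch_t m[2];
    if (regcomp(&re, PATTERN, REG_EXTENDED | REG_ICASE) != 0) return -1;
    int rc = regexec(&re, in, 2, m, 0);
    regfree(&re);
    if (rc != 0) { snprintf(out, outlen, "%s", in); return 0; }
    const char *hole = strstr(REPLACE, "$1");  /* REPLACE always contains $1 */
    snprintf(out, outlen, "%.*s%.*s%s", (int)(hole - REPLACE), REPLACE,
             (int)(m[1].rm_eo - m[1].rm_so), in + m[1].rm_so, hole + 2);
    return 1;
}

/* Group ACL check: the bound DN must equal a full 'member' DN. */
int is_group_member(const char *dn) {
    for (size_t i = 0; i < sizeof GROUP_MEMBERS / sizeof *GROUP_MEMBERS; i++)
        if (strcasecmp(dn, GROUP_MEMBERS[i]) == 0) return 1;
    return 0;
}

/* apply_mapping = 0 models the reported case (no authzid, rewrite skipped). */
int bind_and_check_group(const char *authcid, int apply_mapping) {
    char sasl_name[256], dn[512];
    snprintf(sasl_name, sizeof sasl_name, "uid=%s", authcid);
    if (apply_mapping) map_sasl_name(sasl_name, dn, sizeof dn);
    else snprintf(dn, sizeof dn, "%s", sasl_name);
    return is_group_member(dn);
}

int main(void) {
    printf("rewrite skipped: member=%d\n", bind_and_check_group("alice", 0));
    printf("rewrite applied: member=%d\n", bind_and_check_group("alice", 1));
    return 0;
}
```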