
ACLs not quite followed when a PreBind plugin is involved (ITS#2914)



Full_Name: Darin Broady
Version: 2.2.4
OS: Irix 6.5.19m & Solaris 8
URL: ftp://ftp.openldap.org/incoming/DarinBroady-040109.patch
Submission from: (NULL) (192.146.101.11)


I have written a PreBind plugin that will allow us to use native Solaris LDAP
pam_ldap with our OpenLDAP server.  Everything was going well until I put in an
ACL that denied access to the server through the following:

access to dn.exact="cn=testing,o=dept,c=us" attrs=userPassword
     by * none

With my PreBind plugin disabled (ie. not loaded into the executable), I found
that this ACL worked as I expected.  However, with my PreBind plugin included, I
found that this ACL was not being adhered to.  Knowing that this was an access
problem, I looked through the SLAPI API to find out if there was a function that
I could use to test AUTH access to the userPassword attribute.  I found the
slapi_access_allowed function, but it only gives the ability to look at compare,
search, read, & write access.  I could not find a function in the SLAPI API that
allows a plugin to check for AUTH access, which means that a PreBind plugin can
inadvertently subvert the ACLs.

I have a small patch that can fix it.  What it does is make an AUTH-test call to
access_allowed() on the userPassword attribute of the DN binding just before the
PRE_BIND plugins are called.  This should make it so that all PRE_BIND plugins
can not subvert the ACLs, at least for the userPassword attribute.  I have
tested the patch and it works great for us.
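The following is an added, illustrative Python model of the issue and of the fix described in this report; it is not OpenLDAP code, and the directory entries, ACL representation and simplified access_allowed()/pre-bind hook names are constructed stand-ins for slapd's internals.

```python
"""Model of ITS#2914: a PRE_BIND plugin that verifies passwords itself never
consults slapd's ACL engine, so "by * none" on userPassword is bypassed.
The fix requires AUTH access to userPassword before the plugin runs."""
from dataclasses import dataclass

# slapd access levels in increasing order of privilege (2.2-era set)
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Acl:
    dn_exact: str   # target, as in access to dn.exact="..."
    attrs: set      # attribute names covered by attrs=
    level: str      # level granted to everyone, as in "by * <level>"


def access_allowed(acls, dn, attr, wanted):
    """First matching ACL decides; with no match slapd's default grants read."""
    for acl in acls:
        if acl.dn_exact.lower() == dn.lower() and attr in acl.attrs:
            return LEVELS.index(acl.level) >= LEVELS.index(wanted)
    return LEVELS.index("read") >= LEVELS.index(wanted)


def prebind_plugin(directory, dn, password):
    """Stand-in for the reporter's PreBind plugin: checks the stored
    userPassword directly and never asks the ACL engine (the bug)."""
    entry = directory.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def do_bind(directory, acls, dn, password, patched):
    """Bind dispatch. With patched=True the server performs the AUTH test on
    userPassword before calling PRE_BIND plugins, as the submitted patch does."""
    if patched and not access_allowed(acls, dn, "userPassword", "auth"):
        return "invalidCredentials"
    ok = prebind_plugin(directory, dn, password)
    return "success" if ok else "invalidCredentials"


# Constructed sample directory and the ACL quoted in the report
DIRECTORY = {
    "cn=testing,o=dept,c=us": {"userPassword": ["secret"]},
    "cn=alice,o=dept,c=us": {"userPassword": ["wonder"]},
}
ACLS = [Acl("cn=testing,o=dept,c=us", {"userPassword"}, "none")]

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched",
              do_bind(DIRECTORY, ACLS, "cn=testing,o=dept,c=us", "secret", patched))
```

Unpatched, the bind for cn=testing succeeds despite the ACL; patched, it is refused while entries not covered by the ACL still bind normally.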