
Re: ACLs not quite followed when a PreBind plugin is involved (ITS#2914)



At 08:18 AM 1/9/2004, dsbroa0@aol.com wrote:
>Full_Name: Darin Broady
>Version: 2.2.4
>OS: Irix 6.5.19m & Solaris 8
>URL: ftp://ftp.openldap.org/incoming/DarinBroady-040109.patch
>Submission from: (NULL) (192.146.101.11)
>
>
>I have written a PreBind plugin that will allow us to use native Solaris LDAP
>pam_ldap with our OpenLDAP server.  Everything was going well until I put in an
>ACL that denied access to the server through the following:
>
>access to dn.exact="cn=testing,o=dept,c=us" attrs=userPassword
>     by * none
>
>With my PreBind plugin disabled (ie. not loaded into the executable), I found
>that this ACL worked as I expected.  However, with my PreBind plugin included, I
>found that this ACL was not being adhered to.  Knowing that this was an access
>problem, I looked through the SLAPI API to find out if there was a function that
>I could use to test AUTH access to the userPassword attribute.  I found the
>slapi_access_allowed function, but it only gives the ability to look at compare,
>search, read, & write access.

As SLAPI follows the Netscape access model, you just call slapi_access_allowed()
for compare.  (Maybe slapi_access_allowed() could be modified to map compare
to auth when called from a bind operation, but not knowing SLAPI internals, I'll
leave that to someone else to consider.)

>I could not find a function in the SLAPI API that
>allows a plugin to check for AUTH access, which means that a PreBind plugin can
>inadvertently subvert the ACLs.
>
>I have a small patch that can fix it.  What it does is make an AUTH-test call to
>access_allowed() on the userPassword attribute of the DN binding just before the
>PRE_BIND plugins are called.

This is inappropriate.  slapd(8) shouldn't do much before a pre-operation
plugin.  (It's called pre- because it comes before slapd(8) does its work.)

Also, I note, the assumption that the password is held in userPassword is
flawed.

>This should make it so that all PRE_BIND plugins
>can not subvert the ACLs, at least for the userPassword attribute.  I have
>tested the patch and it works great for us.