[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: proxy control does not verify existance of sasl-regex resulting dn (ITS#2965)

> On Thu, 12 Feb 2004, Pierangelo Masarati wrote:
>> > Full_Name: Igor Brezac
>> > Version: OPENLDAP_REL_ENG_2_1
>> > OS: Solaris 9
>> > URL: ftp://ftp.openldap.org/incoming/
>> > Submission from: (NULL) (
>> >
>> >
>> > Consider the following example:
>> >
>> > $ ldapwhoami -U igor -e '!authzid=u:adfasd'
>> > SASL/DIGEST-MD5 authentication started
>> > Please enter your password:
>> > SASL username: igor
>> > SASL SSF: 128
>> > SASL installing layers
>> > dn:cn=adfasd,ou=people,o=pb
>> >
>> > Where cn=adfasd,ou=people,o=pb does not exist and adfasd is a not a
>> valid id.
>> how did you set the sasl-authz-policy
>> and what's the saslAuthzTo in "igor"'s
>> entry?
> saslAuthzTo: cn=.*

I suspect this is a "feature"; we need to be able to authz
to users outside a single DSA's naming context, so, if you accept
that saslAuthzTo can map to whatever identity, you implicitly
accept authz'ing to non-existing users.  This is a(n undesirable)
side effect of using a broad saslAuthzTo.

Maybe it can be fixed by adding mure strict requirements on the
existence of the authz'd identity, at least if its naming context
is inside the directory; draft-weltman-ldapv3-proxy does not
state anything about the existence or validity of the above
identity; as a consequence, it is the responsibility of those who
set "saslAuthzTo" to ensure it does not allow invalid identities
to be assigned.  The importance of protecting it from unadvertent
or malicious setting is noted in the docs, at least in slapd.conf(5).


Pierangelo Masarati