
RE: proxy control does not verify existence of sasl-regex resulting dn (ITS#2965)

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of ando@sys-net.it

> I suspect this is a "feature"; we need to be able to authz
> to users outside a single DSA's naming context, so, if you accept
> that saslAuthzTo can map to whatever identity, you implicitly
> accept authz'ing to non-existing users.

Yes.

> This is a(n undesirable) side effect of using a broad saslAuthzTo.
>
> Maybe it can be fixed by adding more strict requirements on the
> existence of the authz'd identity, at least if its naming context
> is inside the directory; draft-weltman-ldapv3-proxy does not
> state anything about the existence or validity of the above
> identity; as a consequence, it is the responsibility of those who
> set "saslAuthzTo" to ensure it does not allow invalid identities
> to be assigned.  The importance of protecting it from inadvertent
> or malicious setting is noted in the docs, at least in slapd.conf(5).

It is vital that saslAuthzTo be protected, i.e. such that only properly
privileged administrators can set the value. And of course the administrator
should take care that the values are suitable for the user in question. But I
don't see much harm in allowing nonexistent users to be specified. E.g. it
isn't likely that a nonexistent user will be named in ACL clauses, therefore
there's not much security exposure here.

I don't see this as broken...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
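As an added illustration of the two points above (not part of the thread, and not OpenLDAP's own configuration): a slapd.conf fragment that maps SASL identities into the directory and restricts who may write the authorization attribute. Directive and attribute names use the current slapd.conf(5) spellings (authz-regexp, authz-policy, authzTo) rather than the sasl-regexp / saslAuthzTo names of the 2.2-era discussion; the admin DN and the dc=example,dc=com tree are made up.

```conf
# Added example, not from the thread. Assumed names: cn=admin,dc=example,dc=com
# and ou=people,dc=example,dc=com.

# Map a SASL identity to a DN inside the directory (the "sasl-regex" of the
# subject line). Only identities matched under ou=people resolve; the mapping
# itself does not guarantee the resulting entry exists.
authz-regexp
    "^uid=([^,]+),cn=[^,]+,cn=auth$"
    "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

# Honour proxy authorization only where the *source* entry grants it
# through its own authzTo values.
authz-policy to

# The reply's main point: only properly privileged administrators may set
# the value. Nobody else, the entry owner included, gets write access, so a
# compromised ordinary account cannot widen its own authorization set.
# Keeping each authzTo value narrow (an exact DN rather than a broad regex)
# is what limits the "nonexistent user" side effect discussed above.
access to attrs=authzTo
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# Ordinary access rules for the rest of the tree.
access to *
    by self write
    by users read
    by * none
```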