[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd gets into a spin when using {SASL} password scheme (ITS#3048

> On further reflection, this callback probably should never have been here in
> the first place. I vaguely recall the question arising on -devel a long time
> ago but I can't locate the thread at the moment. The sasl_checkpass function
> is only called for a plaintext authentication. The only possibility for that
> is doing a Simple Bind with {SASL} or doing a SASL Bind with PLAIN. In the
> Simple Bind case, we really have nothing to do here. In the SASL Bind case,
> the slapd auxprop should take care of it. I think the fix is to delete the
> slap_sasl_checkpass function and its associated code.

I'll also note that even for SASL/PLAIN, slap_sasl_checkpass() buys you
nothing unless the access control lists allow anonymous searches for
whatever part of the directory space the `sasl-regexp' evaluates to,
since at this stage the connection is still (or again) necessarily