Re: slapd exits on processing malformed saslAuthzTo attribute (ITS#3077)
> Full_Name: Michael Glasson
> Version: 2.2.7
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (220.127.116.11)
> slapd exits when processing a saslAuthzTo attribute which is not
> formatted correctly.
> A saslAuthzTo like "uid=mg,ou=person,dc=mynym,dc=net" is processed as
> you would expect, allowing the authentication id to authorize as the
> target entry.
> A saslAuthzTo like "dn.regex:uid=.*,ou=person,dc=mynym,dc=net" is also
> processed as you would expect, allowing the authentication id to
> authorize as an entry in the target subtree.
> A saslAuthzTo like "dn.subtree:ou=person,dc=mynym,dc=net" causes slapd
> to exit immediately.
This should be legal as of 2.2.7.
> I understand that saslAuthzTo entries of forms other than "dn.regex:..."
> may not be supported, but I do not imagine that slapd should die when it
> processes an unsupported saslAuthzTo.
Can you provide more information? A debug log at the highest level
concerning the authorization phase should help; unless the program
terminates on an assertion, a stack backtrace would also be of help.