(ITS#4744) Bug in SASL authzTo validation using an ldap:// rule

Full_Name: Sylvain Viollon
Version: 2.3
OS: FreeBSD 5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I have a directory with some users in the ou=people,dc=pilotsystems,dc=net branch,
having a custom class krbUser, and a user (cn=auth,dc=pilotsystems,dc=net)
having the following attribute:

authzTo: ldap:///ou=people,dc=pilotsystems,dc=net??sub?(objectClass=krbUser)

He can successfully authenticate, but cannot become a user listed by the search
(with PROXYAUTHZ). Running slapd in debug mode I saw that he can only become the
last user returned by the search.

In the source, I read the file 'servers/slapd/saslauthz.c'. The filter
'sasl_sc_smatch' says whether the wanted user is in the search result. In this
function, there is a test:

        if ( sm->match == 1 ) {
                sm->match = -1;
                return 0;
        }

I have removed the line :

                sm->match = -1;

which makes the match fail if there is an entry in the search result after the
good one. Since every DN has to be unique, there is no multiple solution, and
validation would not be discarded for that. I don't know if it's a good
solution, but it works.

OpenLDAP 2.2 and 2.4 seem to have the same problem.
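The following is an added example, not code from OpenLDAP or from the reporter: it models the state transition quoted above from the sasl_sc_smatch callback on an in-memory result set, so the behaviour described in the report (only the last entry returned by the authzTo URL search can be assumed) can be reproduced without a running slapd. The type and function names (smatch_info, entry_cb, authz_dn_in_result, smatch_as_reported, smatch_without_reset) and the three krbUser DNs are simplified stand-ins chosen for this example; slapd's real callback receives a SlapReply, compares normalized DNs with dn_match(), and may stop the search early, none of which is modelled here.

```c
/*
 * Added example, not OpenLDAP code.  Models the smatch callback logic
 * quoted from servers/slapd/saslauthz.c over a constructed result set.
 * Names below are hypothetical stand-ins, not slapd's API.
 */
#include <stdio.h>
#include <string.h>

typedef struct smatch_info {
    const char *dn;   /* DN the bound user wants to assume (assumed already normalized) */
    int match;        /* 0 = not seen yet, 1 = found, -1 = invalidated */
} smatch_info;

enum reply_type { REP_SEARCH_ENTRY, REP_SEARCH_DONE };

typedef int (*entry_cb)(smatch_info *, enum reply_type, const char *);

/* Callback as quoted in the report: once a match has been recorded, any
 * further entry delivered by the search flips match to -1. */
static int smatch_as_reported(smatch_info *sm, enum reply_type t, const char *entry_dn)
{
    if (t != REP_SEARCH_ENTRY) return 0;
    if (sm->match == 1) {
        sm->match = -1;          /* a later entry poisons the earlier hit */
        return 0;
    }
    if (strcmp(sm->dn, entry_dn) == 0)   /* stand-in for dn_match() */
        sm->match = 1;
    return 0;
}

/* The same callback with the `sm->match = -1;` line removed, as the reporter did. */
static int smatch_without_reset(smatch_info *sm, enum reply_type t, const char *entry_dn)
{
    if (t != REP_SEARCH_ENTRY) return 0;
    if (sm->match == 1)
        return 0;                /* already found; later entries change nothing */
    if (strcmp(sm->dn, entry_dn) == 0)
        sm->match = 1;
    return 0;
}

/* Feed every entry the authzTo URL search returned to the callback, then
 * the final "done" reply.  Returns 1 if want_dn is accepted, 0 otherwise. */
static int authz_dn_in_result(entry_cb cb, const char *want_dn,
                              const char *const *entries, size_t n)
{
    smatch_info sm = { want_dn, 0 };
    size_t i;
    for (i = 0; i < n; i++)
        cb(&sm, REP_SEARCH_ENTRY, entries[i]);
    cb(&sm, REP_SEARCH_DONE, NULL);
    return sm.match == 1;
}

/* Constructed result set standing in for
 * ldap:///ou=people,dc=pilotsystems,dc=net??sub?(objectClass=krbUser) */
static const char *const krb_users[] = {
    "uid=alice,ou=people,dc=pilotsystems,dc=net",
    "uid=bob,ou=people,dc=pilotsystems,dc=net",
    "uid=carol,ou=people,dc=pilotsystems,dc=net",
};
#define N_KRB_USERS (sizeof krb_users / sizeof krb_users[0])

int main(void)
{
    size_t i;
    for (i = 0; i < N_KRB_USERS; i++)
        printf("%-45s reported=%d without_reset=%d\n", krb_users[i],
               authz_dn_in_result(smatch_as_reported, krb_users[i], krb_users, N_KRB_USERS),
               authz_dn_in_result(smatch_without_reset, krb_users[i], krb_users, N_KRB_USERS));
    return 0;
}
```

Run as is: with the quoted logic only uid=carol (the last entry) is accepted, while with the reset line removed all three DNs in the set are accepted and a DN outside the set is still refused. The example deliberately delivers every entry to the callback, which is what the reporter observed in debug mode; whether slapd's real search honours an early stop from the callback is not something this report shows.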