Re: (ITS#4744) Bug in SASL authzTo validation using an ldap:// rule
ando@sys-net.it wrote:
> sylvain@pilotsystems.net wrote:
>> Full_Name: Sylvain Viollon
>> Version: 2.3
>> OS: FreeBSD 5
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (83.204.228.114)
>>
>> I have a directory with some users in the ou=people,dc=pilotsystems,dc=net branch,
>> having a custom class krbUser; and a user (cn=auth,dc=pilotsystems,dc=net)
>> having the following attribute:
>>
>> authzTo: ldap:///ou=people,dc=pilotsystems,dc=net??sub?(objectClass=krbUser)
>>
>> He can successfully authenticate, but cannot become a user listed by the search
>> (with PROXYAUTHZ). Running slapd in debug mode I saw that he can only become the
>> last user returned by the search.
>>
>> In the source, I read the file 'servers/slapd/saslauthz.c'. The filter
>> 'sasl_sc_smatch' says whether the wanted user is in the search result. In this
>> function, there is a test:
>>
>>     if ( sm->match == 1 ) {
>>         sm->match = -1;
>>         return 0;
>>     }
>>
>> I have removed the line:
>>
>>         sm->match = -1;
>>
>> which makes the match fail if there is an entry in the search result after the
>> good one. Since every DN has to be unique, there is no multiple solution, and
>> validation would not be discarded for that. I don't know if it's a good
>> solution, but it works.
>>
> As far as I remember, that test is intended to prevent mapping when the
> search returns more than one entry. This makes perfect sense,
> otherwise a SASL identity (or an authorization identity) would be
> arbitrarily mapped to one of the matching entries. So mapping is
> intended to succeed if and only if exactly one identity can be resolved.
That test is only supposed to prevent mapping when doing an authzRegexp
mapping of a single SASL userID to a DN. When looking up
authzFrom/authzTo it is supposed to allow multiple results.
Interestingly, it looks like slap_sasl_match isn't even used for
authzRegexp mapping any more. Something is definitely broken here.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
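The thread turns on two different questions a search-based authorization rule can ask of its result set: "does exactly one entry come back, so it is safe to map a SASL user ID to it" (the authzRegexp case) versus "does the identity being requested appear anywhere in the set" (the authzTo/authzFrom case). The following is an added example, not code from OpenLDAP or from either poster; it models a per-entry search callback in plain C so the two policies can be run against the same constructed result set. `cb_reported` reproduces the shape of the test quoted in the report (once a match has been seen, the next entry flips the result to -1); `cb_member` and `cb_unique` are hypothetical callbacks for the two intended semantics. The struct, the callback names and the DNs are all assumptions made for the illustration; slapd's real `sasl_sc_smatch` takes an `Operation` and a `SlapReply`, not these arguments.

```c
#include <stdio.h>
#include <string.h>

/* Constructed state for the callback; loosely modelled on the smatch_info
 * the report refers to, but not slapd's own structure. */
typedef struct smatch_info {
    const char *want_dn;  /* normalised DN the client asks to authorize as */
    int seen;             /* entries delivered by the search so far */
    int match;            /* 1 = satisfied, 0 = undecided, -1 = refused */
} smatch_info;

/* One call per search result entry (REP_SEARCH in slapd terms). */
typedef void (*smatch_cb)(smatch_info *sm, const char *entry_dn);

/* Variant A: the test quoted in the bug report. After the wanted DN has
 * been matched, any further entry resets the result to -1, so the rule
 * only succeeds when the wanted DN is the last entry the search returns. */
static void cb_reported(smatch_info *sm, const char *entry_dn)
{
    sm->seen++;
    if (sm->match == 1) {
        sm->match = -1;   /* the line the reporter removed */
        return;
    }
    if (strcmp(sm->want_dn, entry_dn) == 0)
        sm->match = 1;
}

/* Variant B: membership semantics (authzTo / authzFrom). The rule holds if
 * the wanted DN appears anywhere in the result set; later entries cannot
 * undo a match, however many the URL returns. */
static void cb_member(smatch_info *sm, const char *entry_dn)
{
    sm->seen++;
    if (sm->match != 1 && strcmp(sm->want_dn, entry_dn) == 0)
        sm->match = 1;
}

/* Variant C: uniqueness semantics (authzRegexp-style mapping of one SASL
 * user ID to one DN). A second entry of any kind makes the mapping
 * ambiguous, so it is refused rather than picking one arbitrarily. */
static void cb_unique(smatch_info *sm, const char *entry_dn)
{
    sm->seen++;
    if (sm->seen > 1) {
        sm->match = -1;
        return;
    }
    sm->match = (strcmp(sm->want_dn, entry_dn) == 0) ? 1 : -1;
}

/* Feed a result set through a callback; 1 means "authorization allowed". */
int evaluate_rule(smatch_cb cb, const char *want_dn,
                  const char *const *results, int n)
{
    smatch_info sm = { want_dn, 0, 0 };
    for (int i = 0; i < n; i++)
        cb(&sm, results[i]);
    return sm.match == 1;
}

/* Constructed result set, in the order a subtree search might return it. */
static const char *const people[] = {
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
    "uid=carol,ou=people,dc=example,dc=com",
};
#define NPEOPLE ((int)(sizeof people / sizeof people[0]))

int main(void)
{
    const char *names[] = { "reported", "member", "unique" };
    smatch_cb cbs[] = { cb_reported, cb_member, cb_unique };

    for (int c = 0; c < 3; c++)
        for (int i = 0; i < NPEOPLE; i++)
            printf("%-8s want=%s -> %s\n", names[c], people[i],
                   evaluate_rule(cbs[c], people[i], people, NPEOPLE)
                       ? "allow" : "deny");
    return 0;
}
```

Running the block prints a small table: with `cb_reported` only `uid=carol`, the last entry, is allowed, which is exactly the symptom Sylvain observed; `cb_member` allows all three; `cb_unique` denies all three because the URL matches more than one entry, which is the behaviour Howard says belongs only to single-ID mapping and not to authzTo/authzFrom lookups.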