[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4744) Bug in SASL authzTo validation using an ldap:// rule

ando@sys-net.it wrote:
> sylvain@pilotsystems.net wrote:
>> Full_Name: Sylvain Viollon
>> Version: 2.3
>> OS: FreeBSD 5
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (
>> I have an directory with some users in ou=people,dc=pilotsystems,dc=net branch,
>> having a custom class krbUser ; and a user (cn=auth,dc=pilotsystems,dc=net)
>> having the following attribute :
>> authzTo: ldap:///ou=people,dc=pilotsystems,dc=net??sub?(objectClass=krbUser)
>> He can successfully authenticate, but not become an user listed by the search
>> (with PROXYAUTHZ). Running slapd in debug-mode I saw that he can only become the
>> last user returned by the search.
>> In source, I read the file 'servers/slapd/saslauthz.c'. The filter
>> 'sasl_sc_smatch' said if the wanted user is in the search result. In this
>> function, there is a test :
>>        if ( sm->match == 1 ) {
>>                 sm->match = -1;
>>                 return 0;
>>        }
>> I have removed the line :
>>                 sm->match = -1;
>> Which make the match to fail if there is an entry in the search return after the
>> good one. Like every DN have to be unique, there is no multiple solution, and
>> validation would not be discarded for that. I didn't know if it's a good
>> solution, but it's work.
> As far as I remember, that test is intended to prevent mapping when the 
> search returns more than one entry.  This makes perfectly sense, 
> otherwise a SASL identity (or an authorization identity) would be 
> arbitrarily mapped to one of the matching entries.  So mapping is 
> intended to succeed if and only if exactly one identity can be resolved.

That test is only supposed to prevent mapping when doing an authzRegexp 
mapping of a single SASL userID to a DN. When looking up 
authzFrom/authzTo it is supposed to allow multiple results. 
Interestingly, it looks like slap_sasl_match isn't even used for 
authzRegexp mapping any more. Something is definitely broken here.

   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/