Re: (ITS#4744) Bug in SASL authzTo validation using an ldap:// rule
hyc@symas.com wrote:
> ando@sys-net.it wrote:
>> As far as I remember, that test is intended to prevent mapping when the
>> search returns more than one entry. This makes perfect sense,
>> otherwise a SASL identity (or an authorization identity) would be
>> arbitrarily mapped to one of the matching entries. So mapping is
>> intended to succeed if and only if exactly one identity can be resolved.
>
> That test is only supposed to prevent mapping when doing an authzRegexp
> mapping of a single SASL userID to a DN. When looking up
> authzFrom/authzTo it is supposed to allow multiple results.
> Interestingly, it looks like slap_sasl_match isn't even used for
> authzRegexp mapping any more. Something is definitely broken here.
>
This behavior was changed in rev 1.126 of saslauthz.c. I believe the
relevant portions of that patch need to be reverted. e.g. patch -R:
diff -u -r1.125 -r1.126
--- saslauthz.c 26 Apr 2004 19:47:02 -0000 1.125
+++ saslauthz.c 26 Apr 2004 20:47:08 -0000 1.126
@@ -772,14 +802,26 @@
{
smatch_info *sm = o->o_callback->sc_private;
- if (rs->sr_type != REP_SEARCH) return 0;
+ if ( rs->sr_type != REP_SEARCH ) {
+ if ( rs->sr_err != LDAP_SUCCESS ) {
+ sm->match = -1;
+ }
+ return 0;
+ }
+
+ if ( sm->match == 1 ) {
+ sm->match = -1;
+ return 0;
+ }
if (dn_match(sm->dn, &rs->sr_entry->e_nname)) {
sm->match = 1;
- return -1; /* short-circuit the search */
+
+ } else {
+ sm->match = -1;
}
- return 1;
+ return 0;
}
/*
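Review bot: the rewritten callback makes the result depend on the order in which the backend returns entries. A non-matching entry sets `sm->match = -1`, but a later matching entry overwrites that with 1, whereas a matching entry followed by any further entry is turned into -1 by the new `if ( sm->match == 1 )` block; so for the authzTo/authzFrom case discussed above, where more than one result is legitimate, the same ldap:// rule can grant or deny depending on result order. Dropping the `return -1; /* short-circuit the search */` also means every entry is now walked, and the new REP_RESULT branch turns any result code other than LDAP_SUCCESS into a denial even after the identity was found. If exactly-one-entry semantics are wanted only for authzRegexp mapping, that check belongs in the authzRegexp path rather than in this shared callback.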
@@ -984,7 +1026,7 @@
op.o_bd->be_search( &op, &rs );
- if (sm.match) {
+ if (sm.match == 1) {
rc = LDAP_SUCCESS;
} else {
rc = LDAP_INAPPROPRIATE_AUTH;
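Review bot: `sm.match == 1` is needed once the callback can store -1, because the old `if (sm.match)` would treat the -1 "deny" marker as truthy and return LDAP_SUCCESS. If the first hunk is reverted with `patch -R` as proposed, this line can be left as is, since match is then only ever 0 or 1 and `== 1` is equivalent to the old test. The hunk does not show where `sm.match` is initialised before `be_search`; it has to start at 0 so that a search returning no entries yields LDAP_INAPPROPRIATE_AUTH rather than stale state.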
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
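To make the two callback behaviours in the patch above concrete, here is an added C simulation; it is not OpenLDAP code. It stands in `strcmp` for `dn_match`, models only the `match` field and a constructed two-entry result set, and treats a -1 return as aborting the search, as the removed 1.125 comment describes.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the slapd types the callback touches. */
enum { REP_SEARCH = 1, REP_RESULT = 2 };
enum { LDAP_SUCCESS = 0 };
typedef struct { const char *dn; int match; } smatch_info;
typedef int (*smatch_cb)(smatch_info *, int, int, const char *);

/* Callback as of saslauthz.c 1.125: the first hit ends the search. */
static int cb_1125(smatch_info *sm, int type, int err, const char *entry_dn) {
    (void)err;
    if (type != REP_SEARCH) return 0;
    if (strcmp(sm->dn, entry_dn) == 0) { sm->match = 1; return -1; } /* short-circuit */
    return 1;
}

/* Callback as of 1.126: every entry is inspected and -1 means "deny". */
static int cb_1126(smatch_info *sm, int type, int err, const char *entry_dn) {
    if (type != REP_SEARCH) {
        if (err != LDAP_SUCCESS) sm->match = -1;
        return 0;
    }
    if (sm->match == 1) { sm->match = -1; return 0; } /* a second entry after a hit */
    sm->match = (strcmp(sm->dn, entry_dn) == 0) ? 1 : -1;
    return 0;
}

/* Feed a constructed result set to a callback: the entries in order, then the
 * final REP_RESULT. A -1 return aborts the search, as the 1.125 comment says. */
static int run_search(smatch_cb cb, const char *target, const char **entries, int n) {
    smatch_info sm = { target, 0 }; /* match must start at 0 */
    for (int i = 0; i < n; i++)
        if (cb(&sm, REP_SEARCH, LDAP_SUCCESS, entries[i]) == -1) return sm.match;
    cb(&sm, REP_RESULT, LDAP_SUCCESS, NULL);
    return sm.match;
}

int main(void) {
    const char *target = "uid=target,dc=example,dc=com";            /* constructed */
    const char *other_first[] = { "uid=other,dc=example,dc=com", target };
    const char *target_first[] = { target, "uid=other,dc=example,dc=com" };
    printf("1.125 other-first %d, target-first %d\n",
           run_search(cb_1125, target, other_first, 2),
           run_search(cb_1125, target, target_first, 2));   /* 1, 1 */
    printf("1.126 other-first %d, target-first %d\n",
           run_search(cb_1126, target, other_first, 2),
           run_search(cb_1126, target, target_first, 2));   /* 1, -1 */
    return 0;
}
```

With two entries in the result set, the 1.125 callback grants regardless of order, while the 1.126 callback grants or denies depending on which entry the backend returns first.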