
(ITS#4760) problem with group caching and proxyAuth control



Full_Name: Gerald Richter
Version: 2.3.30
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Gerald-Richter-061123.2.patch
Submission from: (NULL) (194.95.226.11)


Hi,

I noticed that when I use the proxyAuth control, group members are not correctly
resolved.

What I do is log in as user A and do a search with the proxyAuth control with an
authzid of user B.

User B is a member of a group, which grants him access to some items. User A
is not.

When directly logging in as user B, everything is ok. Using proxyAuth, user B
doesn't have access to the items that are granted to the group.

The reason is that the group membership is cached, and therefore user A's
membership is used for ACL evaluation, instead of user B's membership.

The attached patch simply deletes all cached groups when inside the proxyAuth
control setup, which resolves this issue.

Gerald

This patch file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch(es) were developed by
Gerald Richter <richter@ecos.de>. These modifications are not subject to any
license of ecos GmbH.

Redistribution and use in source and binary forms, with or without modification,
are permitted only as authorized by the OpenLDAP Public License.
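
The failure mode reported above, as an added example that is not part of the original submission and is not OpenLDAP source or the attached patch: a per-operation group cache keyed on the group DN alone returns the first identity's result after the authorization identity changes, and flushing it at the switch restores the correct answer. All struct, function and DN names are hypothetical, and the directory data is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenLDAP source: every name here is hypothetical. */
#define MAX_CACHED 8
struct group_entry { const char *group_dn; bool is_member; };
struct operation {
    const char *authz_dn;                 /* identity used for ACL checks */
    struct group_entry cache[MAX_CACHED]; /* per-operation group cache */
    int ncached;
};

/* Constructed directory data: only user B is a member of the group. */
static bool directory_lookup(const char *user_dn, const char *group_dn) {
    return strcmp(group_dn, "cn=staff,dc=example,dc=com") == 0 &&
           strcmp(user_dn, "uid=b,dc=example,dc=com") == 0;
}

/* The cache key is the group DN only, so it assumes authz_dn never changes. */
static bool is_group_member(struct operation *op, const char *group_dn) {
    for (int i = 0; i < op->ncached; i++)
        if (strcmp(op->cache[i].group_dn, group_dn) == 0)
            return op->cache[i].is_member;
    bool res = directory_lookup(op->authz_dn, group_dn);
    if (op->ncached < MAX_CACHED)
        op->cache[op->ncached++] = (struct group_entry){ group_dn, res };
    return res;
}

/* Identity switch as performed for a proxied-authorization control.
 * flush=false models the reported behaviour, flush=true the described fix. */
static void assume_identity(struct operation *op, const char *dn, bool flush) {
    op->authz_dn = dn;
    if (flush) op->ncached = 0;   /* drop results computed for the old identity */
}

/* What the group check returns for B after a result for A was cached. */
static bool proxied_check(bool flush) {
    struct operation op = { .authz_dn = "uid=a,dc=example,dc=com" };
    is_group_member(&op, "cn=staff,dc=example,dc=com"); /* caches "no" for A */
    assume_identity(&op, "uid=b,dc=example,dc=com", flush);
    return is_group_member(&op, "cn=staff,dc=example,dc=com");
}

int main(void) {
    printf("without flush: B member = %d\n", proxied_check(false));
    printf("with flush:    B member = %d\n", proxied_check(true));
    return 0;
}
```

In this model the stale entry denies access that B should have; the same stale-cache pattern would grant access wrongly if the first identity were the group member, which is why the cache has to be invalidated whenever the identity changes.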