(ITS#5195) ssf not available during sasl bind
Full_Name: Russell Stuart
Version: 2.3.30
OS: Debian Etch
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (210.15.201.110)
I am trying to insist that connections during sasl auth operations are
encrypted. I.e., that this works:
    access to attrs=userPassword
        by tls_ssf=128 ssf=128 anonymous auth
        by * none
It does work for a simple bind. But for a sasl bind it fails, and this telltale
appears in the log:
    slapd[26499]: <= check a_authz.sai_ssf: ACL 128 > OP 0
I fixed the issue using this patch, which applies to 2.4.5, 2.3.38 and 2.3.30:
diff -Nur openldap2.3-2.3.30/servers/slapd/sasl.c
openldap2.3-2.3.30.new/servers/slapd/sasl.c
--- openldap2.3-2.3.30/servers/slapd/sasl.c 2007-10-19 15:27:53.000000000
+1000
+++ openldap2.3-2.3.30.new/servers/slapd/sasl.c 2007-10-19 15:29:18.000000000
+1000
@@ -384,6 +384,7 @@
op.ors_slimit = 1;
op.ors_filter = &generic_filter;
op.ors_filterstr = generic_filterstr;
+ op.o_authz = conn->c_authz;
/* FIXME: we want all attributes, right? */
op.ors_attrs = NULL;
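Review bot: The added `op.o_authz = conn->c_authz;` copies the connection's whole authorization structure onto the internal search operation, while the failure shown in the log is only the `sai_ssf` comparison (ACL 128 > OP 0). Please confirm that carrying every other field of `c_authz` into this lookup, while the bind is still in progress, is intended, or copy only the SSF values the ACL tests. Either way the new line needs a short comment saying why the internal search must see the connection's SSF, since the FIXME that follows it is about `ors_attrs` and does not cover it.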