[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access

Full_Name: Guilhem Moulin
Version: 2.4.44
OS: Debian GNU/Linux (Stretch)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

slapd.conf(5) manpage (in both 2.4.44 and in current ? 0f320b3 ? master)
mentions that authz-policy's "all" flag requires both source and destinations
authorizations rules to succeed.  However if the source rule (the authentication
identity's "authzTo" attribute) fails but the destination rule (the
authorization identity's "authzFrom" attribute) succeeds, then the authorization
is granted, violating the intended semantics and possibly yielding unauthorized
access.  See the following log excerpt:

SASL proxy authorize [conn=1019]: authcid="authcid"
==>slap_sasl_authorized: can uid=authcid,dc=example,dc=net become
==>slap_sasl_check_authz: does uid=authzid,dc=example,dc=net match authzTo rule
in uid=authcid,dc=example,dc=net?
<==slap_sasl_check_authz: authzTo check returning 50
==>slap_sasl_check_authz: does uid=authcid,dc=example,dc=net match authzFrom
rule in uid=authzid,dc=example,dc=net?
<===slap_sasl_match: comparison returned 0
<==slap_sasl_check_authz: authzFrom check returning 0
<== slap_sasl_authorized: return 0
conn=1019 op=1 BIND authcid="authcid"
SASL Authorize [conn=1019]:  proxy authorization allowed

AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized(), and
is also present in master.  Here is a naive patch that fails the authorization
if the source rules doesn't verify and SASL_AUTHZ_AND is set in authz_policy.

--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op,
        if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
            goto DONE;
+        else if( rc != LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AND) ) {
+         goto DONE;
+     }
    /* Check destination rules */