[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access

Guilhem Moulin wrote:
> On Wed, 29 Aug 2018 at 01:14:51 +0100, Howard Chu wrote:
>> Thanks for the report. Looks like this has been present since commit
>> 113727ba.  Fixed now in git master
> Thanks for the quick fix!  Not sure why rc's value is preserved here but
> set to LDAP_INAPPROPRIATE_AUTH in all other failing cases, though.  But
> that doesn't seem to matter beside debug logs now showing a return value
> other than 48, disclosing the actual reason of the failure; for instance
>      <== slap_sasl_authorized: return 16
>      SASL Proxy Authorize [conn=1022]: proxy authorization disallowed (16)
> for a missing authTo under authz-policy "all".
Probably not a bad thing overall, but for consistency it's now patched
to set INAPPROPRIATE_AUTH as with the other cases.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/