
Re: (ITS#9052) ACL protections get lost if same identity uses different SSF levels



--On Wednesday, July 24, 2019 3:45 PM -0700 Quanah Gibson-Mount 
<quanah@symas.com> wrote:

> For informational purposes, here's additional detail as the subject and
> original problem description do not fully capture the extent of the
> problem.  In all 2.x releases prior to 2.4.48 (i.e., 2.0.x, 2.1.x, 2.2.x,
> 2.3.x, and 2.4.x up to 2.4.47), the SASL security factor layer was set
> globally rather than per connection.  So once a connection had been made
> that sets a SASL SSF, any and all non-SASL connections would inherit that
> value.

Correction -- SASL SSF was set per connection structure.  Any new client
connection that used the same connection structure as a previous connection
would inherit the sasl_ssf value of the prior connection.  In slapd, one
can generally tell which connection structure is being used by looking at
the file descriptor in use by a given connection (stats level logging will
display this information, for example).  On a busy server where connection
structures are routinely being re-used, there is a high probability that
this would apply to most connections as long as the majority of connections
are setting SASL SSF values.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
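As an added illustration (not code from the ITS thread or from OpenLDAP), the script below applies the heuristic described in the reply, treating the file descriptor as a proxy for the reused connection structure, to constructed stats-style log lines in order to flag non-SASL binds that would have inherited a stale sasl_ssf on a pre-2.4.48 slapd. The log field layout, the sample lines and the function name are assumptions for this example.

```python
import re

# Constructed log lines in the style of slapd "stats" logging; the exact field
# layout is an assumption for this example, not taken from the ITS thread.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.0.0.5:40001 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="uid=alice,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1000 fd=12 closed
conn=1001 fd=12 ACCEPT from IP=10.0.0.9:40002 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=bob,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1002 fd=13 ACCEPT from IP=10.0.0.7:40003 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="uid=carol,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1001 fd=12 closed
conn=1003 fd=12 ACCEPT from IP=10.0.0.4:40004 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="uid=dave,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1002 fd=13 closed
conn=1003 fd=12 closed
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=(\d+) ACCEPT")
BIND_RE = re.compile(
    r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=(\S+)(?: sasl_ssf=(\d+))?')


def find_inherited_ssf(log_text):
    """Return (conn, dn, inherited_ssf, conn_that_set_it) for each non-SASL
    bind on an fd whose previous occupant left a SASL SSF behind.

    Models the pre-2.4.48 behaviour: sasl_ssf lives in the connection
    structure and is never cleared, so every later connection on the same
    structure (approximated here by the same fd) sees it until a new SASL
    bind overwrites it.
    """
    conn_fd = {}        # conn id -> fd it was accepted on
    struct_ssf = {}     # fd -> (sasl_ssf, conn id that set it), never reset
    findings = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.match(line):
            conn_fd[m.group(1)] = m.group(2)
        elif m := BIND_RE.match(line):
            conn, dn, mech, sasl_ssf = m.groups()
            fd = conn_fd.get(conn)
            if mech != "SIMPLE" and sasl_ssf:
                struct_ssf[fd] = (int(sasl_ssf), conn)   # this bind owns the value
            elif fd in struct_ssf and struct_ssf[fd][1] != conn:
                ssf, owner = struct_ssf[fd]
                if ssf > 0:
                    findings.append((conn, dn, ssf, owner))
    return findings
```

The fd is only a proxy for the connection structure, as the reply notes, so treat hits as candidates for review rather than proof; on 2.4.48 and later the value is reset and the script should report nothing meaningful.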