Re: (ITS#9052) ACL protections get lost if same identity uses different SSF levels
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#9052) ACL protections get lost if same identity uses different SSF levels
- From: quanah@symas.com
- Date: Wed, 24 Jul 2019 22:12:18 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
--On Wednesday, July 24, 2019 3:45 PM -0700 Quanah Gibson-Mount
<quanah@symas.com> wrote:
> For informational purposes, here's additional detail as the subject and
> original problem description do not fully capture the extent of the
> problem. In all 2.x releases prior to 2.4.48 (i.e., 2.0.x, 2.1.x, 2.2.x,
> 2.3.x, and 2.4.x up to 2.4.47), the SASL security factor layer was set
> globally rather than per connection. So once a connection had been made
> that sets a SASL SSF, any and all non-SASL connections would inherit that
> value.
Correction -- sasl SSF was set per connection structure. Any new client
connection that used the same connection structure as a previous connection
would inherit the sasl_ssf value of the prior connection. In slapd, one
can generally tell which connection structure is being used by looking at
the file descriptor in use by a given connection (stats level logging will
display this information, for example). On a busy server where connection
structures are routinely being re-used then there is a high probability that
this would apply to most connections as long as the majority of connections
are setting SASL SSF values.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
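
An added example, not part of the original message and not OpenLDAP code: a log audit that uses the file descriptor shown in stats-level logging to list connections accepted on a descriptor whose earlier connection had set a SASL SSF. The log line shapes, the sample log, and the model that the stale value stays on the structure until another SASL bind replaces it are assumptions made for this illustration.

```python
import re

# Line shapes modeled on slapd stats-level output (assumed, not quoted from the message).
ACCEPT = re.compile(r"conn=(\d+) fd=(\d+) ACCEPT")
SASL_BIND = re.compile(r"conn=(\d+) op=\d+ BIND .*\bsasl_ssf=(\d+)")

# Constructed sample: conn 1000 negotiates a SASL layer on fd 12 and closes;
# later clients are accepted on fd 12 and on an unrelated fd 13.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1000 op=1 BIND dn="uid=alice,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1000 fd=12 closed
conn=1001 fd=13 ACCEPT from IP=192.0.2.11:40000 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=app,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1001 fd=13 closed
conn=1002 fd=12 ACCEPT from IP=192.0.2.12:40222 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="cn=app,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1002 fd=12 closed
conn=1003 fd=12 ACCEPT from IP=192.0.2.10:51300 (IP=0.0.0.0:389)
conn=1003 op=1 BIND dn="uid=bob,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1003 fd=12 closed
"""


def inherited_ssf_candidates(lines):
    """Return (conn, fd, stale_ssf, set_by_conn) for each connection that was
    accepted on a reused fd carrying a SASL SSF and never set its own."""
    stale = {}    # fd -> (sasl_ssf, conn that set it); deliberately kept across close
    conn_fd = {}  # conn id -> fd it was accepted on
    exposed = {}  # conn id -> finding, dropped once the conn does its own SASL bind
    for line in lines:
        if m := ACCEPT.search(line):
            conn, fd = int(m[1]), int(m[2])
            conn_fd[conn] = fd
            ssf, set_by = stale.get(fd, (0, None))
            if ssf > 0:
                exposed[conn] = (conn, fd, ssf, set_by)
        elif m := SASL_BIND.search(line):
            conn, ssf = int(m[1]), int(m[2])
            if conn in conn_fd:  # ignore binds whose ACCEPT is outside the log window
                stale[conn_fd[conn]] = (ssf, conn)
                exposed.pop(conn, None)
    return sorted(exposed.values())


if __name__ == "__main__":
    for conn, fd, ssf, set_by in inherited_ssf_candidates(SAMPLE_LOG.splitlines()):
        print(f"conn={conn} fd={fd}: may carry sasl_ssf={ssf} left by conn={set_by}")
```

On the constructed sample only conn=1002 is reported: it reuses fd 12 after conn=1000 and performs a simple bind, while conn=1003 replaces the value with its own SASL bind.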