
SASL authorization policy not enforced

In OpenLDAP 2.0.3 I can become any user if I specify a SASL authorization
identity with "-X u:<user>":

ldapsearch -Y GSSAPI -X u:root -s base -b "" "objectclass=" +

do_sasl_bind: dn () mech GSSAPI
conn=0 op=2 BIND dn="" method=163
==> sasl_bind: dn="" mech=<continuing> datalen=61
SASL Authorize [conn=0]: authcid="zrdkn01" authzid="u:root"
SASL Authorize [conn=0]: "zrdkn01" as "u:root" disallowed. No policy.
slap_sasl_bind: username="u:root" realm="" ssf=56
<== slap_sasl_bind: authzdn: "uid=root"

"uid=root" is then used in acl checks.

"-X dn:uid=root" gives me the expected behaviour:
ldap_sasl_interactive_bind_s: Inappropriate authentication
        additional info: authorization disallowed

See also ITS#759 for logging of authzid.

Norbert Klasen
DFN Directory Services                           tel: +49 7071 29 70335
ZDV, Universität Tübingen                        fax: +49 7071 29 5912
D-72074 Tübingen                    norbert.klasen@zdv.uni-tuebingen.de
Germany                                     http://www.directory.dfn.de
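As an added example (not part of this report or of OpenLDAP itself), a small Python checker that scans slapd debug output for the inconsistency shown above: a SASL Authorize line saying the proxy authorization was disallowed, followed by an authzdn being set anyway. The sample log is constructed from the excerpt; the "u:name" to "uid=name" mapping is taken from the logged lines, and attributing the authzdn line to the most recently seen conn is an assumption, since that line carries no conn id.

```python
import re

# Constructed sample of slapd debug output, modelled on the excerpt in the
# report above; conn=1 is a hypothetical bind where the authzid is the
# user's own identity, so no "disallowed" line precedes its authzdn.
SAMPLE_LOG = """\
conn=0 op=2 BIND dn="" method=163
SASL Authorize [conn=0]: authcid="zrdkn01" authzid="u:root"
SASL Authorize [conn=0]: "zrdkn01" as "u:root" disallowed. No policy.
slap_sasl_bind: username="u:root" realm="" ssf=56
<== slap_sasl_bind: authzdn: "uid=root"
conn=1 op=1 BIND dn="" method=163
SASL Authorize [conn=1]: authcid="alice" authzid="u:alice"
<== slap_sasl_bind: authzdn: "uid=alice"
"""

AUTHORIZE_RE = re.compile(r'SASL Authorize \[conn=(\d+)\]: authcid="([^"]*)" authzid="([^"]*)"')
DISALLOW_RE = re.compile(r'SASL Authorize \[conn=(\d+)\]: .*\bdisallowed\b')
AUTHZDN_RE = re.compile(r'slap_sasl_bind: authzdn: "([^"]*)"')
CONN_RE = re.compile(r'\bconn=(\d+)\b')


def requested_dn(authzid):
    """Map an authzid to the DN slapd 2.0 derived for it in the report's log:
    "u:name" became "uid=name"; a "dn:" authzid is taken literally."""
    if authzid.startswith("u:"):
        return "uid=" + authzid[2:]
    if authzid.startswith("dn:"):
        return authzid[3:]
    return authzid


def find_unenforced(log_text):
    """Return one finding per connection where slapd logged that the proxy
    authorization was disallowed and nevertheless went on to set an authzdn."""
    requests, disallowed, findings = {}, set(), []
    current = None  # assumption: authzdn lines belong to the last conn seen
    for line in log_text.splitlines():
        conn = CONN_RE.search(line)
        if conn:
            current = conn.group(1)
        auth = AUTHORIZE_RE.search(line)
        deny = DISALLOW_RE.search(line)
        dn = AUTHZDN_RE.search(line)
        if auth:
            requests[auth.group(1)] = (auth.group(2), auth.group(3))
        elif deny:
            disallowed.add(deny.group(1))
        elif dn and current in disallowed:
            authcid, authzid = requests.get(current, ("?", "?"))
            findings.append({"conn": current, "authcid": authcid, "authzid": authzid,
                             "authzdn": dn.group(1),
                             "assumed_requested_identity": dn.group(1) == requested_dn(authzid)})
    return findings
```

Run `find_unenforced(SAMPLE_LOG)` against a real slapd debug log to confirm whether a given server still binds the denied identity; a fixed server should produce no findings.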