
Re: slapd exits on processing malformed saslAuthzTo attribute (ITS#3077)



> Full_Name: Michael Glasson
> Version: 2.2.7
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (165.12.252.12)
>
>
> slapd exits when processing a saslAuthzTo attribute which is not
> formatted correctly.
>
> A saslAuthzTo like "uid=mg,ou=person,dc=mynym,dc=net" is processed as
> you would expect, allowing the authentication id to authorize as the
> target entry.
>
> A saslAuthzTo like "dn.regex:uid=.*,ou=person,dc=mynym,dc=net" is also
> processed as you would expect, allowing the authentication id to
> authorize as an entry in the target subtree.
>
> A saslAuthzTo like "dn.subtree:ou=person,dc=mynym,dc=net" causes slapd
> to exit immediately.

This should be legal as of 2.2.7.

>
> I understand that saslAuthzTo entries of forms other than "dn.regex:..."
> may not be supported, but I do not imagine that slapd should die when it
> processes an unsupported saslAuthzTo.

Can you provide more information?  A debug log at the highest level
concerning the authorization phase should help; unless the program
terminates on an assertion, a stack backtrace would also be of help.

Thanks, p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it