Re: (ITS#4744) Bug in SASL authzTo validation using an ldap:// rule
sylvain@pilotsystems.net wrote:
> Full_Name: Sylvain Viollon
> Version: 2.3
> OS: FreeBSD 5
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (83.204.228.114)
>
> I have a directory with some users in the ou=people,dc=pilotsystems,dc=net branch,
> having a custom class krbUser; and a user (cn=auth,dc=pilotsystems,dc=net)
> having the following attribute:
>
> authzTo: ldap:///ou=people,dc=pilotsystems,dc=net??sub?(objectClass=krbUser)
>
> He can successfully authenticate, but not become a user listed by the search
> (with PROXYAUTHZ). Running slapd in debug mode I saw that he can only become the
> last user returned by the search.
>
> In the source, I read the file 'servers/slapd/saslauthz.c'. The filter
> 'sasl_sc_smatch' says whether the wanted user is in the search result. In this
> function, there is a test:
>
> if ( sm->match == 1 ) {
>     sm->match = -1;
>     return 0;
> }
>
> I have removed the line :
>
> sm->match = -1;
>
> which makes the match fail if there is an entry in the search result after the
> good one. Since every DN has to be unique, there are no multiple solutions, and
> validation would not be discarded for that. I don't know if it's a good
> solution, but it works.
>
As far as I remember, that test is intended to prevent mapping when the
search returns more than one entry. This makes perfect sense,
otherwise a SASL identity (or an authorization identity) would be
arbitrarily mapped to one of the matching entries. So mapping is
intended to succeed if and only if exactly one identity can be resolved.
If the behavior you're experiencing is consistent with the above, there
is no evidence of a bug in OpenLDAP software. If it's not, please
detail. Otherwise, this ITS will be closed.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
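To make the discussion concrete, here is an added example (not OpenLDAP's code) that models the per-entry callback the report quotes and the "exactly one entry" rule the reply describes, then runs it over a constructed two-entry result set under the report's ou=people,dc=pilotsystems,dc=net base. The DNs uid=alice and uid=bob and the function names are assumptions for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Model of the search callback state described in the report:
 * match is 0 until the wanted DN is returned, 1 once it has been, and
 * -1 once any further entry arrives after that match. The reply says
 * the -1 is deliberate: the mapping is accepted only when it resolves
 * to exactly one entry. (Added example, not OpenLDAP's sasl_sc_smatch.) */
typedef struct {
    const char *dn;   /* identity the client asks to assume (PROXYAUTHZ) */
    int match;        /* 0 = not seen, 1 = matched, -1 = ambiguous/rejected */
} smatch_info;

/* Invoked once per entry the authzTo search returns, in return order. */
static void smatch_callback(smatch_info *sm, const char *entry_dn)
{
    if (sm->match == 1) {
        /* A second entry after the match makes the result ambiguous. */
        sm->match = -1;
        return;
    }
    if (strcmp(sm->dn, entry_dn) == 0)
        sm->match = 1;
}

/* Runs the callback over a result set; returns 1 if the wanted DN is accepted. */
int authz_accepted(const char *wanted, const char **results, int n)
{
    smatch_info sm = { wanted, 0 };
    for (int i = 0; i < n; i++)
        smatch_callback(&sm, results[i]);
    return sm.match == 1;
}

/* Constructed sample result set: two krbUser entries, returned in this order. */
static const char *SAMPLE_RESULTS[] = {
    "uid=alice,ou=people,dc=pilotsystems,dc=net",
    "uid=bob,ou=people,dc=pilotsystems,dc=net",
};

int sample_accepted(const char *wanted)
{
    return authz_accepted(wanted, SAMPLE_RESULTS, 2);
}

int main(void)
{
    /* With the quoted test in place only the last returned entry is accepted,
     * which is the behaviour the report observed. */
    printf("alice: %d\n", sample_accepted(SAMPLE_RESULTS[0]));
    printf("bob:   %d\n", sample_accepted(SAMPLE_RESULTS[1]));
    return 0;
}
```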