Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access
- From: hyc@symas.com
- Date: Wed, 29 Aug 2018 01:04:38 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Guilhem Moulin wrote:
> On Wed, 29 Aug 2018 at 01:14:51 +0100, Howard Chu wrote:
>> Thanks for the report. Looks like this has been present since commit
>> 113727ba. Fixed now in git master
>
> Thanks for the quick fix! Not sure why rc's value is preserved here but
> set to LDAP_INAPPROPRIATE_AUTH in all other failing cases, though. But
> that doesn't seem to matter besides debug logs now showing a return value
> other than 48, disclosing the actual reason of the failure; for instance
>
> <== slap_sasl_authorized: return 16
> SASL Proxy Authorize [conn=1022]: proxy authorization disallowed (16)
>
> for a missing authTo under authz-policy "all".
>
Probably not a bad thing overall, but for consistency it's now patched
to set INAPPROPRIATE_AUTH as with the other cases.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
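
Added example, not part of the original message and not OpenLDAP's code: a simplified C model of how the authzTo and authzFrom rule results combine under authz-policy "any" versus "all", with the raw failure code (16 in the log above) set beside the version that reports every denial as LDAP_INAPPROPRIATE_AUTH (48). The enum and function names are hypothetical, and the input case is constructed.

```c
#include <stdio.h>

/* LDAP result codes (RFC 4511 values) */
#define LDAP_SUCCESS            0
#define LDAP_NO_SUCH_ATTRIBUTE  16
#define LDAP_INAPPROPRIATE_AUTH 48

/* Hypothetical names for authz-policy settings, not slapd's identifiers. */
enum authz_policy { POLICY_NONE, POLICY_FROM, POLICY_TO, POLICY_ANY, POLICY_ALL };

/* to_rc / from_rc: outcome of the authzTo and authzFrom rule checks,
 * LDAP_SUCCESS or a specific failure code. Returns the raw outcome,
 * i.e. the failing check's own code is preserved. */
static int authz_raw(enum authz_policy p, int to_rc, int from_rc)
{
    switch (p) {
    case POLICY_TO:   return to_rc;
    case POLICY_FROM: return from_rc;
    case POLICY_ANY:  /* one matching rule is enough */
        return (to_rc == LDAP_SUCCESS || from_rc == LDAP_SUCCESS)
            ? LDAP_SUCCESS : to_rc;
    case POLICY_ALL:  /* both rules must match */
        if (to_rc != LDAP_SUCCESS) return to_rc;
        return from_rc;
    default:          return LDAP_INAPPROPRIATE_AUTH; /* proxy authz disabled */
    }
}

/* Every denial collapses to one code, so logs and callers cannot tell
 * a missing attribute from a non-matching rule. */
static int authz_decide(enum authz_policy p, int to_rc, int from_rc)
{
    return authz_raw(p, to_rc, from_rc) == LDAP_SUCCESS
        ? LDAP_SUCCESS : LDAP_INAPPROPRIATE_AUTH;
}

int main(void)
{
    /* Constructed case: no authzTo rule present, authzFrom rule matches. */
    int to_rc = LDAP_NO_SUCH_ATTRIBUTE, from_rc = LDAP_SUCCESS;
    printf("any: %d\n", authz_decide(POLICY_ANY, to_rc, from_rc));
    printf("all: raw=%d normalized=%d\n",
           authz_raw(POLICY_ALL, to_rc, from_rc),
           authz_decide(POLICY_ALL, to_rc, from_rc));
    return 0;
}
```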