
Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access



Guilhem Moulin wrote:
> On Wed, 29 Aug 2018 at 01:14:51 +0100, Howard Chu wrote:
>> Thanks for the report. Looks like this has been present since commit
>> 113727ba.  Fixed now in git master
> 
> Thanks for the quick fix!  Not sure why rc's value is preserved here but
> set to LDAP_INAPPROPRIATE_AUTH in all other failing cases, though.  But
> that doesn't seem to matter besides debug logs now showing a return value
> other than 48, disclosing the actual reason of the failure; for instance
> 
>      <== slap_sasl_authorized: return 16
>      SASL Proxy Authorize [conn=1022]: proxy authorization disallowed (16)
> 
> for a missing authTo under authz-policy "all".
> 
Probably not a bad thing overall, but for consistency it's now patched
to set INAPPROPRIATE_AUTH as with the other cases.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
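
A simplified model of the behaviour discussed in this thread, added here as an example and not taken from slapd's source: under "all" both the authzTo and authzFrom checks must succeed, and every failure is reported as LDAP_INAPPROPRIATE_AUTH (48) whatever the internal reason was. The enum and function names are hypothetical, and the inputs in main() are constructed.

```c
#include <stdio.h>

/* LDAP result codes (RFC 4511). */
#define LDAP_SUCCESS            0
#define LDAP_NO_SUCH_ATTRIBUTE  16
#define LDAP_INAPPROPRIATE_AUTH 48

/* Hypothetical names for the authz-policy values; not slapd's identifiers. */
enum authz_policy { POLICY_NONE, POLICY_FROM, POLICY_TO, POLICY_ANY, POLICY_ALL };

/* to_rc / from_rc: outcome of the authzTo and authzFrom rule checks,
 * LDAP_SUCCESS on a match or the specific failure code otherwise. */
static int authz_reason(enum authz_policy p, int to_rc, int from_rc)
{
    switch (p) {
    case POLICY_TO:   return to_rc;
    case POLICY_FROM: return from_rc;
    case POLICY_ANY:  /* one matching rule set is enough */
        return (to_rc == LDAP_SUCCESS) ? LDAP_SUCCESS : from_rc;
    case POLICY_ALL:  /* both rule sets must match */
        return (to_rc != LDAP_SUCCESS) ? to_rc : from_rc;
    default:          return LDAP_INAPPROPRIATE_AUTH; /* "none": proxy authz off */
    }
}

/* Reported result: every failure collapses to 48, hiding the specific reason. */
int authz_check(enum authz_policy p, int to_rc, int from_rc)
{
    return authz_reason(p, to_rc, from_rc) == LDAP_SUCCESS
               ? LDAP_SUCCESS : LDAP_INAPPROPRIATE_AUTH;
}

int main(void)
{
    /* Constructed case: authzFrom matches, authzTo is missing. */
    int to_rc = LDAP_NO_SUCH_ATTRIBUTE, from_rc = LDAP_SUCCESS;
    printf("any: %d\n", authz_check(POLICY_ANY, to_rc, from_rc));
    printf("all: %d (internal reason %d)\n",
           authz_check(POLICY_ALL, to_rc, from_rc),
           authz_reason(POLICY_ALL, to_rc, from_rc));
    return 0;
}
```

The case where only one of the two rule sets matches is the one that separates "any" from "all", so it is the case to cover in a regression test of a deployment's proxy-authorization policy.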