Full_Name: Gerald Richter
Version: 2.3.30
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Gerald-Richter-061123.2.patch
Submission from: (NULL) (194.95.226.11)
Hi,
I noticed that when I use the proxyAuth control, group members are not correctly resolved.
What I do is to log in as user A and do a search with proxyAuth control with an authzid of user B.
User B is a member of a group, which grants him access to some items. User A is not.
When directly logging in as user B, everything is ok. Using proxyAuth, user B doesn't have access to the items that are granted to the group.
The reason is that the group membership is cached, and therefore user A's membership is used for ACL evaluation, instead of user B's membership.
The attached patch simply deletes all cached groups when inside the proxyAuth control setup, which resolves this issue.
Gerald
This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Gerald Richter richter@ecos.de. These modifications are not subject to any license of ecos GmbH.
Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.
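
A simplified model of the caching behaviour described in this report, added here as an illustration and not taken from OpenLDAP or from the attached patch. The struct, function names and DNs are hypothetical; it shows a membership cache whose key omits the identity, and the effect of flushing it when the authorization identity changes.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenLDAP source: all names here are hypothetical. */
#define MAX_CACHE 8

struct group_entry { const char *group; int is_member; };

struct session {
    const char *authz_dn;                 /* identity used for ACL evaluation */
    struct group_entry cache[MAX_CACHE];  /* cached group membership results */
    int ncache;
};

/* Constructed directory data: only user B is in the group. */
static int directory_is_member(const char *dn, const char *group) {
    return strcmp(group, "cn=readers") == 0 && strcmp(dn, "cn=userB") == 0;
}

/* The cache is keyed by group only, so it assumes authz_dn never changes. */
static int group_check(struct session *s, const char *group) {
    for (int i = 0; i < s->ncache; i++)
        if (strcmp(s->cache[i].group, group) == 0)
            return s->cache[i].is_member;
    int r = directory_is_member(s->authz_dn, group);
    if (s->ncache < MAX_CACHE)
        s->cache[s->ncache++] = (struct group_entry){ group, r };
    return r;
}

/* Identity switch as performed when a proxied-authorization control is set up. */
static void switch_identity(struct session *s, const char *authzid, int flush) {
    s->authz_dn = authzid;
    if (flush)
        s->ncache = 0;   /* the fix described in the report: drop cached groups */
}

/* Returns user B's effective membership after user A's result was cached. */
int proxied_membership(int flush) {
    struct session s = { .authz_dn = "cn=userA", .ncache = 0 };
    group_check(&s, "cn=readers");             /* caches A: not a member */
    switch_identity(&s, "cn=userB", flush);
    return group_check(&s, "cn=readers");
}

int main(void) {
    printf("without flush: %d\n", proxied_membership(0));
    printf("with flush:    %d\n", proxied_membership(1));
    return 0;
}
```

The same stale-cache pattern can err in either direction, so any cache consulted during ACL evaluation should either include the effective identity in its key or be invalidated whenever that identity changes.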