russell-openldap(a)stuart.id.au wrote:
I am trying to insist that connections during sasl auth operations are
encrypted. Ie, that this works:
access to attrs=userPassword
by tls_ssf=128 ssf=128 anonymous auth
by * none
It does work for a simple bind. But for a sasl bind it fails, and this telltale
appears in the log:
slapd[26499]: <= check a_authz.sai_ssf: ACL 128 > OP 0
I fixed the issue using this patch, which applies to 2.4.5, 2.3.38 and 2.3.30:
I suppose that may be a legitimate bug, but this isn't really the correct fix.
slap_auxprop_lookup is doing an internal search, so there is no network to
speak of. In SSF terms it would have an SSF of "infinity".
diff -Nur openldap2.3-2.3.30/servers/slapd/sasl.c
openldap2.3-2.3.30.new/servers/slapd/sasl.c
--- openldap2.3-2.3.30/servers/slapd/sasl.c 2007-10-19 15:27:53.000000000
+1000
+++ openldap2.3-2.3.30.new/servers/slapd/sasl.c 2007-10-19 15:29:18.000000000
+1000
@@ -384,6 +384,7 @@
op.ors_slimit = 1;
op.ors_filter = &generic_filter;
op.ors_filterstr = generic_filterstr;
+ op.o_authz = conn->c_authz;
/* FIXME: we want all attributes, right? */
op.ors_attrs = NULL;
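Review bot: Setting op.o_authz = conn->c_authz on the internal search built in slap_auxprop_lookup makes the userPassword ACL's ssf=128 check compare against the client connection's security factors, which is why the "ACL 128 > OP 0" denial disappears, but as the reply points out this search is performed in-process with no network path, so its SSF is effectively unbounded rather than equal to the connection's; a more accurate fix would make the internal operation carry that property explicitly instead of borrowing the connection's authz (which also pulls in the client's authorization identity for an operation that is not on the client's behalf), and whichever approach is taken the new line deserves a comment explaining why the SSF is being overridden next to the existing FIXME.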
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/