Full_Name: Russell Stuart
Version: 2.3.30
OS: Debian Etch
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (210.15.201.110)
I am trying to insist that connections during SASL auth operations are encrypted, i.e. that this works:
access to attrs=userPassword by tls_ssf=128 ssf=128 anonymous auth by * none
It does work for a simple bind. But for a SASL bind it fails, and this telltale appears in the log:
slapd[26499]: <= check a_authz.sai_ssf: ACL 128 > OP 0
I fixed the issue using this patch, which applies to 2.4.5, 2.3.38 and 2.3.30:
diff -Nur openldap2.3-2.3.30/servers/slapd/sasl.c openldap2.3-2.3.30.new/servers/slapd/sasl.c --- openldap2.3-2.3.30/servers/slapd/sasl.c 2007-10-19 15:27:53.000000000 +1000 +++ openldap2.3-2.3.30.new/servers/slapd/sasl.c 2007-10-19 15:29:18.000000000 +1000 @@ -384,6 +384,7 @@ op.ors_slimit = 1; op.ors_filter = &generic_filter; op.ors_filterstr = generic_filterstr; + op.o_authz = conn->c_authz; /* FIXME: we want all attributes, right? */ op.ors_attrs = NULL;
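Review bot: the added `op.o_authz = conn->c_authz;` is a whole-struct copy of the connection's authorization information, while the log line only shows the SSF member (`a_authz.sai_ssf`) being compared against the ACL; the copy also carries the connection's DN and method fields into the internal search operation, so either copy only the SSF-related members the ACL check needs or add a comment stating why inheriting the full connection authorization is intended here. It would also help to note whether `conn->c_authz` is guaranteed to be populated at the point in the SASL exchange where this lookup runs, since the failing case in the report is a bind that has not yet completed.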