--On Wednesday, July 24, 2019 3:45 PM -0700 Quanah Gibson-Mount
<quanah(a)symas.com> wrote:
For informational purposes, here's additional detail as the subject and
original problem description do not fully capture the extent of the
problem. In all 2.x releases prior to 2.4.48 (i.e., 2.0.x, 2.1.x, 2.2.x,
2.3.x, and 2.4.x up to 2.4.47), the SASL security factor layer was set
globally rather than per connection. So once a connection had been made
that sets a SASL SSF, any and all non-SASL connections would inherit that
value.
Correction -- sasl SSF was set per connection structure. Any new client
connection that used the same connection structure as a previous connection
would inherit the sasl_ssf value of the prior connection. In slapd, one
can generally tell which connection structure is being used by looking at
the file descriptor in use by a given connection (stats level logging will
display this information, for example). On a busy server where connection
structures are routinely being re-used then there is a high probability that
this would apply to most connections as long as the majority of connections
are setting SASL SSF values.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
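The message above notes that stats-level logging shows the file descriptor behind each connection. As an added example (not part of the original message and not OpenLDAP project code), the sketch below walks such a log and lists non-SASL connections that reused a descriptor on which an earlier connection had set a SASL SSF. The function name is hypothetical, the log lines are constructed, and the `conn=N fd=N ACCEPT` and `BIND ... sasl_ssf=N` line shapes are assumed to match what your slapd build writes.

```python
import re

# Constructed sample of slapd stats-level log lines (not from a real server).
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.0.2.10:40000 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="uid=alice,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1000 fd=12 closed
conn=1001 fd=13 ACCEPT from IP=192.0.2.11:40001 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=bob,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1001 fd=13 closed
conn=1002 fd=12 ACCEPT from IP=192.0.2.12:40002 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="uid=carol,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1002 fd=12 closed
conn=1003 fd=12 ACCEPT from IP=192.0.2.13:40003 (IP=0.0.0.0:389)
conn=1003 op=0 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=*)"
"""

# Assumed line shapes; adjust the patterns if your build logs differently.
ACCEPT = re.compile(r"conn=(\d+) fd=(\d+) ACCEPT")
SASL_BIND = re.compile(r"conn=(\d+) op=\d+ BIND .*sasl_ssf=(\d+)")

def find_inherited_ssf(log_text):
    """Return (conn, fd, stale_ssf, source_conn) for non-SASL connections that
    reused an fd on which an earlier connection had set a SASL SSF."""
    last_sasl = {}   # fd -> (sasl_ssf, conn that set it); kept across closes
    conn_fd = {}     # conn -> fd it was accepted on
    suspect = {}     # conn -> finding; dropped if the conn sets its own SASL SSF
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            conn, fd = int(m[1]), int(m[2])
            conn_fd[conn] = fd
            if fd in last_sasl:
                ssf, src = last_sasl[fd]
                suspect[conn] = (conn, fd, ssf, src)
        elif m := SASL_BIND.search(line):
            conn, ssf = int(m[1]), int(m[2])
            if ssf > 0 and conn in conn_fd:
                last_sasl[conn_fd[conn]] = (ssf, conn)
                suspect.pop(conn, None)  # this conn negotiated its own SSF
    return sorted(suspect.values())

if __name__ == "__main__":
    for conn, fd, ssf, src in find_inherited_ssf(SAMPLE_LOG):
        print(f"conn={conn} fd={fd}: may carry sasl_ssf={ssf} left by conn={src}")
```

The output is a list of candidates for review on servers older than 2.4.48; it reflects only what the log recorded, so connections accepted before the log window begins are not accounted for.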