Hey Quanah,
Thanks for getting back to me!
So as I understood it, I expected the proxied identity to be the identity that the client successfully authorized as instead of the identity it initially started with. The session tracking request is just there to confirm that piece of information is actually present but not used. That initial identity is also used for ACL evaluation on the producer side, leading to insufficient access (as expected).
To give a perhaps clearer example, assume the following users (stripped down to just the relevant attributes in play):
    dn: cn=proxy,ou=System,dc=example,dc=net
    authzTo: dn:*

    dn: cn=service,ou=System,dc=example,dc=net
    authzTo: dn:uid=user,ou=People,dc=example,dc=net

    dn: uid=dieter,ou=People,dc=example,dc=net
and the following idassert config:
olcDbIDAssertBind: mode=self flags=override,prescriptive tls_reqcert=never bindmethod=sasl saslmech=plain authcID=proxy credentials=XXXXX
When I perform an operation like this:
ldapmodify -H ldaps://ldapserver -Y PLAIN -U service -X dn:uid=dieter,ou=People,dc=example,dc=net -w servicepassword -f modifications.ldif
I would assume the following takes place:
- The service user binds to the consumer and assumes dieter's identity, which should be the same net effect as binding with dieter's user in the first place.
- The proxy user binds to the provider and assumes dieter's identity
- The provider tries to perform the write, using dieter's identity for ACL evaluation
What actually happens:
- The service user binds to the consumer and assumes dieter's identity
- The proxy user binds to the provider and assumes the service user's identity
- The provider tries to perform the write, using the service user's identity for ACL evaluation
Actually, I spent some more time on this today and I think I might know what's happening here:
(from servers/slapd/back-ldap/bind.c in master):
line 2222 - 2227:

    if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
        ndn = op->o_conn->c_ndn;
    } else {
        ndn = op->o_ndn;
    }

line 2549 - 2557:

    if ( op->o_tag == LDAP_REQ_BIND ) {
        ndn = op->o_req_ndn;
    } else if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
        ndn = op->o_conn->c_ndn;
    } else {
        ndn = op->o_ndn;
    }
It seems it tries to use op->o_conn->c_ndn if it's not null, which is (correct me if I'm wrong) the original authcID. That value however doesn't change when performing a proxy authorization, while op->o_ndn does properly reflect that. Shouldn't OpenLDAP always use op->o_ndn?
Again, let me know if I can provide more information or tell me if I'm grossly misunderstanding how this is all supposed to work in the first place :)
Thanks!
// Dieter
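The identity chain described in the mail (consumer bind with an authzID, then the back-ldap idassert bind to the provider), modelled in Python as an added illustration; this is not OpenLDAP code. It assumes the service user's authzTo names dieter so the consumer-side proxy authorization succeeds, and it contrasts the ndn selection quoted from bind.c with the always-use-o_ndn behaviour the mail argues for.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed DNs matching the example in the mail.
PROXY = "cn=proxy,ou=System,dc=example,dc=net"
SERVICE = "cn=service,ou=System,dc=example,dc=net"
DIETER = "uid=dieter,ou=People,dc=example,dc=net"

# authzTo rules; the service rule is assumed to name dieter for this model.
AUTHZ_TO = {PROXY: ["dn:*"], SERVICE: ["dn:" + DIETER]}


@dataclass
class Conn:
    c_ndn: str  # identity that authenticated on the connection (authcID)


@dataclass
class Op:
    conn: Conn
    o_ndn: str  # identity the operation runs as after proxy authorization
    is_bind: bool = False
    o_req_ndn: str = ""


def authz_allowed(authc: str, target: str) -> bool:
    """Evaluate authzTo: 'dn:*' matches any DN, 'dn:<dn>' matches exactly."""
    return any(r == "dn:*" or r == "dn:" + target for r in AUTHZ_TO.get(authc, []))


def consumer_bind(authc: str, authz: Optional[str]) -> Op:
    """SASL bind with optional authzID (-X dn:...): c_ndn keeps the authcID,
    while o_ndn carries the identity the client was authorized to assume."""
    conn = Conn(c_ndn=authc)
    if authz is None:
        return Op(conn, authc)
    if not authz_allowed(authc, authz):
        raise PermissionError("proxy authorization denied by authzTo")
    return Op(conn, authz)


def select_ndn_quoted(op: Op) -> str:
    """Selection as quoted from back-ldap/bind.c: prefer c_ndn when set."""
    if op.is_bind:
        return op.o_req_ndn
    return op.conn.c_ndn if op.conn.c_ndn else op.o_ndn


def select_ndn_expected(op: Op) -> str:
    """Behaviour the mail expects: always assert o_ndn."""
    return op.o_ndn


def provider_acl_identity(op: Op, select: Callable[[Op], str]) -> str:
    """idassert mode=self: the proxy asserts the selected DN to the provider,
    which then evaluates its ACLs as that identity (proxy has authzTo dn:*)."""
    asserted = select(op)
    if not authz_allowed(PROXY, asserted):
        raise PermissionError("provider rejected assertion")
    return asserted
```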