SASL authorization policy not enforced
Hi,
In OpenLDAP 2.0.3 I can become any user if I specify a SASL authorization
identity with "-X u:<user>":
ldapsearch -Y GSSAPI -X u:root -s base -b "" "objectclass=*" +
do_sasl_bind: dn () mech GSSAPI
conn=0 op=2 BIND dn="" method=163
==> sasl_bind: dn="" mech=<continuing> datalen=61
SASL Authorize [conn=0]: authcid="zrdkn01" authzid="u:root"
SASL Authorize [conn=0]: "zrdkn01" as "u:root" disallowed. No policy.
slap_sasl_bind: username="u:root" realm="" ssf=56
<== slap_sasl_bind: authzdn: "uid=root"
"uid=root" is then used in ACL checks.
"-X dn:uid=root" gives me the expected behaviour:
ldap_sasl_interactive_bind_s: Inappropriate authentication
additional info: authorization disallowed
See also ITS#759 for logging of authzid.
--
Norbert Klasen
DFN Directory Services tel: +49 7071 29 70335
ZDV, Universität Tübingen fax: +49 7071 29 5912
D-72074 Tübingen norbert.klasen@zdv.uni-tuebingen.de
Germany http://www.directory.dfn.de
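The report shows a server that logs "disallowed. No policy." for the SASL Authorize step and then proceeds to set authzdn anyway. The following detector is an added example, not part of the original report or of OpenLDAP; it scans slapd log lines in the format quoted above and flags a connection where an Authorize verdict of "disallowed" is nevertheless followed by a bind carrying a non-empty authzdn. The "u:root" and "<== slap_sasl_bind: authzdn:" lines are taken verbatim from the report; the second connection, with a "dn:" authzid and a RESULT line with err=48, is constructed to represent the correctly rejected case and is an assumption about how that exchange would appear in the log.

```python
"""Flag SASL proxy-authorization verdicts that are logged as disallowed
but not enforced (added example; log format taken from the report above)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# 2.0.3 authorize verdict line, e.g.
#   SASL Authorize [conn=0]: "zrdkn01" as "u:root" disallowed. No policy.
AUTHZ_RE = re.compile(
    r'SASL Authorize \[conn=(?P<conn>\d+)\]: "(?P<authcid>[^"]*)" as '
    r'"(?P<authzid>[^"]*)" (?P<verdict>\w+)\.'
)
# The authzdn line carries no conn= tag, so it is attributed to the
# Authorize line that immediately precedes it in the log.
AUTHZDN_RE = re.compile(r'<== slap_sasl_bind: authzdn: "(?P<authzdn>[^"]*)"')
# A RESULT line closes the bind operation; anything pending is discarded.
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=\d+ RESULT ')


def authzid_to_expected_dn(authzid: str) -> Optional[str]:
    """Mirror the mapping visible in the report: u:root -> uid=root."""
    if authzid.startswith("u:"):
        return "uid=" + authzid[2:]
    if authzid.startswith("dn:"):
        return authzid[3:]
    return None


@dataclass
class Finding:
    conn: str
    authcid: str
    authzid: str
    authzdn: str
    matches_authzid: bool  # authzdn is the DN the authzid would map to


def find_unenforced_authz(lines: List[str]) -> List[Finding]:
    """Return one Finding per bind that set authzdn after a 'disallowed' verdict."""
    findings: List[Finding] = []
    pending: Optional[dict] = None  # last disallowed verdict awaiting its bind outcome
    for line in lines:
        m = AUTHZ_RE.search(line)
        if m:
            pending = m.groupdict() if m["verdict"] == "disallowed" else None
            continue
        if RESULT_RE.search(line):
            pending = None
            continue
        m = AUTHZDN_RE.search(line)
        if m and pending is not None:
            authzdn = m["authzdn"]
            if authzdn:  # policy was enforced only if no authorization DN was set
                expected = authzid_to_expected_dn(pending["authzid"])
                findings.append(Finding(
                    conn=pending["conn"],
                    authcid=pending["authcid"],
                    authzid=pending["authzid"],
                    authzdn=authzdn,
                    matches_authzid=expected is not None
                    and authzdn.lower().startswith(expected.lower()),
                ))
            pending = None
    return findings


# conn=0 lines are quoted from the report; conn=1 is a constructed sample of
# the rejected "dn:" attempt (err=48 = inappropriateAuthentication).
SAMPLE_LOG = """\
SASL Authorize [conn=0]: authcid="zrdkn01" authzid="u:root"
SASL Authorize [conn=0]: "zrdkn01" as "u:root" disallowed. No policy.
slap_sasl_bind: username="u:root" realm="" ssf=56
<== slap_sasl_bind: authzdn: "uid=root"
SASL Authorize [conn=1]: "zrdkn01" as "dn:uid=root" disallowed. No policy.
conn=1 op=2 RESULT tag=97 err=48 text=authorization disallowed
"""

if __name__ == "__main__":
    for f in find_unenforced_authz(SAMPLE_LOG.splitlines()):
        print(f"conn={f.conn}: {f.authcid} disallowed as {f.authzid} "
              f"but bound with authzdn={f.authzdn!r}")
```

Run against a real slapd log at the SASL trace level, a non-empty result list means the server is setting an authorization DN that its own policy check rejected, which is exactly the behaviour reported for the "u:" form.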