[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL authorization policy not enforced

To: openldap-devel@OpenLDAP.org
Subject: SASL authorization policy not enforced
From: Norbert Klasen <klasen@zdv.uni-tuebingen.de>
Date: Thu, 21 Sep 2000 16:21:26 +0200
Organization: DFN Directory Services, ZDV Uni Tübingen

Hi,
i OpenLDAP 2.0.3 I can become any user if I specify a SASL authorization
identity with "-X u:<user>":

ldapsearch -Y GSSAPI -X u:root -s base -b "" "objectclass=" +

do_sasl_bind: dn () mech GSSAPI
conn=0 op=2 BIND dn="" method=163
==> sasl_bind: dn="" mech=<continuing> datalen=61
SASL Authorize [conn=0]: authcid="zrdkn01" authzid="u:root"
SASL Authorize [conn=0]: "zrdkn01" as "u:root" disallowed. No policy.
slap_sasl_bind: username="u:root" realm="" ssf=56
<== slap_sasl_bind: authzdn: "uid=root"

"uid=root" is then used in acl checks.

"-X dn:uid=root" gives me the expected behaviour:  
ldap_sasl_interactive_bind_s: Inappropriate authentication
        additional info: authorization disallowed

See also ITS#759 for logging of authzid.

-- 
Norbert Klasen
DFN Directory Services                           tel: +49 7071 29 70335
ZDV, Universität Tübingen                        fax: +49 7071 29 5912
D-72074 Tübingen                    norbert.klasen@zdv.uni-tuebingen.de
Germany                                     http://www.directory.dfn.de

Follow-Ups:
- Re: SASL authorization policy not enforced
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: error=Resource temporarily unavailable and Checkpoint Account Man agment Client
Next by Date: Re: SASL authorization policy not enforced
Index(es):
- Chronological
- Thread