From 494e52332fe3200204c14d01f9771a945e0362bf Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 10 Mar 2014 16:12:08 -0700
Subject: [PATCH] Ticket #47739 - directory server is insecurely
misinterpreting authzid on a SASL/GSSAPI bind

Description: SASL_CB_PROXY_POLICY callback is not needed since we
don't support the case authid and authzid do not match. This patch
gets rid of the callback function ids_sasl_proxy_policy.

https://fedorahosted.org/389/ticket/47739

Reviewed by nkinder@redhat.com (Thank you, Nathan!!)
(cherry picked from commit 76acff12a86110d4165f94e2cba13ef5c7ebc38a)
(cherry picked from commit 9bc2b46b7c7ee4c975d04b041f73a5992906b07c)
(cherry picked from commit d2063c889feeba122e12f152e2e2c98aed4eb442)
(cherry picked from commit 614d72196e696395d5bc0a6d62f8be9d4ee41c5b)
(cherry picked from commit 8a368a62ea22127f95017467a044df57937ed238)
---
ldap/servers/slapd/saslbind.c | 33 ---------------------------------
1 file changed, 33 deletions(-)

diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 2d6ec0a..a5db020 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -219,34 +219,6 @@ static int ids_sasl_log(
return SASL_OK;
}

-static int ids_sasl_proxy_policy(
- sasl_conn_t *conn,
- void *context,
- const char *requested_user, int rlen,
- const char *auth_identity, int alen,
- const char *def_realm, int urlen,
- struct propctx *propctx
-)
-{
- int retVal = SASL_OK;
- /* do not permit sasl proxy authorization */
- /* if the auth_identity is null or empty string, allow the sasl request to go thru */
- if ( (auth_identity != NULL ) && ( strlen(auth_identity) > 0 ) ) {
- Slapi_DN authId , reqUser;
- slapi_sdn_init_dn_byref(&authId,auth_identity);
- slapi_sdn_init_dn_byref(&reqUser,requested_user);
- if (slapi_sdn_compare((const Slapi_DN *)&reqUser,(const Slapi_DN *) &authId) != 0) {
- LDAPDebug(LDAP_DEBUG_TRACE,
- "sasl proxy auth not permitted authid=%s user=%s\n",
- auth_identity, requested_user, 0);
- retVal = SASL_NOAUTHZ;
- }
- slapi_sdn_done(&authId);
- slapi_sdn_done(&reqUser);
- }
- return retVal;
-}
-
static void ids_sasl_user_search(
char *basedn,
int scope,
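Review bot: the deleted ids_sasl_proxy_policy returned SASL_OK without any check whenever auth_identity was NULL or empty (see the comment "if the auth_identity is null or empty string, allow the sasl request to go thru"), and otherwise judged requested_user against auth_identity as DNs via slapi_sdn_compare, so the authzid decision rested on DN normalisation rather than on a plain identity match; removing the callback hands that decision to the SASL library's built-in proxy policy, and the commit message should say so explicitly, since "we don't support the case authid and authzid do not match" states the intent but not what now rejects the mismatch. A regression test that performs a SASL/GSSAPI bind with an authzid different from the authenticated identity and expects the bind to fail would make the fix verifiable.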
@@ -552,11 +524,6 @@ static sasl_callback_t ids_sasl_callbacks[] =
NULL
},
{
- SASL_CB_PROXY_POLICY,
- (IFP) ids_sasl_proxy_policy,
- NULL
- },
- {
SASL_CB_CANON_USER,
(IFP) ids_sasl_canon_user,
NULL
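Review bot: dropping the SASL_CB_PROXY_POLICY entry from the middle of ids_sasl_callbacks[] keeps the initialiser balanced only because the retained `{` above the deleted lines now opens the SASL_CB_CANON_USER entry, which is correct but easy to misread in review; a quick check that no prototype or other reference to ids_sasl_proxy_policy remains elsewhere (a header, for instance) would keep the build warning-free. With this entry gone the server registers no proxy-policy hook at all, so there is no longer a server-side place for an explicit "authzid must equal authid" rule and the behaviour depends entirely on the SASL library default; that is worth a sentence in the commit message.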
--
1.8.1.4