From 8a368a62ea22127f95017467a044df57937ed238 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 10 Mar 2014 16:12:08 -0700
Subject: [PATCH] Ticket #47739 - directory server is insecurely
misinterpreting authzid on a SASL/GSSAPI bind
Description: SASL_CB_PROXY_POLICY callback is not needed since we
don't support the case authid and authzid do not match. This patch
gets rid of the callback function ids_sasl_proxy_policy.
https://fedorahosted.org/389/ticket/47739
Reviewed by nkinder@redhat.com (Thank you, Nathan!!)
(cherry picked from commit 76acff12a86110d4165f94e2cba13ef5c7ebc38a)
(cherry picked from commit 9bc2b46b7c7ee4c975d04b041f73a5992906b07c)
(cherry picked from commit d2063c889feeba122e12f152e2e2c98aed4eb442)
(cherry picked from commit 614d72196e696395d5bc0a6d62f8be9d4ee41c5b)
---
ldap/servers/slapd/saslbind.c | 33 ---------------------------------
1 file changed, 33 deletions(-)
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 96b1f8c..b405c46 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -229,34 +229,6 @@ static int ids_sasl_log(
return SASL_OK;
}
-static int ids_sasl_proxy_policy(
- sasl_conn_t *conn,
- void *context,
- const char *requested_user, int rlen,
- const char *auth_identity, int alen,
- const char *def_realm, int urlen,
- struct propctx *propctx
-)
-{
- int retVal = SASL_OK;
- /* do not permit sasl proxy authorization */
- /* if the auth_identity is null or empty string, allow the sasl request to go thru */
- if ( (auth_identity != NULL ) && ( strlen(auth_identity) > 0 ) ) {
- Slapi_DN authId , reqUser;
- slapi_sdn_init_dn_byref(&authId,auth_identity);
- slapi_sdn_init_dn_byref(&reqUser,requested_user);
- if (slapi_sdn_compare((const Slapi_DN *)&reqUser,(const Slapi_DN *) &authId) != 0) {
- LDAPDebug(LDAP_DEBUG_TRACE,
- "sasl proxy auth not permitted authid=%s user=%s\n",
- auth_identity, requested_user, 0);
- retVal = SASL_NOAUTHZ;
- }
- slapi_sdn_done(&authId);
- slapi_sdn_done(&reqUser);
- }
- return retVal;
-}
-
static void ids_sasl_user_search(
char *basedn,
int scope,
@@ -575,11 +547,6 @@ static sasl_callback_t ids_sasl_callbacks[] =
NULL
},
{
- SASL_CB_PROXY_POLICY,
- (IFP) ids_sasl_proxy_policy,
- NULL
- },
- {
SASL_CB_CANON_USER,
(IFP) ids_sasl_canon_user,
NULL
--
1.8.1.4