From 8a368a62ea22127f95017467a044df57937ed238 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Mon, 10 Mar 2014 16:12:08 -0700 Subject: [PATCH] Ticket #47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind Description: SASL_CB_PROXY_POLICY callback is not needed since we don't support the case authid and authzid do not match. This patch gets rid of the callback function ids_sasl_proxy_policy. https://fedorahosted.org/389/ticket/47739 Reviewed by nkinder@redhat.com (Thank you, Nathan!!) (cherry picked from commit 76acff12a86110d4165f94e2cba13ef5c7ebc38a) (cherry picked from commit 9bc2b46b7c7ee4c975d04b041f73a5992906b07c) (cherry picked from commit d2063c889feeba122e12f152e2e2c98aed4eb442) (cherry picked from commit 614d72196e696395d5bc0a6d62f8be9d4ee41c5b) --- ldap/servers/slapd/saslbind.c | 33 --------------------------------- 1 file changed, 33 deletions(-) diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c index 96b1f8c..b405c46 100644 --- a/ldap/servers/slapd/saslbind.c +++ b/ldap/servers/slapd/saslbind.c @@ -229,34 +229,6 @@ static int ids_sasl_log( return SASL_OK; } -static int ids_sasl_proxy_policy( - sasl_conn_t *conn, - void *context, - const char *requested_user, int rlen, - const char *auth_identity, int alen, - const char *def_realm, int urlen, - struct propctx *propctx -) -{ - int retVal = SASL_OK; - /* do not permit sasl proxy authorization */ - /* if the auth_identity is null or empty string, allow the sasl request to go thru */ - if ( (auth_identity != NULL ) && ( strlen(auth_identity) > 0 ) ) { - Slapi_DN authId , reqUser; - slapi_sdn_init_dn_byref(&authId,auth_identity); - slapi_sdn_init_dn_byref(&reqUser,requested_user); - if (slapi_sdn_compare((const Slapi_DN *)&reqUser,(const Slapi_DN *) &authId) != 0) { - LDAPDebug(LDAP_DEBUG_TRACE, - "sasl proxy auth not permitted authid=%s user=%s\n", - auth_identity, requested_user, 0); - retVal = SASL_NOAUTHZ; - } - slapi_sdn_done(&authId); - slapi_sdn_done(&reqUser); - } - return retVal; -} - static void ids_sasl_user_search( char *basedn, int scope, @@ -575,11 +547,6 @@ static sasl_callback_t ids_sasl_callbacks[] = NULL }, { - SASL_CB_PROXY_POLICY, - (IFP) ids_sasl_proxy_policy, - NULL - }, - { SASL_CB_CANON_USER, (IFP) ids_sasl_canon_user, NULL -- 1.8.1.4