(ITS#9179) back-ldap SASL proxy authorization

Mon, 09 Mar 2020 00:49:37 -0700 

Full_Name: Dieter Bocklandt
Version: 2.4.49
OS: CentOS 7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.85.78.248)


When using SASL proxy authorization in conjunction with the identity assertion
feature of back-ldap, the authentication ID is asserted instead of the expected
authorization ID. A small concrete example (only referencing the relevant
attributes):

dn: cn=proxy,ou=System,dc=example,dc=net
authzTo: dn:*

dn: cn=service,ou=System,dc=example,dc=net
authzTo: dn:uid=user,ou=People,dc=example,dc=net

dn: uid=dieter,ou=People,dc=example,dc=net

and the following idassert config:
olcDbIDAssertBind: mode=self flags=override,prescriptive bindmethod=sasl
saslmech=plain authcID=proxy credentials=XXXXX  

When I perform an operation like this:
ldapmodify -H ldaps://ldapserver -Y PLAIN -U service -X
dn:uid=dieter,ou=People,dc=example,dc=net -w servicepassword -f
modifications.ldif

I would assume the following takes place:
- The service user binds to the consumer and assumes dieter's identity, which
should be the same net effect as binding with dieter's user in the first place.
- The proxy user binds to the provider and assumes dieter's identity
- The provider tries to perform the write, using dieter's identity for ACL
evaluation

What actually happens:
- The service user binds to the consumer and assumes dieter's identity
- The proxy user binds to the provider and assumes the service user's identity
- The provider tries to perform the write, using the service user's  identity
for ACL evaluation

Looking a bit deeper into this, I believe the following piece of code causes
this behavior:

(from servers/slapd/back-ldap/bind.c in master):

line 2222 - 2227:

if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
ndn = op->o_conn->c_ndn;

} else {
ndn = op->o_ndn;
}

line 2549 - 2557:

if ( op->o_tag == LDAP_REQ_BIND ) {
ndn = op->o_req_ndn;

} else if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
ndn = op->o_conn->c_ndn;

} else {
ndn = op->o_ndn;
}

It seems it tries to use op->o_conn->c_ndn if it's not null, which is (correct
me if I'm wrong) the original authcID. That value however doesn't change when
performing a proxy authorization, while op->o_ndn does properly reflect that.
Shouldn't OpenLDAP always use op->o_ndn? 

Regards,
Dieter

Reply via email to