Hello.
While using ldapd(8), I noticed that the allow/deny rules match the
bound DN in a (to me) inconvenient way.
Assuming I had a subtree ou=humans,dc=example,dc=org, users in that
subtree and I wanted to allow all users to get read access to other
users' info, I would have to create a rule for each user if I had a
default deny all policy:
```
deny read,write,bind access to subtree root by any
allow bind access to children of "ou=humans,dc=example,dc=org"
allow read access to subtree "ou=humans,dc=example,dc=org" by \
"uid=bob,ou=humans,dc=example,dc=org"
allow read access to subtree "ou=humans,dc=example,dc=org" by \
"uid=alice,ou=humans,dc=example,dc=org"
allow read access to subtree "ou=humans,dc=example,dc=org" by \
"uid=jane,ou=humans,dc=example,dc=org"
```
Instead, I made the `by DN` part match the suffix,
so the above is still valid, but can also be simplified to the below:
```
deny read,write,bind access to subtree root by any
allow bind access to children of "ou=humans,dc=example,dc=org"
allow read access to subtree "ou=humans,dc=example,dc=org" by \
"ou=humans,dc=example,dc=org"
```
Since the order matters, you can also add a disallow for a specific
uid or something, of course.
I can't think of a need for exact bind matches, as this probably
does what people want. After all, explicitly needing to define
permissions for every member of the tree structure kinda ruins it, no?
Let me know if I need to make any changes.
- vifino
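Added example (editor's illustration, not part of this mail, of the
patch, or of ldapd's own has_suffix()): matching a bind DN against a
rule DN "by suffix" only does what the mail intends if the match is
anchored on an RDN boundary. A bare byte-suffix check also accepts a DN
whose last attribute value merely ends in the same bytes, or one where
the comma before the suffix is escaped and so belongs to a value rather
than separating RDNs. The helpers below (dn_naive_suffix, dn_is_within,
count_disagreements are hypothetical names) assume both DN strings are
already normalized, since the comparison is byte-wise; the bind DNs in
the table are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Editor's illustration, not ldapd code. Both checks take DN strings
 * that are assumed to be already normalized (same case, same spacing),
 * because the comparison below is purely byte-wise.
 */

/* True when dn[i] is an RDN separator: a ',' preceded by an even number
 * of backslashes. An escaped comma is part of the value, not structure. */
static bool is_rdn_separator(const char *dn, size_t i)
{
	size_t backslashes = 0;

	if (dn[i] != ',')
		return false;
	while (i > 0 && dn[i - 1] == '\\') {
		backslashes++;
		i--;
	}
	return backslashes % 2 == 0;
}

/* Plain byte-suffix match: the behaviour a bare suffix check gives. */
bool dn_naive_suffix(const char *dn, const char *base)
{
	size_t dlen = strlen(dn), blen = strlen(base);

	return dlen >= blen && memcmp(dn + dlen - blen, base, blen) == 0;
}

/* Suffix match anchored on an RDN boundary: true only when dn is base
 * itself or an entry somewhere below base. */
bool dn_is_within(const char *dn, const char *base)
{
	size_t dlen = strlen(dn), blen = strlen(base);

	if (blen == 0 || !dn_naive_suffix(dn, base))
		return false;
	if (dlen == blen)
		return true;
	return is_rdn_separator(dn, dlen - blen - 1);
}

/* Walks a small constructed table of bind DNs and returns how many of
 * them the two checks disagree on for the subject used in the mail. */
int count_disagreements(void)
{
	static const char *base = "ou=humans,dc=example,dc=org";
	static const char *binds[] = {
		"uid=bob,ou=humans,dc=example,dc=org",  /* member: both yes */
		"ou=humans,dc=example,dc=org",          /* base itself: both yes */
		"uid=eve,ou=robots,dc=example,dc=org",  /* sibling tree: both no */
		"o=xou=humans,dc=example,dc=org",       /* lookalike value: only naive yes */
		"cn=a\\,ou=humans,dc=example,dc=org",   /* escaped comma: only naive yes */
	};
	int n = 0;
	size_t i;

	for (i = 0; i < sizeof(binds) / sizeof(binds[0]); i++)
		if (dn_naive_suffix(binds[i], base) != dn_is_within(binds[i], base))
			n++;
	return n;	/* 2 for the table above */
}
```

The two lookalike entries are valid DNs ('=' needs no escaping inside a
value, and '\,' is a literal comma in one), yet neither sits under
ou=humans, so a rule meant for that subtree should not match them.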
---
Index: auth.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
retrieving revision 1.14
diff -u -p -u -p -r1.14 auth.c
--- auth.c 24 Oct 2019 12:39:26 -0000 1.14
+++ auth.c 2 Oct 2021 12:43:29 -0000
@@ -94,8 +94,13 @@ aci_matches(struct aci *aci, struct conn
if (strcmp(aci->subject, "@") == 0) {
if (strcmp(dn, conn->binddn) != 0)
return 0;
- } else if (strcmp(aci->subject, conn->binddn) != 0)
- return 0;
+ } else {
+ key.size = strlen(conn->binddn);
+ key.data = conn->binddn;
+
+ if (!has_suffix(&key, aci->subject))
+ return 0;
+ }
}
if (aci->attribute != NULL) {
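Review bot: the suffix test in the new else branch needs to be anchored on an RDN boundary, otherwise a rule `by "ou=humans,dc=example,dc=org"` also matches a bind DN whose last attribute value merely ends in those bytes (for instance `o=xou=humans,dc=example,dc=org`, where an unescaped `=` is legal in a value) or one where the preceding comma is escaped; unless `has_suffix()` already checks that the lengths are equal or that the byte before the match is an unescaped `,`, add that check here. Two further points: replacing `strcmp()` silently widens every existing `by DN` rule from an exact match to the whole subtree under the subject, so a config written for exact matches grants more after upgrade, which deserves a mention in the commit log (or a separate keyword that keeps the exact form); and `key` is not declared in this hunk, so the code relies on a `struct btval key` already present in aci_matches(), which is worth confirming.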
Index: ldapd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/ldapd.conf.5,v
retrieving revision 1.27
diff -u -p -u -p -r1.27 ldapd.conf.5
--- ldapd.conf.5 24 Jun 2020 07:20:47 -0000 1.27
+++ ldapd.conf.5 2 Oct 2021 12:43:29 -0000
@@ -270,7 +270,7 @@ Finally, the filter rule can match a bin
The filter rule matches by any bind dn, including anonymous binds.
.It by Ar DN
The filter rule matches only if the requestor has previously performed
-a bind as the specified distinguished name.
+a bind as the specified distinguished name or a decendant.
.It by self
The filter rule matches only if the requestor has previously performed
a bind as the distinguished name that is being requested.
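Review bot: `decendant` in the added line should be `descendant`; also state the new semantics explicitly, for example "the specified distinguished name or any entry below it", so readers of ldapd.conf(5) understand that an existing exact `by DN` rule now covers the whole subtree under that DN, matching the change in auth.c.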