On Sat Oct 2, 2021 at 6:36 PM CEST, Raf Czlonka wrote: > On Sat, Oct 02, 2021 at 02:15:53PM BST, vifino wrote: > > Index: ldapd.conf.5 > > =================================================================== > > RCS file: /cvs/src/usr.sbin/ldapd/ldapd.conf.5,v > > retrieving revision 1.27 > > diff -u -p -u -p -r1.27 ldapd.conf.5 > > --- ldapd.conf.5 24 Jun 2020 07:20:47 -0000 1.27 > > +++ ldapd.conf.5 2 Oct 2021 12:43:29 -0000 > > @@ -270,7 +270,7 @@ Finally, the filter rule can match a bin > > The filter rule matches by any bind dn, including anonymous binds. > > .It by Ar DN > > The filter rule matches only if the requestor has previously performed > > -a bind as the specified distinguished name. > > +a bind as the specified distinguished name or a decendant. > ^^^^^^^^^ > A spellchecker[0] would have caught that ;^) Ah, yes, of course. The one thing I spent zero effort on. I haven't quite grokked the workflow, first submitted patch and all. I'll certainly run `spell` next time.
I'll keep this in mind for the next one. ;) > > [0] https://manpages.bsd.lv/part3-3-2.html > > Regards, > > Raf Revised patch below, not that it's necessary. - vifino --- Index: auth.c =================================================================== RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v retrieving revision 1.14 diff -u -p -u -p -r1.14 auth.c --- auth.c 24 Oct 2019 12:39:26 -0000 1.14 +++ auth.c 2 Oct 2021 17:21:28 -0000 @@ -94,8 +94,13 @@ aci_matches(struct aci *aci, struct conn if (strcmp(aci->subject, "@") == 0) { if (strcmp(dn, conn->binddn) != 0) return 0; - } else if (strcmp(aci->subject, conn->binddn) != 0) - return 0; + } else { + key.size = strlen(conn->binddn); + key.data = conn->binddn; + + if (!has_suffix(&key, aci->subject)) + return 0; + } } if (aci->attribute != NULL) { Index: ldapd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/ldapd/ldapd.conf.5,v retrieving revision 1.27 diff -u -p -u -p -r1.27 ldapd.conf.5 --- ldapd.conf.5 24 Jun 2020 07:20:47 -0000 1.27 +++ ldapd.conf.5 2 Oct 2021 17:21:28 -0000 @@ -270,7 +270,7 @@ Finally, the filter rule can match a bin The filter rule matches by any bind dn, including anonymous binds. .It by Ar DN The filter rule matches only if the requestor has previously performed -a bind as the specified distinguished name. +a bind as the specified distinguished name or a descendant. .It by self The filter rule matches only if the requestor has previously performed a bind as the distinguished name that is being requested.
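Review bot: the `} else { ... if (!has_suffix(&key, aci->subject)) return 0; }` branch replaces an exact `strcmp` with a string-suffix test, so the safety of a `by DN` rule now depends on `has_suffix` only matching at an RDN boundary. If it compares raw bytes, a bind DN whose last RDN value merely ends with the subject text, or one that differs only in case or spacing if bind DNs are not normalised before they reach `aci_matches`, would satisfy a rule that was meant for one subtree. Either check that the byte before the matched suffix is `,` (or that the lengths are equal, which keeps the old exact-match behaviour) or state in the commit message that `has_suffix` already does so. Two smaller points: `key.size = strlen(conn->binddn);` dereferences `conn->binddn` and the non-NULL guard is not inside this hunk's context, so confirm one precedes it; and `key` is assigned without a declaration in the hunk, so it must already be a local of the type `has_suffix` expects in `aci_matches`, otherwise the declaration is missing.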
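Review bot: the new line `+a bind as the specified distinguished name or a descendant.` describes a behaviour change for every existing `by DN` rule, not just a wording fix: a rule that used to match one exact bind DN now also matches every DN beneath it, which widens `allow` rules in configurations written against the old semantics. The manual page should say what counts as a descendant (suffix match on the string form of the DN, and whether case or whitespace differences matter) so it reflects what `has_suffix` actually does, and the change deserves a mention in the commit message so administrators know to re-check their `allow ... by` entries.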
