On Sat, Oct 02, 2021 at 07:03:21PM +0200, vifino wrote:
> On Sat Oct 2, 2021 at 6:36 PM CEST, Raf Czlonka wrote:
> > On Sat, Oct 02, 2021 at 02:15:53PM BST, vifino wrote:
> > > Index: ldapd.conf.5
> > > ===================================================================
> > > RCS file: /cvs/src/usr.sbin/ldapd/ldapd.conf.5,v
> > > retrieving revision 1.27
> > > diff -u -p -u -p -r1.27 ldapd.conf.5
> > > --- ldapd.conf.5  24 Jun 2020 07:20:47 -0000      1.27
> > > +++ ldapd.conf.5  2 Oct 2021 12:43:29 -0000
> > > @@ -270,7 +270,7 @@ Finally, the filter rule can match a bin
> > >  The filter rule matches by any bind dn, including anonymous binds.
> > >  .It by Ar DN
> > >  The filter rule matches only if the requestor has previously performed
> > > -a bind as the specified distinguished name.
> > > +a bind as the specified distinguished name or a decendant.
> >                                                    ^^^^^^^^^
> > A spellchecker[0] would have caught that ;^)
> Ah, yes, of course. The one thing I spent zero effort on.
> I haven't quite grokked the workflow, first submitted patch and all.
> I'll certainly run `spell` next time.
> 
> I'll keep this in mind for the next one. ;)
> >
> > [0] https://manpages.bsd.lv/part3-3-2.html
> >
> > Regards,
> >
> > Raf
> 
> Revised patch below, not that it's necessary.
> - vifino

The patch doesn't apply (for me) as your mail is quoted; here's your
diff in 7bit.

Makes sense and works as expected.
OK kn if some other LDAP hacker wants to commit, otherwise I'd make sure
that this lands unless there are objections.


Index: auth.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
retrieving revision 1.14
diff -u -p -r1.14 auth.c
--- auth.c      24 Oct 2019 12:39:26 -0000      1.14
+++ auth.c      3 Oct 2021 09:25:10 -0000
@@ -94,8 +94,13 @@ aci_matches(struct aci *aci, struct conn
                if (strcmp(aci->subject, "@") == 0) {
                        if (strcmp(dn, conn->binddn) != 0)
                                return 0;
-               } else if (strcmp(aci->subject, conn->binddn) != 0)
-                       return 0;
+               } else {
+                       key.size = strlen(conn->binddn);
+                       key.data = conn->binddn;
+
+                       if (!has_suffix(&key, aci->subject))
+                               return 0;
+               }
        }
 
        if (aci->attribute != NULL) {
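Review bot: the subject check now accepts more than "the specified DN or a descendant" if has_suffix is a plain byte-suffix compare, so confirm it anchors on an RDN boundary: `if (!has_suffix(&key, aci->subject))` with `key.data = conn->binddn` will also match a bind DN whose final RDN value merely ends with the subject text, not only the exact DN and true subordinates (`cn=x,<subject>`). Requiring either `key.size == strlen(aci->subject)` or a ',' immediately before the matched suffix in conn->binddn would close that. Two smaller points: `key` is not declared in this hunk, so confirm it is the existing struct btval already used for the target check earlier in aci_matches; and strlen(conn->binddn) is now evaluated for every non-"@" subject, so the NULL check on conn->binddn for anonymous binds must precede this block.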
Index: ldapd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/ldapd.conf.5,v
retrieving revision 1.27
diff -u -p -r1.27 ldapd.conf.5
--- ldapd.conf.5        24 Jun 2020 07:20:47 -0000      1.27
+++ ldapd.conf.5        3 Oct 2021 09:22:34 -0000
@@ -270,7 +270,7 @@ Finally, the filter rule can match a bin
 The filter rule matches by any bind dn, including anonymous binds.
 .It by Ar DN
 The filter rule matches only if the requestor has previously performed
-a bind as the specified distinguished name.
+a bind as the specified distinguished name or a descendant.
 .It by self
 The filter rule matches only if the requestor has previously performed
 a bind as the distinguished name that is being requested.
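Review bot: "or a descendant" should spell out what the match means, because it changes the meaning of every existing `by DN` rule: a rule written for `dc=example,dc=com` now also matches a bind as any entry subordinate to it, not just that exact DN. Suggest wording along the lines of "a bind as the specified distinguished name or as an entry subordinate to it (the specified DN is a suffix of the bind DN)", so administrators who relied on the previous exact match know to review their rules.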