On Sun, Oct 03, 2021 at 10:05:56AM +0000, Klemens Nanni wrote:
> On Sat, Oct 02, 2021 at 07:03:21PM +0200, vifino wrote:
> > On Sat Oct 2, 2021 at 6:36 PM CEST, Raf Czlonka wrote:
> > > On Sat, Oct 02, 2021 at 02:15:53PM BST, vifino wrote:
> > > > Index: ldapd.conf.5
> > > > ===================================================================
> > > > RCS file: /cvs/src/usr.sbin/ldapd/ldapd.conf.5,v
> > > > retrieving revision 1.27
> > > > diff -u -p -u -p -r1.27 ldapd.conf.5
> > > > --- ldapd.conf.5 24 Jun 2020 07:20:47 -0000 1.27
> > > > +++ ldapd.conf.5 2 Oct 2021 12:43:29 -0000
> > > > @@ -270,7 +270,7 @@ Finally, the filter rule can match a bin
> > > > The filter rule matches by any bind dn, including anonymous binds.
> > > > .It by Ar DN
> > > > The filter rule matches only if the requestor has previously performed
> > > > -a bind as the specified distinguished name.
> > > > +a bind as the specified distinguished name or a decendant.
> > > ^^^^^^^^^
> > > A spellchecker[0] would have caught that ;^)
> > Ah, yes, of course. The one thing I spent zero effort on.
> > I haven't quite grokked the workflow, first submitted patch and all.
> > I'll certainly run `spell` next time.
> >
> > I'll keep this in mind for the next one. ;)
> > >
> > > [0] https://manpages.bsd.lv/part3-3-2.html
> > >
> > > Regards,
> > >
> > > Raf
> >
> > Revised patch below, not that it's necessary.
> > - vifino
>
> The patch doesn't apply (for me) as your mail is quoted, here's your
> diff in 7bit.
>
> Makes sense and works as expected.
> OK kn if some other LDAP hacker wants to commit, otherwise I'd make sure
> that this lands unless there are objections.
Any takers? I plan to commit this by the end of the weekend.
Index: auth.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
retrieving revision 1.14
diff -u -p -r1.14 auth.c
--- auth.c 24 Oct 2019 12:39:26 -0000 1.14
+++ auth.c 3 Oct 2021 09:25:10 -0000
@@ -94,8 +94,13 @@ aci_matches(struct aci *aci, struct conn
if (strcmp(aci->subject, "@") == 0) {
if (strcmp(dn, conn->binddn) != 0)
return 0;
- } else if (strcmp(aci->subject, conn->binddn) != 0)
- return 0;
+ } else {
+ key.size = strlen(conn->binddn);
+ key.data = conn->binddn;
+
+ if (!has_suffix(&key, aci->subject))
+ return 0;
+ }
}
if (aci->attribute != NULL) {
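Review bot: the new else branch makes a "by DN" subject a suffix test on the bound DN via has_suffix(), so it needs an RDN boundary (a ',' immediately before the matched subject); check that has_suffix() enforces that in ldapd, or add the check here, otherwise a bind DN whose last RDN value merely ends with the subject's text would satisfy a rule it is not beneath. Two further things to confirm from code outside the hunk: has_suffix() must return true when key and aci->subject are byte-for-byte equal, since the removed `strcmp(aci->subject, conn->binddn)` exact match has to keep working for existing rules, and conn->binddn must be guaranteed non-NULL before `strlen(conn->binddn)` (the anonymous-bind handling above this hunk is not shown).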
Index: ldapd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/ldapd.conf.5,v
retrieving revision 1.27
diff -u -p -r1.27 ldapd.conf.5
--- ldapd.conf.5 24 Jun 2020 07:20:47 -0000 1.27
+++ ldapd.conf.5 3 Oct 2021 09:22:34 -0000
@@ -270,7 +270,7 @@ Finally, the filter rule can match a bin
The filter rule matches by any bind dn, including anonymous binds.
.It by Ar DN
The filter rule matches only if the requestor has previously performed
-a bind as the specified distinguished name.
+a bind as the specified distinguished name or a descendant.
.It by self
The filter rule matches only if the requestor has previously performed
a bind as the distinguished name that is being requested.
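Review bot: "or a descendant" in the new line is terse for a man page; suggest saying what it means in directory terms, e.g. "a bind as the specified distinguished name or as any entry beneath it in the directory tree", so that readers do not have to infer that a "by DN" rule now also matches binds by entries below that DN, and so that the exact-DN case is still visibly covered.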
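The behaviour the thread is agreeing on, "by DN" matching the bound DN itself or any entry beneath it, hinges on how the suffix comparison treats RDN boundaries. The following is an added example, not ldapd code and not part of the thread: dn_matches_subject() is a hypothetical check that requires a ',' separator before the suffix, shown beside a plain suffix comparison (dn_has_suffix(), also hypothetical) so the difference is visible. It assumes both DNs are already normalised the same way and contain no escaped commas; the sample DNs are constructed for the example.

```c
/*
 * Added example, not ldapd's code: ACI subject matching that treats a
 * "by DN" rule as matching the bound DN itself or any entry beneath it.
 * Assumes both strings are normalised identically (case, spacing) and
 * contain no escaped commas.  ldapd's own has_suffix() is not shown in
 * the thread and may behave differently.
 */
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if dn equals subject, or dn ends with "," followed by subject
 * (dn is a descendant of subject).  Return 0 otherwise.
 */
int
dn_matches_subject(const char *dn, const char *subject)
{
	size_t dlen = strlen(dn), slen = strlen(subject);

	if (dlen == slen)
		return strcmp(dn, subject) == 0;	/* exact bind as subject */
	if (dlen < slen + 1)
		return 0;
	/*
	 * The byte just before the suffix must be an RDN separator.
	 * Without this, "cn=xou=people,dc=example,dc=com" would pass as a
	 * descendant of "ou=people,dc=example,dc=com" because its last RDN
	 * value happens to end with the subject's text.
	 */
	if (dn[dlen - slen - 1] != ',')
		return 0;
	return strcmp(dn + dlen - slen, subject) == 0;
}

/* Plain byte-level suffix comparison, for contrast only. */
int
dn_has_suffix(const char *dn, const char *suffix)
{
	size_t dlen = strlen(dn), slen = strlen(suffix);

	if (dlen < slen)
		return 0;
	return memcmp(dn + dlen - slen, suffix, slen) == 0;
}

int
main(void)
{
	/* Constructed sample DNs; the subject is the "by DN" of an ACI. */
	const char *subject = "ou=people,dc=example,dc=com";
	const char *binds[] = {
		"ou=people,dc=example,dc=com",			/* exact */
		"uid=alice,ou=people,dc=example,dc=com",	/* child */
		"uid=bob,ou=staff,ou=people,dc=example,dc=com",	/* grandchild */
		"uid=eve,ou=other,dc=example,dc=com",		/* elsewhere */
		"cn=xou=people,dc=example,dc=com",		/* suffix, not child */
	};
	size_t i;

	for (i = 0; i < sizeof(binds) / sizeof(binds[0]); i++)
		printf("%-48s boundary=%d plain-suffix=%d\n", binds[i],
		    dn_matches_subject(binds[i], subject),
		    dn_has_suffix(binds[i], subject));
	return 0;
}
```

The last sample line is the one that separates the two checks: the plain suffix test accepts it, the boundary-aware test does not, which is the property a reviewer would want to see confirmed in whatever has_suffix() actually does.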