On Fri, 2021-10-15 at 06:13 +0000, Klemens Nanni wrote:
> On Sun, Oct 03, 2021 at 10:05:56AM +0000, Klemens Nanni wrote:
> > On Sat, Oct 02, 2021 at 07:03:21PM +0200, vifino wrote:
> > > On Sat Oct 2, 2021 at 6:36 PM CEST, Raf Czlonka wrote:
> > > > On Sat, Oct 02, 2021 at 02:15:53PM BST, vifino wrote:
> > > > > Index: ldapd.conf.5
> > > > > ===================================================================
> > > > > RCS file: /cvs/src/usr.sbin/ldapd/ldapd.conf.5,v
> > > > > retrieving revision 1.27
> > > > > diff -u -p -u -p -r1.27 ldapd.conf.5
> > > > > --- ldapd.conf.5 24 Jun 2020 07:20:47 -0000 1.27
> > > > > +++ ldapd.conf.5 2 Oct 2021 12:43:29 -0000
> > > > > @@ -270,7 +270,7 @@ Finally, the filter rule can match a bin
> > > > > The filter rule matches by any bind dn, including anonymous binds.
> > > > > .It by Ar DN
> > > > > The filter rule matches only if the requestor has previously
> > > > > performed
> > > > > -a bind as the specified distinguished name.
> > > > > +a bind as the specified distinguished name or a decendant.
> > > > ^^^^^^^^^
> > > > A spellchecker[0] would have caught that ;^)
> > > Ah, yes, of course. The one thing I spent zero effort on.
> > > I haven't quite grokked the workflow, first submitted patch and all.
> > > I'll certainly run `spell` next time.
> > >
> > > I'll keep this in mind for the next one. ;)
> > > >
> > > > [0] https://manpages.bsd.lv/part3-3-2.html
> > > >
> > > > Regards,
> > > >
> > > > Raf
> > >
> > > Revised patch below, not that it's necessary.
> > > - vifino
> >
> > The patch doesn't apply (for me) as your mail is quoted, here's your
> > diff in 7bit.
> >
> > Makes sense and works as expected.
> > OK kn if some other LDAP hacker wants to commit, otherwise I'd make sure
> > that this lands unless there are objections.
>
> Any takers? I plan to commit this by the end of the weekend.
Sorry for the delay.
The code looks good to me; however, there is one edge case that I think
doesn't occur too often in the wild but could bite people in the
rear if they deploy this construct:
Things like an organization or organizationalUnit MAY contain
userPassword, which implies that people might log in as that particular
DN, which in turn might have something like posixAccount entries below
it. The problem now becomes that the posixAccounts get the same
permissions as the organizationalUnit.
Maybe something like "by filter" would be a better fit, since it would
allow for an even wider functionality.
martijn@
>
>
> Index: auth.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ldapd/auth.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 auth.c
> --- auth.c 24 Oct 2019 12:39:26 -0000 1.14
> +++ auth.c 3 Oct 2021 09:25:10 -0000
> @@ -94,8 +94,13 @@ aci_matches(struct aci *aci, struct conn
> if (strcmp(aci->subject, "@") == 0) {
> if (strcmp(dn, conn->binddn) != 0)
> return 0;
> - } else if (strcmp(aci->subject, conn->binddn) != 0)
> - return 0;
> + } else {
> + key.size = strlen(conn->binddn);
> + key.data = conn->binddn;
> +
> + if (!has_suffix(&key, aci->subject))
> + return 0;
> + }
> }
>
> if (aci->attribute != NULL) {
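Review bot: replacing the exact strcmp() against conn->binddn with has_suffix(&key, aci->subject) silently widens every existing `by DN` rule on upgrade: a rule written for one bind DN now also grants its rights to any bind DN beneath it, and no new configuration keyword is needed to opt in. Because the DN bound as can itself be an entry with entries below it (an organizationalUnit carrying userPassword, as martijn points out), those entries inherit the rule's permissions. Consider gating the subtree match behind a distinct keyword (or the `by filter` form suggested above) instead of changing the meaning of existing rules. Also confirm that has_suffix, which is handed the raw bytes of conn->binddn here, matches only when the subject is the whole DN or is immediately preceded by the RDN separator ','; a plain byte-suffix compare would also accept a bind DN whose last RDN value merely ends in the subject's characters.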
> Index: ldapd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ldapd/ldapd.conf.5,v
> retrieving revision 1.27
> diff -u -p -r1.27 ldapd.conf.5
> --- ldapd.conf.5 24 Jun 2020 07:20:47 -0000 1.27
> +++ ldapd.conf.5 3 Oct 2021 09:22:34 -0000
> @@ -270,7 +270,7 @@ Finally, the filter rule can match a bin
> The filter rule matches by any bind dn, including anonymous binds.
> .It by Ar DN
> The filter rule matches only if the requestor has previously performed
> -a bind as the specified distinguished name.
> +a bind as the specified distinguished name or a descendant.
> .It by self
> The filter rule matches only if the requestor has previously performed
> a bind as the distinguished name that is being requested.
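Review bot: "or a descendant" is now spelled correctly, but the sentence still leaves the scope of the change implicit. State that any bind DN subordinate to the specified DN (one that has the specified DN as its suffix) also matches, and that this applies to existing `by DN` rules without further configuration, so that an administrator re-reading ldapd.conf(5) after the upgrade sees that the rule covers entries beneath the named DN, not just the DN itself.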
>
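As an added illustration of the edge case martijn describes, and of what a subtree match has to check, here are three stand-alone C functions that contrast the pre-patch exact match, a raw byte-suffix match and a boundary-aware subtree match on constructed DNs. This is not code from the ldapd patch or from OpenBSD; the function names, the DN values and the assumption that both DNs are already normalized are mine.

```c
#include <stdio.h>
#include <string.h>

/* Pre-patch "by DN" semantics: the bind DN must equal the rule subject. */
int
subject_exact(const char *binddn, const char *subject)
{
	return strcmp(binddn, subject) == 0;
}

/* Raw byte-suffix test, with no regard for RDN boundaries. */
int
subject_raw_suffix(const char *binddn, const char *subject)
{
	size_t blen = strlen(binddn), slen = strlen(subject);
	if (blen < slen)
		return 0;
	return memcmp(binddn + blen - slen, subject, slen) == 0;
}

/*
 * Subtree test: the bind DN is the subject itself or "<rdn>,<subject>",
 * so the subject must be the whole string or a suffix immediately
 * preceded by the RDN separator ','.  Byte comparison only (assumption:
 * both DNs are already normalized).
 */
int
subject_subtree(const char *binddn, const char *subject)
{
	size_t blen = strlen(binddn), slen = strlen(subject);
	if (blen == slen)
		return memcmp(binddn, subject, slen) == 0;
	if (blen <= slen || binddn[blen - slen - 1] != ',')
		return 0;
	return memcmp(binddn + blen - slen, subject, slen) == 0;
}

int
main(void)
{
	/* Constructed DNs: an OU that may carry userPassword, a user below it,
	 * and a syntactically valid DN whose last RDN value merely ends in
	 * the same bytes as the OU's DN. */
	const char *ou   = "ou=people,dc=example,dc=com";
	const char *user = "uid=bob,ou=people,dc=example,dc=com";
	const char *look = "o=otherou=people,dc=example,dc=com";

	printf("exact   ou=%d user=%d look=%d\n", subject_exact(ou, ou), subject_exact(user, ou), subject_exact(look, ou));
	printf("raw     ou=%d user=%d look=%d\n", subject_raw_suffix(ou, ou), subject_raw_suffix(user, ou), subject_raw_suffix(look, ou));
	printf("subtree ou=%d user=%d look=%d\n", subject_subtree(ou, ou), subject_subtree(user, ou), subject_subtree(look, ou));
	return 0;
}
```

The `user` row is the inheritance martijn warns about: once `by DN` means subtree, a rule naming the OU also applies to every account bound beneath it, while the `look` row shows why the suffix test must be anchored at an RDN separator.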