summaryrefslogtreecommitdiffstats
path: root/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:23:54 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:23:54 +0000
commitfe2751bf1e0388ddfa3fdfa88ed70b2bc94e2173 (patch)
tree5f743c2fcc2c85b0363602a14ac3753bc5a19abc /debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
parentAdding upstream version 2.4.47+dfsg. (diff)
downloadopenldap-fe2751bf1e0388ddfa3fdfa88ed70b2bc94e2173.tar.xz
openldap-fe2751bf1e0388ddfa3fdfa88ed70b2bc94e2173.zip
Adding debian version 2.4.47+dfsg-3+deb10u7.debian/2.4.47+dfsg-3+deb10u7debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch')
-rw-r--r--debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch b/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
new file mode 100644
index 0000000..a63c6fe
--- /dev/null
+++ b/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
@@ -0,0 +1,36 @@
+From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 19 Jun 2019 12:29:02 +0100
+Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
+
+Treat as normal user for any other DB.
+---
+ servers/slapd/saslauthz.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 64c70537d..b3727eafe 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
+ goto DONE;
+ }
+
+- /* Allow the manager to authorize as any DN. */
+- if( op->o_conn->c_authz_backend &&
+- be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
++ /* Allow the manager to authorize as any DN in its own DBs. */
+ {
+- rc = LDAP_SUCCESS;
+- goto DONE;
++ Backend *zbe = select_backend( authzDN, 1 );
++ if ( zbe && be_isroot_dn( zbe, authcDN )) {
++ rc = LDAP_SUCCESS;
++ goto DONE;
++ }
+ }
+
+ /* Check source rules */
+--
+2.20.1
+