diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:23:54 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:23:54 +0000 |
commit | fe2751bf1e0388ddfa3fdfa88ed70b2bc94e2173 (patch) | |
tree | 5f743c2fcc2c85b0363602a14ac3753bc5a19abc /debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch | |
parent | Adding upstream version 2.4.47+dfsg. (diff) | |
download | openldap-fe2751bf1e0388ddfa3fdfa88ed70b2bc94e2173.tar.xz openldap-fe2751bf1e0388ddfa3fdfa88ed70b2bc94e2173.zip |
Adding debian version 2.4.47+dfsg-3+deb10u7.debian/2.4.47+dfsg-3+deb10u7debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch')
-rw-r--r-- | debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch b/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch new file mode 100644 index 0000000..a63c6fe --- /dev/null +++ b/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch @@ -0,0 +1,36 @@ +From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Wed, 19 Jun 2019 12:29:02 +0100 +Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs. + +Treat as normal user for any other DB. +--- + servers/slapd/saslauthz.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c +index 64c70537d..b3727eafe 100644 +--- a/servers/slapd/saslauthz.c ++++ b/servers/slapd/saslauthz.c +@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op, + goto DONE; + } + +- /* Allow the manager to authorize as any DN. */ +- if( op->o_conn->c_authz_backend && +- be_isroot_dn( op->o_conn->c_authz_backend, authcDN )) ++ /* Allow the manager to authorize as any DN in its own DBs. */ + { +- rc = LDAP_SUCCESS; +- goto DONE; ++ Backend *zbe = select_backend( authzDN, 1 ); ++ if ( zbe && be_isroot_dn( zbe, authcDN )) { ++ rc = LDAP_SUCCESS; ++ goto DONE; ++ } + } + + /* Check source rules */ +-- +2.20.1 + |