proxyauth support does not work when bound as directory manager #1697
Comments
Comment from pspacek at 2015-12-01 16:48:17 Surprisingly, the access log shows the authzid in this case:
but the authzid is not effective. Furthermore, DS does not return an error even though the control is marked as critical in the request.
Comment from nkinder (@nkinder) at 2015-12-09 22:34:16 Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1290101
Comment from lkrispen (@elkris) at 2016-02-16 20:30:15 attachment
Comment from nhosoi (@nhosoi) at 2016-02-16 23:58:57
Hi Ludwig, please help me understand this condition at line 4052. So, instead of granting full access if isRoot is true, this condition
Comment from lkrispen (@elkris) at 2016-02-17 17:13:54 (access &SLAPI_ACL_PROXY) is only true if we want to test if the bound user has the proxy rights, so in case of directory manager this should always be granted,
Comment from firstyear (@Firstyear) at 2016-05-20 07:57:58
This code is very confusing to me. I like things simple. Couldn't we do:
Where isProxy is set similar to your change in aclplugin.c. That would be cleaner, avoids the need to change lots of function signatures and visually is much easier to see what is occurring.
Comment from nhosoi (@nhosoi) at 2016-06-03 03:09:04 Replying to [comment:10 Firstyear]:
Thanks, William! Sounds promising. In the meantime, could your proposal be translated like this? Or do you want to add isProxy? I'm more than happy to review your patch... ;)
Comment from firstyear (@Firstyear) at 2016-06-03 04:56:04 Well, isProxy already exists in Ludwig's patch. ldap/servers/plugins/acl/aclplugin.c line 120 (Bottom of the patch). So either we can dup the method to get is proxy, or make a smaller helper function. This way we don't need to pass around the access flag and bitmask on it. Depends on if Ludwig is happy for me to take over or not to be honest.
Comment from lkrispen (@elkris) at 2016-06-17 14:39:44 Sorry for the late response. Your suggestions change the logic from ( (access & SLAPI_ACL_PROXY)|| !aclpb) to
The test (access & SLAPI_ACL_PROXY) does not check if this is a proxyuser, but if the proxy right should be tested. Let me try to explain the logic in line 4052 again. We are testing if access control can be skipped, before the fix this was simple:
Now, if bound as root (isRoot) we have two different scenarios:
b) if root is proxying another user and testing some access right like SEARCH, READ .. we need to continue with evaluation, the evaluation will be done with the proxydn. To determine if we are in this case we check the existence of an ACLPB_PROXYDN_PBLOCK.
so ( a || b) becomes:
The patch has been tested and confirmed to work, hope I addressed your concerns.
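The following is an added illustration, not code from 389-ds-base or from any participant in this thread: a small C model of the "can ACL evaluation be skipped?" decision that Ludwig describes for a bind as root, before and after the fix. The names SLAPI_ACL_PROXY and ACLPB_PROXYDN_PBLOCK and the reference to line 4052 come from the discussion, and the control OID and the "dn:" authzId form come from RFC 4370; the numeric bit values, the struct aclpb layout, the function names and the sample DNs are assumptions made only for this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* RFC 4370 proxied authorization control.  Its control value carries an
 * authzId and the control MUST be marked critical by the client. */
#define PROXY_AUTHZ_OID "2.16.840.1.113730.3.4.18"

/* Access-right bits.  The names follow the discussion above; the numeric
 * values are local assumptions for this model, not the real SLAPI constants. */
#define SLAPI_ACL_SEARCH 0x01
#define SLAPI_ACL_READ   0x02
#define SLAPI_ACL_WRITE  0x04
#define SLAPI_ACL_PROXY  0x08  /* "may the bound user proxy at all?" */

/* Stand-in for the per-operation ACL pblock.  Only the field the discussion
 * cares about is modelled: the proxied DN (ACLPB_PROXYDN_PBLOCK), NULL when
 * no proxy authorization control accompanied the request. */
struct aclpb {
    const char *proxy_dn;
};

/* Constructed sample states (assumed DNs) used by main() and the checks. */
static const struct aclpb PB_NO_PROXY = { NULL };
static const struct aclpb PB_PROXY    = { "uid=jdoe,ou=people,dc=example,dc=com" };

/* Pull the DN out of an authzId of the form "dn:<distinguishedName>".
 * Returns a pointer into authzid, or NULL for the "u:" form, an empty
 * value (anonymous) or anything malformed. */
static const char *authzid_dn(const char *authzid)
{
    if (authzid == NULL || strncmp(authzid, "dn:", 3) != 0 || authzid[3] == '\0')
        return NULL;
    return authzid + 3;
}

/* Before the fix: bound as root means evaluation is skipped, full stop.
 * That is the bug in the ticket: root proxying jdoe is still treated as root. */
static bool acl_skip_before_fix(bool is_root, int access, const struct aclpb *pb)
{
    (void)access;
    (void)pb;
    return is_root;
}

/* After the fix, as explained above.  Bound as root, two cases:
 *  a) not proxying, or the question is only "does root hold proxy rights?"
 *     -> skip evaluation (grant);
 *  b) proxying another identity and testing SEARCH/READ/...
 *     -> do NOT skip; evaluation continues against the proxied DN. */
static bool acl_skip_after_fix(bool is_root, int access, const struct aclpb *pb)
{
    if (!is_root)
        return false;              /* ordinary binds are always evaluated */
    if (access & SLAPI_ACL_PROXY)
        return true;               /* directory manager may always proxy */
    if (pb == NULL || pb->proxy_dn == NULL)
        return true;               /* root acting as itself */
    return false;                  /* root acting as someone else: evaluate ACIs */
}

/* Identity the ACIs are evaluated against once evaluation is not skipped. */
static const char *effective_dn(const char *bind_dn, const struct aclpb *pb)
{
    return (pb != NULL && pb->proxy_dn != NULL) ? pb->proxy_dn : bind_dn;
}

int main(void)
{
    const char *root = "cn=Directory Manager";
    const char *authzid = "dn:uid=jdoe,ou=people,dc=example,dc=com";
    struct aclpb pb = { authzid_dn(authzid) };

    printf("control %s with authzId \"%s\"\n", PROXY_AUTHZ_OID, authzid);
    printf("before fix: READ as root -> skip evaluation = %d\n",
           acl_skip_before_fix(true, SLAPI_ACL_READ, &pb));
    printf("after fix:  READ as root -> skip evaluation = %d, ACIs evaluated as %s\n",
           acl_skip_after_fix(true, SLAPI_ACL_READ, &pb), effective_dn(root, &pb));
    printf("after fix:  PROXY right as root -> skip evaluation = %d\n",
           acl_skip_after_fix(true, SLAPI_ACL_PROXY, &pb));
    return 0;
}
```

The model makes the two scenarios concrete: with the control present and an ordinary right requested, the post-fix check falls through to ACI evaluation with the proxied DN, while the pre-fix check still short-circuits on isRoot, which is exactly the symptom in the ticket (authzid logged but not effective).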
Comment from lkrispen (@elkris) at 2016-06-17 17:50:43 attachment
Comment from nhosoi (@nhosoi) at 2016-06-17 23:03:24 Thank you so much for the explanation. Now, it's perfectly clear. You have my ack.
Comment from lkrispen (@elkris) at 2016-06-20 18:24:54 committed to master:
Comment from nhosoi (@nhosoi) at 2016-06-20 21:59:10 Closing with fixed on behalf of Ludwig... ;)
Comment from nhosoi (@nhosoi) at 2016-06-22 04:40:30 git patch file (master) -- one line coverity fix
Comment from lkrispen (@elkris) at 2017-02-11 23:07:54 Metadata Update from @elkris:
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/48366
using RFC 4370 proxy auth LDAP control when bound as cn=Directory Manager does not allow ACIs to be evaluated as the proxied identity. We need this to make sure we can consider LDAP ACIs in IPA KDC driver.