ITS#9038 restrict rootDN proxyauthz to its own DBs.

author Howard Chu <hyc@openldap.org>

Wed, 19 Jun 2019 11:29:02 +0000 (12:29 +0100)

committer Quanah Gibson-Mount <quanah@openldap.org>

Thu, 20 Jun 2019 18:03:08 +0000 (18:03 +0000)
author Howard Chu <hyc@openldap.org>
Wed, 19 Jun 2019 11:29:02 +0000 (12:29 +0100)
committer Quanah Gibson-Mount <quanah@openldap.org>
Thu, 20 Jun 2019 18:03:08 +0000 (18:03 +0000)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c

index 64c70537d1003e7d06b68719e32d80c468f295ce..b3727eafe1d2997398a1340adddbf27deac06eb5 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
                 goto DONE;
         }
  
-       /* Allow the manager to authorize as any DN. */
-       if( op->o_conn->c_authz_backend &&
-               be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
+       /* Allow the manager to authorize as any DN in its own DBs. */
         {
-               rc = LDAP_SUCCESS;
-               goto DONE;
+               Backend *zbe = select_backend( authzDN, 1 );
+               if ( zbe && be_isroot_dn( zbe, authcDN )) {
+                       rc = LDAP_SUCCESS;
+                       goto DONE;
+               }
         }
  
         /* Check source rules */
author	Howard Chu <hyc@openldap.org>
	Wed, 19 Jun 2019 11:29:02 +0000 (12:29 +0100)
committer	Quanah Gibson-Mount <quanah@openldap.org>
	Thu, 20 Jun 2019 18:03:08 +0000 (18:03 +0000)