ITS#9038 restrict rootDN proxyauthz to its own DBs.

author Howard Chu <hyc@openldap.org>

Wed, 19 Jun 2019 11:29:02 +0000 (12:29 +0100)

committer Howard Chu <hyc@openldap.org>

Wed, 19 Jun 2019 11:40:19 +0000 (12:40 +0100)
author Howard Chu <hyc@openldap.org>
Wed, 19 Jun 2019 11:29:02 +0000 (12:29 +0100)
committer Howard Chu <hyc@openldap.org>
Wed, 19 Jun 2019 11:40:19 +0000 (12:40 +0100)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c

index 541c21344c585945385e550c5677a4022d9baecf..de34c0b10deb5f50073134cb8d51944ad47b6529 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
                 goto DONE;
         }
  
-       /* Allow the manager to authorize as any DN. */
-       if( op->o_conn->c_authz_backend &&
-               be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
+       /* Allow the manager to authorize as any DN in its own DBs. */
         {
-               rc = LDAP_SUCCESS;
-               goto DONE;
+               Backend *zbe = select_backend( authzDN, 1 );
+               if ( zbe && be_isroot_dn( zbe, authcDN )) {
+                       rc = LDAP_SUCCESS;
+                       goto DONE;
+               }
         }
  
         /* Check source rules */
author	Howard Chu <hyc@openldap.org>
	Wed, 19 Jun 2019 11:29:02 +0000 (12:29 +0100)
committer	Howard Chu <hyc@openldap.org>
	Wed, 19 Jun 2019 11:40:19 +0000 (12:40 +0100)