ITS#10503 authzTo: reject member attributes with non-DN syntax
authorHoward Chu <hyc@openldap.org>
Wed, 13 May 2026 13:51:27 +0000 (14:51 +0100)
committerQuanah Gibson-Mount <quanah@openldap.org>
Tue, 19 May 2026 16:39:09 +0000 (16:39 +0000)
servers/slapd/saslauthz.c

index 28c99b101b09ef83488ed0092363d94b8b35c5e0..cb1efd1a77e7e23748ab28f0e0068b2e283a8ad4 100644 (file)
@@ -368,6 +368,10 @@ is_dn:             bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
                                if ( rc != LDAP_SUCCESS ) {
                                        return rc;
                                }
+                               if (ad->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName &&
+                                       !is_at_syntax( ad->ad_type, SLAPD_NAMEUID_SYNTAX )) {
+                                       return LDAP_INVALID_SYNTAX;
+                               }
                        }
 
                        if ( oc_bvfind( &group_oc ) == NULL ) {
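Review bot: The added syntax test at the end of the member-attribute branch has no comment explaining why only the distinguishedName and NameAndOptionalUID syntaxes are accepted, and a later edit could loosen it without noticing that it is a security restriction. A one-line comment above it would do, for example `/* ITS#10503: member attribute must have DN or NameAndOptionalUID syntax */`. The test also drops the spaces inside the parentheses that the `if ( rc != LDAP_SUCCESS )` just above uses, and it mixes a pointer comparison with an `is_at_syntax()` call; `!is_at_syntax( ad->ad_type, SLAPD_DN_SYNTAX ) && !is_at_syntax( ad->ad_type, SLAPD_NAMEUID_SYNTAX )` would read more uniformly. The check appears to run only when a value is validated, so authzTo values stored before this change are presumably not re-checked; if the group form is also parsed in the normalizer or at match time, the same test probably belongs there. The enclosing function starts and ends outside the hunk.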