ITS#9038 restrict rootDN proxyauthz to its own DBs.

Treat as normal user for any other DB.
Howard Chu 2019-06-19 12:29:02 +01:00
parent bc61773904
commit fbe5611e60


@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
goto DONE;
}
/* Allow the manager to authorize as any DN. */
if( op->o_conn->c_authz_backend &&
be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
/* Allow the manager to authorize as any DN in its own DBs. */
{
rc = LDAP_SUCCESS;
goto DONE;
Backend *zbe = select_backend( authzDN, 1 );
if ( zbe && be_isroot_dn( zbe, authcDN )) {
rc = LDAP_SUCCESS;
goto DONE;
}
}
/* Check source rules */
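Review bot: The literal `1` passed to `select_backend( authzDN, 1 )` decides which database's rootDN is honoured for the proxy, and nothing at the call says what it selects. If it is the no-subordinates flag, an authzDN inside a glued subordinate database would resolve to the superior database, so the superior's rootDN could still authorize into the subordinate while the subordinate's own rootDN could not; whichever is intended should be written down, e.g. `/* noSubs=1: a glued subordinate resolves to its superior DB, whose rootDN is the one checked */`. The new comment should also state that a rootDN whose authzDN lies in another database, or in none (`zbe` is NULL), is not refused here but falls through to the source rules below. slap_sasl_authorized starts and ends outside this hunk, so whether authzDN is already normalized when it reaches this lookup cannot be confirmed from here.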