[PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.

Treat as normal user for any other DB.

Gbp-Pq: Name ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index d80370ff9b123202e91a20470d9d58315ca9f898..06c1e21cc3ae5c5e19ecda28a98d50340487347f 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
                goto DONE;
        }
 
-       /* Allow the manager to authorize as any DN. */
-       if( op->o_conn->c_authz_backend &&
-               be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
+       /* Allow the manager to authorize as any DN in its own DBs. */
        {
-               rc = LDAP_SUCCESS;
-               goto DONE;
+               Backend *zbe = select_backend( authzDN, 1 );
+               if ( zbe && be_isroot_dn( zbe, authcDN )) {
+                       rc = LDAP_SUCCESS;
+                       goto DONE;
+               }
        }
 
        /* Check source rules */