administrator relies on TLS to protect the password, it is recommended
that unprotected authentication be disabled. This is done by setting
"{{EX:disallow bind_simple_unprotected}}" in {{slapd.conf}}(5).
-The level of confidential protection to require can be adjusted
-using the {{overall}} security strength factor using the {EX:security}}
-directive. If this factor is not set (or set to integrity only),
-any confidentiality protection is sufficient.
+The {{EX:security}} directive's {{EX:simple_bind}} option provides
+fine grain control over the level of confidential protection to
+require for {{simple}} user/password authentication.
The user/password authenticated bind mechanism can be completely
disabled by setting "{{EX:disallow bind_simple}}".
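Review bot: the added paragraph ("The {{EX:security}} directive's {{EX:simple_bind}} option provides fine grain control ...") drops two facts the removed text carried: what the value is compared against and what happens when it is not set ("any confidentiality protection is sufficient"). State the unit (a security strength factor that the bind's effective SSF must reach) and the unset behaviour explicitly, e.g. "If {{EX:simple_bind}} is not set, no confidentiality protection is required for simple binds beyond what {{EX:disallow bind_simple_unprotected}} enforces." Also "fine grain control" should read "fine-grained control"; the same phrase appears in the slapd.conf(5) hunk.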
disables simple (bind) authentication.
.B bind_simple_unprotected
disables simple (bind) authentication when confidentiality
-protection (e.g. TLS) is not in place. The level of confidential
-protection to require can be adjusted using the
-.I overall security strength factor
-using the
+protection (e.g. TLS) is not in place. The
.B security
-directive. If this factor is not set (or set to integrity only),
-any confidentiality protection is sufficient.
+directive's
+.B simple_bind
+option provides fine grain control over the confidentiality
+protection required for simple bind.
.B bind_krbv4
disables Kerberos V4 (bind) authentication.
.B tls_2_anon
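Review bot: the rewritten `bind_simple_unprotected` entry still says the mechanism is disabled "when confidentiality protection (e.g. TLS) is not in place", but after this patch the only test behind that flag is `op->o_ssf <= 1` (the `sss_ssf` comparison is removed in the backend hunk). Say what counts as protection in measurable terms, e.g. "when the bind's security strength factor is not greater than 1", and point to `simple_bind=<n>` for any stronger requirement; otherwise an administrator who relied on the old text and a `security ssf=` setting will not realise that simple binds are now accepted at any SSF above 1. Minor: "fine grain control" should be "fine-grained control".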
.B update_sasl=<n>
specifies the SASL security strength factor to require for
directory updates.
+.B simple_bind=<n>
+specifies the security strength factor required for
+.I simple
+username/password authentication.
Note that the
.B transport
factor is measure of security provided by the underlying transport,
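Review bot: the new `simple_bind=<n>` entry should say what `<n>` is compared against and what the default is. The neighbouring `update_sasl=<n>` entry names the factor it checks ("the SASL security strength factor"); this one only says "the security strength factor". Since the backend hunk compares it to `op->o_ssf`, document it as the bind operation's effective security strength factor (transport or TLS for a simple bind, as no SASL layer is involved), and add "The default is 0, meaning no requirement" if that is the initial value of `sss_simple_bind`. A short sentence noting that this replaces the old behaviour of `disallow bind_simple_unprotected` honouring `ssf=` would help upgrades.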
return LDAP_CONFIDENTIALITY_REQUIRED;
}
+
+ if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) {
+ /* simple bind specific check */
+ if( op->o_ssf < ssf->sss_simple_bind ) {
+ *text = "confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+ }
+
if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
/* these checks don't apply to SASL bind */
goto cleanup;
} else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
- && ( op->o_ssf <= 1 || op->o_ssf < global_ssf_set.sss_ssf ))
+ && ( op->o_ssf <= 1 ))
{
rc = LDAP_CONFIDENTIALITY_REQUIRED;
text = "unwilling to perform simple authentication "
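Review bot: the changed condition at `&& ( op->o_ssf <= 1 ))` removes `op->o_ssf < global_ssf_set.sss_ssf`, so a deployment that today sets `disallow bind_simple_unprotected` together with `security ssf=<n>` will, after this patch, accept simple binds at any SSF above 1 unless the administrator also adds `security simple_bind=<n>`. That is a silent weakening on upgrade; either keep the old comparison as a fallback when `sss_simple_bind` is 0, or make sure the documentation hunks carry an explicit upgrade note. Two smaller points in the same hunk: the new block writes `*text = "confidentiality required"` while the existing `bind_simple_unprotected` path assigns `text = "unwilling to perform simple authentication "`, so the two rejections report different diagnostics for what an operator sees as the same policy; and the new check reads `ssf->sss_simple_bind` whereas the old one read `global_ssf_set.sss_ssf`, so confirm that `ssf` already points at the per-backend set (with the global fallback) at this point in the function.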
} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_SIMPLE;
- } else if( strcasecmp( cargv[i], "bind_simple_unprotected" ) == 0 ) {
- disallows |= SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED;
-
} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_KRBV4;
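Review bot: deleting the `bind_simple_unprotected` branch means `slapd` no longer recognises `disallow bind_simple_unprotected`, yet the admin guide hunk still tells administrators to set it, the slapd.conf(5) hunk still documents it, and `backend_check_restrictions` still tests `SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED`. Either restore the parsing (a deprecation warning pointing at `security simple_bind=<n>` would be a reasonable middle ground) or remove the flag, its check and its documentation in the same change; as it stands, existing configurations that use the keyword will fail to load and the remaining flag test becomes unreachable.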
set->sss_update_sasl =
atoi( &cargv[i][sizeof("update_sasl")] );
+ } else if( strncasecmp( cargv[i], "simple_bind=",
+ sizeof("simple_bind") ) == 0 )
+ {
+ set->sss_simple_bind =
+ atoi( &cargv[i][sizeof("simple_bind")] );
+
} else {
#ifdef NEW_LOGGING
LDAP_LOG( CONFIG, CRIT,
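Review bot: `atoi( &cargv[i][sizeof("simple_bind")] )` fails open. A malformed value such as `simple_bind=abc` or `simple_bind= 128` yields 0, which sets `sss_simple_bind` to "no requirement" without any diagnostic, and for a setting whose purpose is to refuse cleartext passwords that deserves a check even though the adjacent `update_sasl` parsing has the same weakness. Parse with `strtol()` and an end pointer, reject anything that is not a complete non-negative number that fits in `slap_ssf_t`, and log a CONFIG error on failure. The length passed to `strncasecmp`, `sizeof("simple_bind")`, is 12 and so also matches the `=` in `"simple_bind="`, which is what the subsequent `&cargv[i][sizeof("simple_bind")]` offset relies on; fine, but worth a one-line comment since it is easy to misread as an off-by-one.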
slap_ssf_t sss_update_transport;
slap_ssf_t sss_update_tls;
slap_ssf_t sss_update_sasl;
+ slap_ssf_t sss_simple_bind;
} slap_ssf_set_t;
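Review bot: `sss_simple_bind` is added to `slap_ssf_set_t`, but this hunk shows no corresponding initialiser or default. Confirm that every `slap_ssf_set_t` instance (the global set and any per-backend copies) is zero-initialised or explicitly assigned, since the new comparison in `backend_check_restrictions` would otherwise read an indeterminate value and either reject all simple binds or none. A trailing comment on the field, stating that 0 means no requirement, would also document the default the man page hunk currently leaves unsaid.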
/*