Restrict bind
authorKurt Zeilenga <kurt@openldap.org>
Mon, 28 Aug 2000 23:29:29 +0000 (23:29 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Mon, 28 Aug 2000 23:29:29 +0000 (23:29 +0000)
servers/slapd/bind.c

index e825eeb850d6352af19e2a05341d2d45e7c6ba0a..d65bd9c22373f12f0b3f3df656df1e8fb6cdebf2 100644 (file)
@@ -346,6 +346,33 @@ do_bind(
                goto cleanup;
        }
 
+       if( op->o_ssf < be->be_ssf_set.sss_ssf ) {
+               text = "confidentiality required";
+               rc = LDAP_CONFIDENTIALITY_REQUIRED;
+
+       } else if( op->o_transport_ssf < be->be_ssf_set.sss_transport ) {
+               text = "transport confidentiality required";
+               rc = LDAP_CONFIDENTIALITY_REQUIRED;
+
+       } else if( op->o_tls_ssf < be->be_ssf_set.sss_tls ) {
+               text = "TLS confidentiality required";
+               rc = LDAP_CONFIDENTIALITY_REQUIRED;
+
+       } else if( op->o_sasl_ssf < be->be_ssf_set.sss_sasl ) {
+               text = "SASL confidentiality required";
+               rc = LDAP_CONFIDENTIALITY_REQUIRED;
+
+       } else if( be->be_restrictops & SLAP_RESTRICT_OP_BIND ) {
+               text = "bind operation restricted";
+               rc = LDAP_UNWILLING_TO_PERFORM;
+       }
+
+       if( rc != LDAP_SUCCESS ) {
+               send_ldap_result( conn, op, rc,
+                       NULL, text, NULL, NULL );
+               goto cleanup;
+       }
+
        conn->c_authz_backend = be;
 
        if ( be->be_bind ) {
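Review bot: The rejection test `if( rc != LDAP_SUCCESS )` only works if `rc` is still LDAP_SUCCESS when control reaches the new chain, and nothing in the hunk establishes that; do_bind starts and ends outside the hunk, so this needs confirming against the earlier paths. A comment above the chain such as `/* rc is LDAP_SUCCESS here; the checks below set it (and text) only on refusal */` would pin the assumption, since otherwise a stale `rc` would refuse the bind with whatever `text` held before. Separately, the `sss_sasl` branch applies to every bind that reaches this point: if a SASL bind can get here before its security layer exists, a non-zero SASL requirement could never be met by the bind that establishes it, so either skip that branch for SASL binds or state in a comment that they are handled earlier. The same comment should say that these checks run after the bind request has already been received, so they refuse the operation but cannot keep simple-bind credentials off a transport weaker than the configured minimum.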