Add "disallow tls_authc" to disallow StartTLS when session is authenticated.
Create and use connection2anonymous routine for consistency.
by <who>).
See the "OpenLDAP's Administrator's Guide" for details.
.TP
+.B allow <features>
+Specify a set of features (separated by white space) to allow.
+.B tls_2_anon
+allows Start TLS to force session to anonymous status (see also
+.B disallow
+.BR tls_authc ).
+.TP
.B argsfile <filename>
The ( absolute ) name of a file that will hold the
.B slapd
DN is empty).
.B bind_anon_dn
disables anonymous bind when DN is not empty.
+.B tls_authc
+disables StartTLS if authenticated (see also
+.B allow
+.BR tls_2_anon ).
.TP
.B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing
mech = NULL;
cred.bv_val = NULL;
- ldap_pvt_thread_mutex_lock( &conn->c_mutex );
-
/*
* Force to connection to "anonymous" until bind succeeds.
*/
-
- if ( conn->c_authmech != NULL ) {
- free( conn->c_authmech );
- conn->c_authmech = NULL;
- }
-
- if ( conn->c_cdn != NULL ) {
- free( conn->c_cdn );
- conn->c_cdn = NULL;
- }
-
- if ( conn->c_dn != NULL ) {
- free( conn->c_dn );
- conn->c_dn = NULL;
- }
-
- conn->c_authc_backend = NULL;
- conn->c_authz_backend = NULL;
-
+ ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+ connection2anonymous( conn );
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
if ( op->o_dn != NULL ) {
AccessControl *global_acl = NULL;
slap_access_t global_default_access = ACL_READ;
slap_mask_t global_restrictops = 0;
+slap_mask_t global_allows = 0;
slap_mask_t global_disallows = 0;
slap_mask_t global_requires = 0;
slap_ssf_set_t global_ssf_set;
}
+ /* allow these features */
+ } else if ( strcasecmp( cargv[0], "allows" ) == 0 ||
+ strcasecmp( cargv[0], "allow" ) == 0 )
+ {
+ slap_mask_t allows;
+
+ if ( be != NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+"%s: line %d: allow line must appear prior to database definitions\n",
+ fname, lineno, 0 );
+ }
+
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing feature(s) in \"allow <features>\" line\n",
+ fname, lineno, 0 );
+ return( 1 );
+ }
+
+ allows = 0;
+
+ for( i=1; i < cargc; i++ ) {
+ if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
+ allows |= SLAP_ALLOW_TLS_2_ANON;
+
+ } else if( strcasecmp( cargv[i], "none" ) != 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: unknown feature %s in \"allow <features>\" line\n",
+ fname, lineno, cargv[i] );
+ return( 1 );
+ }
+ }
+
+ global_allows = allows;
+
/* disallow these features */
} else if ( strcasecmp( cargv[0], "disallows" ) == 0 ||
strcasecmp( cargv[0], "disallow" ) == 0 )
if ( cargc < 2 ) {
Debug( LDAP_DEBUG_ANY,
- "%s: line %d: missing feature(s) in \"disallows <features>\" line\n",
+ "%s: line %d: missing feature(s) in \"disallow <features>\" line\n",
fname, lineno, 0 );
return( 1 );
}
} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_ANON_DN;
+ } else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_TLS_AUTHC;
+
} else if( strcasecmp( cargv[i], "none" ) != 0 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown feature %s in \"disallow <features>\" line\n",
return id;
}
+void connection2anonymous( Connection *c )
+{
+ assert( connections != NULL );
+ assert( c != NULL );
+
+ if(c->c_authmech != NULL ) {
+ free(c->c_authmech);
+ c->c_authmech = NULL;
+ }
+
+ if(c->c_dn != NULL) {
+ free(c->c_dn);
+ c->c_dn = NULL;
+ }
+
+ if(c->c_cdn != NULL) {
+ free(c->c_cdn);
+ c->c_cdn = NULL;
+ }
+
+ c->c_authc_backend = NULL;
+ c->c_authz_backend = NULL;
+}
+
static void
connection_destroy( Connection *c )
{
c->c_activitytime = c->c_starttime = 0;
- if(c->c_authmech != NULL ) {
- free(c->c_authmech);
- c->c_authmech = NULL;
- }
- if(c->c_dn != NULL) {
- free(c->c_dn);
- c->c_dn = NULL;
- }
- if(c->c_cdn != NULL) {
- free(c->c_cdn);
- c->c_cdn = NULL;
- }
+ connection2anonymous( c );
+
if(c->c_listener_url != NULL) {
free(c->c_listener_url);
c->c_listener_url = NULL;
}
+
if(c->c_peer_domain != NULL) {
free(c->c_peer_domain);
c->c_peer_domain = NULL;
LDAP_SLAPD_F (Connection *) connection_next LDAP_P((Connection *, ber_socket_t *));
LDAP_SLAPD_F (void) connection_done LDAP_P((Connection *));
+LDAP_SLAPD_F (void) connection2anonymous LDAP_P((Connection *));
+
/*
* dn.c
*/
*/
LDAP_SLAPD_F (slap_mask_t) global_restrictops;
+LDAP_SLAPD_F (slap_mask_t) global_allows;
LDAP_SLAPD_F (slap_mask_t) global_disallows;
LDAP_SLAPD_F (slap_mask_t) global_requires;
LDAP_SLAPD_F (slap_ssf_set_t) global_ssf_set;
| SLAP_RESTRICT_OP_MODIFY \
| SLAP_RESTRICT_OP_RENAME )
+#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */
+
#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */
#define SLAP_DISALLOW_BIND_ANON_CRED \
#define SLAP_DISALLOW_BIND_ANON_DN \
0x0008U /* dn should be empty */
+#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */
+#define SLAP_DISALLOW_BIND_KERBEROS 0x0020U /* Kerberos authentication */
+
+#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */
+
slap_mask_t be_requires; /* pre-operation requirements */
#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */
#define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */
#define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */
#define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */
-
/* Required Security Strength Factor */
slap_ssf_set_t be_ssf_set;
goto done;
}
+ if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
+ ( conn->c_dn != NULL ) )
+ {
+ *text = "cannot start TLS after authentication";
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
+ ( conn->c_dn != NULL ) )
+ {
+ /* force to anonymous */
+ connection2anonymous( conn );
+ }
+
/* fail if TLS could not be initialized */
if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
|| ctx == NULL)
return NULL;
}
+void connection2anonymous( Connection *c )
+{
+ assert(0);
+}
projects / openldap / commitdiff