Add more bind allow/disallow flags
authorKurt Zeilenga <kurt@openldap.org>
Mon, 11 Sep 2000 18:24:24 +0000 (18:24 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Mon, 11 Sep 2000 18:24:24 +0000 (18:24 +0000)
doc/man/man5/slapd.conf.5
servers/slapd/bind.c
servers/slapd/config.c
servers/slapd/slap.h

index 25563576ee5621211302e8163aa2804a9abda3e6..bae64808f036cd0d4b120d0e0e5382825ab61f8c 100644 (file)
@@ -73,7 +73,8 @@ by <who>).
 See the "OpenLDAP's Administrator's Guide" for details.
 .TP
 .B allow <features>
-Specify a set of features (separated by white space) to allow.
+Specify a set of features (separated by white space) to
+allow (default none).
 .B tls_2_anon
 allows Start TLS to force session to anonymous status (see also
 .B disallow
@@ -133,16 +134,21 @@ directives be used instead.
 .RE
 .TP
 .B disallow <features>
-Specify a set of features (separated by white space) to disallow.
+Specify a set of features (separated by white space) to
+disallow (default none).
 .B bind_v2
 disables acceptance of LDAPv2 bind requests.
 .B bind_anon
 disables acceptance of anonymous bind requests.
 .B bind_anon_cred
-disables anonymous bind creditials are not empty (e.g. when
-DN is empty).
+disables anonymous bind creditials are not empty (e.g.
+when DN is empty).
 .B bind_anon_dn
 disables anonymous bind when DN is not empty.
+.B bind_simple
+disables simple (bind) authentication.
+.B bind_krbv4
+disables Kerberos V4 (bind) authentication.
 .B tls_authc
 disables StartTLS if authenticated (see also
 .B allow
@@ -253,7 +259,8 @@ cannot find a local database to handle a request.
 If specified multiple times, each url is provided.
 .TP
 .B require <conditions>
-Specify a set of conditions (separated by white space) to require.
+Specify a set of conditions (separated by white space) to
+require (default none).
 The directive may be specified globally and/or per-database.
 .B bind
 requires bind operation prior to directory operations.
@@ -489,7 +496,9 @@ for more information.
 Specify the distinguished name that is not subject to access control 
 or administrative limit restrictions for operations on this database.
 This DN may or may not be associated with an entry.  An empty root
-DN, the default, specifies no root access is to be granted.
+DN (the default) specifies no root access is to be granted.  It is
+recommended that the rootdn only be specified when needed (such as
+when initially populating a database).
 .TP
 .B rootpw <password>
 Specify a password (or hash of the password) for the rootdn.
@@ -499,8 +508,8 @@ the server (see
 desription) as well as cleartext.
 .BR slappasswd (8) 
 may be used to generate a hash of a password.  Cleartext
-and \fB{CRYPT}\fP passwords are not recommended.  The default
-is empty imply authentication of the root DN is by other means
+and \fB{CRYPT}\fP passwords are not recommended.  If empty
+(the default), authentication of the root DN is by other means
 (e.g. SASL).  Use of SASL is encouraged.
 .TP
 .B suffix <dn suffix>
index c9a00d942106e2f65492773e2f4923a4f146caaa..5358cec384bfe672017da0ad89709ee0ba751450 100644 (file)
@@ -264,38 +264,78 @@ do_bind(
                ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
        }
 
-       /* accept "anonymous" binds */
-       if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
-               rc = LDAP_SUCCESS;
-               text = NULL;
-
-               if( cred.bv_len &&
-                       ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
-               {
-                       /* cred is not empty, disallow */
-                       rc = LDAP_INVALID_CREDENTIALS;
-
-               } else if ( ndn != NULL && *ndn != '\0' &&
-                       ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
-               {
-                       /* DN is not empty, disallow */
+       if ( method == LDAP_AUTH_SIMPLE ) {
+               /* accept "anonymous" binds */
+               if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
+                       rc = LDAP_SUCCESS;
+                       text = NULL;
+
+                       if( cred.bv_len &&
+                               ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
+                       {
+                               /* cred is not empty, disallow */
+                               rc = LDAP_INVALID_CREDENTIALS;
+
+                       } else if ( ndn != NULL && *ndn != '\0' &&
+                               ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
+                       {
+                               /* DN is not empty, disallow */
+                               rc = LDAP_UNWILLING_TO_PERFORM;
+                               text = "unwilling to allow anonymous bind with non-empty DN";
+
+                       } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
+                               /* disallow */
+                               rc = LDAP_INAPPROPRIATE_AUTH;
+                               text = "anonymous bind disallowed";
+                       }
+
+                       /*
+                        * we already forced connection to "anonymous",
+                        * just need to send success
+                        */
+                       send_ldap_result( conn, op, rc,
+                               NULL, text, NULL, NULL );
+                       Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
+                               version, 0, 0 );
+                       goto cleanup;
+
+               } else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) {
+                       /* disallow simple authentication */
                        rc = LDAP_UNWILLING_TO_PERFORM;
-                       text = "unwilling to allow anonymous bind with non-empty DN";
+                       text = "unwilling to perform simple authentication";
+
+                       send_ldap_result( conn, op, rc,
+                               NULL, text, NULL, NULL );
+                       Debug( LDAP_DEBUG_TRACE,
+                               "do_bind: v%d simple bind(%s) disallowed\n",
+                               version, ndn, 0 );
+                       goto cleanup;
+               }
 
-               } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
-                       /* disallow */
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+       } else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) {
+               if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
+                       /* disallow simple authentication */
                        rc = LDAP_UNWILLING_TO_PERFORM;
-                       text = "anonymous bind disallowed";
+                       text = "unwilling to perform Kerberos V4 bind";
+
+                       send_ldap_result( conn, op, rc,
+                               NULL, text, NULL, NULL );
+                       Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n",
+                               version, 0, 0 );
+                       goto cleanup;
                }
+#endif
+
+       } else {
+               rc = LDAP_AUTH_UNKNOWN;
+               text = "unknown authentication method";
 
-               /*
-                * we already forced connection to "anonymous",
-                * just need to send success
-                */
                send_ldap_result( conn, op, rc,
                        NULL, text, NULL, NULL );
-               Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
-                       version, 0, 0 );
+               Debug( LDAP_DEBUG_TRACE,
+                       "do_bind: v%d unknown authentication method (%d)\n",
+                       version, method, 0 );
                goto cleanup;
        }
 
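Review bot: The anonymous-bind checks (`cred.bv_len == 0 || ndn == NULL || *ndn == '\0'`) now run only inside the `method == LDAP_AUTH_SIMPLE` branch, whereas the removed code applied them to every method; a Kerberos V4 bind carrying an empty credential or empty DN is therefore no longer subject to `bind_anon`, `bind_anon_cred` or `bind_anon_dn`. If the Kerberos path further down do_bind can still leave the connection anonymous for such a request, those flags no longer cover it and the check should be repeated there or hoisted above the method dispatch; I cannot see that path from this hunk. The comment on the Kerberos branch, `/* disallow simple authentication */`, is copied from the simple branch and should read `/* disallow Kerberos V4 authentication */`, and the trace `"do_bind: v%d Kerberos V4 bind\n"` could become `"do_bind: v%d Kerberos V4 bind disallowed\n"` to match the simple-bind trace that reports the rejection. do_bind starts and ends outside the hunk.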
index a95f014157e458544a74d59ce276d926b9a4ea44..b364a3066eca8ba6e2dd84bda481a3de0f470a25 100644 (file)
@@ -576,6 +576,12 @@ read_config( const char *fname )
                                } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
                                        disallows |= SLAP_DISALLOW_BIND_ANON_DN;
 
+                               } else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
+                                       disallows |= SLAP_DISALLOW_BIND_SIMPLE;
+
+                               } else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
+                                       disallows |= SLAP_DISALLOW_BIND_KRBV4;
+
                                } else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
                                        disallows |= SLAP_DISALLOW_TLS_AUTHC;
 
index f9864894779ca9779ae36a3ffac1310e2353fb9a..69007e65e907f3ddf31a18fa1c04323241f89937 100644 (file)
@@ -864,7 +864,7 @@ struct slap_backend_db {
                                                                0x0008U /* dn should be empty */
 
 #define SLAP_DISALLOW_BIND_SIMPLE      0x0010U /* simple authentication */
-#define SLAP_DISALLOW_BIND_KERBEROS    0x0020U /* Kerberos authentication */
+#define SLAP_DISALLOW_BIND_KRBV4       0x0020U /* Kerberos V4 authentication */
 
 #define SLAP_DISALLOW_TLS_AUTHC        0x0100U /* TLS while authenticated */