if "disallow bind_simple_unprotected", require at least SSF of 2
authorKurt Zeilenga <kurt@openldap.org>
Tue, 8 Oct 2002 01:06:49 +0000 (01:06 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Tue, 8 Oct 2002 01:06:49 +0000 (01:06 +0000)
doc/man/man5/slapd.conf.5
servers/slapd/bind.c

index 0933adc32f9fe496a2751390104ad62d2ce056a4..d3550f6dfdfd0e8f250bea05a94877be4c3c4458 100644 (file)
@@ -179,13 +179,14 @@ disables acceptance of anonymous bind requests.
 .B bind_simple
 disables simple (bind) authentication.
 .B bind_simple_unprotected
-disables simple (bind) authentication when integrity and/or confidentiality
-protections (e.g. TLS) are not in place.  The level of protection required
-is determined by the
+disables simple (bind) authentication when confidentiality
+protection (e.g. TLS) is not in place.  The level of confidential
+protection to require can be adjusted using the
 .I overall security strength factor
-(as set by the
+using the
 .B security
-directive).
+directive.  If this factor is not set (or set to integrity only),
+any confidentiality protection is sufficient.
 .B bind_krbv4
 disables Kerberos V4 (bind) authentication.
 .B tls_2_anon
index 646b72f657ceec50b444242951c51e4818898a6e..09950a1076ed2263850f6d36c052b5ca12d8c3d8 100644 (file)
@@ -419,7 +419,7 @@ do_bind(
                        goto cleanup;
 
                } else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
-                       && ( op->o_ssf < global_ssf_set.sss_ssf ))
+                       && ( op->o_ssf <= 1 || op->o_ssf < global_ssf_set.sss_ssf ))
                {
                        rc = LDAP_CONFIDENTIALITY_REQUIRED;
                        text = "unwilling to perform simple authentication "
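Review bot: The literal `1` in the new `op->o_ssf <= 1` test on the added line encodes the convention that SSF 1 means integrity-only and anything above it means some confidentiality, but nothing at the call site says so, and a later reader could easily mistake it for an off-by-one. Suggest a comment directly above the `else if`, e.g. `/* SSF 1 == integrity only; simple bind needs confidentiality (SSF >= 2), and at least the configured overall SSF */`, or a named constant for the integrity-only level if the project has one. As written the `sss_ssf` comparison still applies on top, which appears consistent with the man-page wording that an unset or integrity-only `security` setting makes any confidentiality protection sufficient. Note that the enclosing `do_bind` and the `else if` chain begin and end outside this hunk, and the `text` string literal on the last hunk line continues past it.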