Add option to disallow unprotected simple authentication.
authorKurt Zeilenga <kurt@openldap.org>
Mon, 17 Jun 2002 22:18:27 +0000 (22:18 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Mon, 17 Jun 2002 22:18:27 +0000 (22:18 +0000)
Add protected simple authentication as a "strong" mechanism.

doc/man/man5/slapd.conf.5
servers/slapd/backend.c
servers/slapd/bind.c
servers/slapd/config.c
servers/slapd/slap.h

index 4d315d4fe5fd4c3f53a0fa888de8cad9f9d3b94b..a32a2fe91f4b713e14de4efbaf58f928ce0a660d 100644 (file)
@@ -195,6 +195,9 @@ disallow (default none).
 disables acceptance of anonymous bind requests.
 .B bind_simple
 disables simple (bind) authentication.
+.B bind_simple_unprotected
+disables simple (bind) authentication when confidentiality
+protections (e.g. TLS) are not in place.
 .B bind_krbv4
 disables Kerberos V4 (bind) authentication.
 .B tls_2_anon
@@ -506,11 +509,8 @@ requires authentication prior to directory operations.
 requires SASL authentication prior to directory operations.
 .B strong
 requires strong authentication prior to directory operations.
-The
-.B SASL
-and
-.B strong
-conditions are currently same.
+The strong keyword allows protected "simple" authentication
+as well as SASL authentication.
 .B none
 may be used to require no conditions (useful for clearly globally
 set conditions within a particular database).
index 7d7414aaa831a3a9d1eaaf7e2c41aa7e73039d3c..a962aabd063fc36a540a56ec07f20cda21495b4c 100644 (file)
@@ -924,7 +924,8 @@ backend_check_restrictions(
 
                if( requires & SLAP_REQUIRE_STRONG ) {
                        /* should check mechanism */
-                       if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 )
+                       if( ( op->o_transport_ssf < ssf->sss_transport
+                               && op->o_authmech.bv_len == 0 ) || op->o_dn.bv_len == 0 )
                        {
                                *text = "strong authentication required";
                                return LDAP_STRONG_AUTH_REQUIRED;
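Review bot: The rewritten condition only compares `op->o_transport_ssf` against `ssf->sss_transport`, so if the configured transport SSF is zero (presumably the value when no `security` directive is set; `ssf` itself is assigned outside this hunk and not visible) the test `o_transport_ssf < 0` can never be true and a cleartext simple bind satisfies the `strong` requirement. A floor of one keeps the documented meaning of "protected": `if( ( op->o_authmech.bv_len == 0 && ( op->o_transport_ssf == 0 || op->o_transport_ssf < ssf->sss_transport ) ) || op->o_dn.bv_len == 0 )`. The retained `/* should check mechanism */` comment still applies, since a SASL bind is accepted as strong on `bv_len` alone regardless of mechanism or transport. backend_check_restrictions begins before this hunk.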
@@ -932,8 +933,7 @@ backend_check_restrictions(
                }
 
                if( requires & SLAP_REQUIRE_SASL ) {
-                       if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 )
-                       {
+                       if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) {
                                *text = "SASL authentication required";
                                return LDAP_STRONG_AUTH_REQUIRED;
                        }
index abd8ed182ac5cf580ea67c44b6db8e2018002c84..b769e8b44b09b24b8dd4c3e5aa4e615f7c392972 100644 (file)
@@ -402,6 +402,27 @@ do_bind(
                        Debug( LDAP_DEBUG_TRACE,
                                "do_bind: v%d simple bind(%s) disallowed\n",
                                version, ndn.bv_val, 0 );
+#endif
+                       goto cleanup;
+
+               } else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
+                       && ( op->o_transport_ssf < global_ssf_set.sss_transport ))
+               {
+                       rc = LDAP_CONFIDENTIALITY_REQUIRED;
+                       text = "unwilling to perform simple authentication "
+                               "without confidentilty protection";
+
+                       send_ldap_result( conn, op, rc,
+                               NULL, text, NULL, NULL );
+
+#ifdef NEW_LOGGING
+                       LDAP_LOG(( "operation", LDAP_LEVEL_INFO, "do_bind: conn %d  "
+                               "v%d unprotected simple bind(%s) disallowed\n",
+                               conn->c_connid, version, ndn.bv_val ));
+#else
+                       Debug( LDAP_DEBUG_TRACE,
+                               "do_bind: v%d unprotected simple bind(%s) disallowed\n",
+                               version, ndn.bv_val, 0 );
 #endif
                        goto cleanup;
                }
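Review bot: The new branch rejects an unprotected simple bind only when `op->o_transport_ssf < global_ssf_set.sss_transport`, so with an unconfigured (zero) transport SSF — I am inferring the default, it is not shown here — `bind_simple_unprotected` never fires and cleartext simple binds are still accepted, contrary to the man page text added in this commit. Matching the documented intent would be `&& ( op->o_transport_ssf == 0 || op->o_transport_ssf < global_ssf_set.sss_transport ))`. The error text returned to the client also misspells the word: `"without confidentiality protection";`. Note also that this check reads the global settings rather than anything per-backend, which is reasonable before the DN is resolved but worth a comment; do_bind begins before this hunk and the `#endif` on the first added line closes a conditional opened outside it.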
index d49baa0b09d4f874df0c7d830c72ab2577ab07f2..d3619af88924439ffdd6bbd6374e08adb490b455 100644 (file)
@@ -1289,6 +1289,9 @@ read_config( const char *fname )
                                } else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
                                        disallows |= SLAP_DISALLOW_BIND_SIMPLE;
 
+                               } else if( strcasecmp( cargv[i], "bind_simple_unprotected" ) == 0 ) {
+                                       disallows |= SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED;
+
                                } else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
                                        disallows |= SLAP_DISALLOW_BIND_KRBV4;
 
index b3b129ba105ee4229256dcc4acae898e2454ac6e..ca7967cba1472e9c527959e07da42ff7e24d3d0e 100644 (file)
@@ -1175,7 +1175,9 @@ struct slap_backend_db {
 
 #define SLAP_DISALLOW_BIND_ANON                0x0001U /* no anonymous */
 #define SLAP_DISALLOW_BIND_SIMPLE      0x0002U /* simple authentication */
-#define SLAP_DISALLOW_BIND_KRBV4       0x0004U /* Kerberos V4 authentication */
+#define SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED \
+                                                                       0x0004U /* unprotected simple auth */
+#define SLAP_DISALLOW_BIND_KRBV4       0x0008U /* Kerberos V4 authentication */
 
 #define SLAP_DISALLOW_TLS_2_ANON       0x0010U /* StartTLS -> Anonymous */
 #define SLAP_DISALLOW_TLS_AUTHC                0x0020U /* TLS while authenticated */