From: Kurt Zeilenga
Date: Fri, 10 Sep 2004 22:35:24 +0000 (+0000)
Subject: Add localSSF slapd.conf(5) directive to set SSF associated
X-Git-Tag: OPENLDAP_REL_ENG_2_3_0ALPHA~552
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=3869e3b84d5c5be76945ad63738f2fa6c90f314b;p=openldap

Add localSSF slapd.conf(5) directive to set SSF associated with ldapi:// sessions.
---
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 7f1b4800af..2580e14428 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -512,6 +512,14 @@ continuing with the next line of the current file.
 .\"only go to stderr and are not recorded anywhere else. Specifying a logfile
 .\"copies messages to both stderr and the logfile.
 .TP
+.B localSSF
+Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
+such as those to the ldapi:// listener. For a description of SSF values,
+see
+.BR sasl-secprops 's
+.B minssf
+property description.
+.TP
 .B loglevel [...]
 Specify the level at which debugging statements and operation statistics should be syslogged (currently logged to the
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 787449c694..3d85794ce8 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -191,6 +191,28 @@ read_config( const char *fname, int depth )
 				return( 1 );
 			}
 
+	/* set local security factor */
+	} else if ( strcasecmp( cargv[0], "localSSF" ) == 0 ) {
+		long ssf;
+		if ( cargc < 2 ) {
+			Debug( LDAP_DEBUG_ANY,
+				"%s: line %d: missing ssf in \"localSSF \" line\n",
+				fname, lineno, 0 );
+			return( 1 );
+		}
+
+		ssf = atol( cargv[1] );
+
+		if( ssf < 0 ) {
+			Debug( LDAP_DEBUG_ANY,
+				"%s: line %d: invalid ssf value (%ld) in "
+				"\"localSSF \" line.\n",
+				fname, lineno, ssf );
+			return( 1 );
+		}
+
+		local_ssf = ssf;
+
 	/* set thread concurrency */
 	} else if ( strcasecmp( cargv[0], "concurrency" ) == 0 ) {
 		int c;
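Review bot: `ssf = atol( cargv[1] );` in the new localSSF branch never reports a parse failure, so a mistyped token such as `localSSF 7l` or `localSSF abc` is silently taken as 7 or 0 and an over-long number is unchecked on overflow; because this value decides what the `security` directive permits over ldapi:// sessions, a misparse changes the effective policy with no log line. The only validation is `if( ssf < 0 )`; there is no upper bound before the `long` is stored into `slap_ssf_t local_ssf`, so a value wider than that type is truncated silently (the width of slap_ssf_t is not visible in this diff). Parse with strtol and reject empty input, trailing characters, ERANGE, negatives and values that do not fit, as below, which needs `<errno.h>` in scope. Minor style: `if( ssf < 0 )` sits next to `if ( cargc < 2 )` in the same hunk; the surrounding code uses the spaced form. The enclosing read_config() starts and ends outside the hunk.
```c
	} else if ( strcasecmp( cargv[0], "localSSF" ) == 0 ) {
		long ssf;
		char *end;
		/* … unchanged: cargc < 2 check … */

		errno = 0;
		ssf = strtol( cargv[1], &end, 10 );

		/* reject empty, non-numeric, trailing-garbage, negative, and
		 * out-of-range values; the bound assumes slap_ssf_t is unsigned
		 * (adjust if the typedef differs) */
		if ( end == cargv[1] || *end != '\0' || errno == ERANGE ||
			ssf < 0 || (unsigned long) ssf > (unsigned long) (slap_ssf_t) -1 )
		{
			Debug( LDAP_DEBUG_ANY,
				"%s: line %d: invalid ssf value (%s) in "
				"\"localSSF \" line.\n",
				fname, lineno, cargv[1] );
			return( 1 );
		}

		local_ssf = (slap_ssf_t) ssf;
```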
@@ -1134,7 +1156,6 @@ restrict_unknown:;
 		be->be_requires = requires;
 	}
 
-	/* required security factors */
 	} else if ( strcasecmp( cargv[0], "security" ) == 0 ) {
 		slap_ssf_set_t *set;
 
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index 02acfae17f..14bd39356e 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -66,6 +66,7 @@ int slap_inet4or6 = AF_INET;
 /* globals */
 time_t starttime;
 ber_socket_t dtblsize;
+slap_ssf_t local_ssf = LDAP_PVT_SASL_LOCAL_SSF;
 
 Listener **slap_listeners = NULL;
 
@@ -1467,7 +1468,7 @@ slapd_daemon_task(
 			}
 
 			sprintf( peername, "PATH=%s", from.sa_un_addr.sun_path );
-			ssf = LDAP_PVT_SASL_LOCAL_SSF;
+			ssf = local_ssf;
 			{
 				uid_t uid;
 				gid_t gid;
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 988952ba50..f6e78692bc 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -468,6 +468,7 @@ LDAP_SLAPD_F (void) slapd_clr_read LDAP_P((ber_socket_t s, int wake));
 LDAP_SLAPD_V (volatile sig_atomic_t) slapd_abrupt_shutdown;
 LDAP_SLAPD_V (volatile sig_atomic_t) slapd_shutdown;
 LDAP_SLAPD_V (int) slapd_register_slp;
+LDAP_SLAPD_V (slap_ssf_t) local_ssf;
 
 /*
  * dn.c
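Review bot: The new global `slap_ssf_t local_ssf = LDAP_PVT_SASL_LOCAL_SSF;` in daemon.c carries no comment saying what it controls, who writes it or where it is consumed, and the matching `LDAP_SLAPD_V (slap_ssf_t) local_ssf;` in proto-slap.h is equally bare. Suggest on the definition: `/* SSF granted to local (ldapi://, AF_LOCAL) sessions at accept time; defaults to LDAP_PVT_SASL_LOCAL_SSF, overridden by the localSSF slapd.conf directive */`. The variable is written by the config parser and read in slapd_daemon_task() in the second daemon.c hunk without any synchronisation, which is fine only if it is set before the listener thread starts — presumably the case here, and worth stating in the comment so a later runtime-reconfiguration change does not miss it. slapd_daemon_task() begins and ends outside that hunk.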