From: Kurt Zeilenga <kurt@openldap.org>
Date: Fri, 10 Sep 2004 22:35:24 +0000 (+0000)
Subject: Add localSSF slapd.conf(5) directive to set SSF associated
X-Git-Tag: OPENLDAP_REL_ENG_2_3_0ALPHA~552
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=3869e3b84d5c5be76945ad63738f2fa6c90f314b;p=openldap

Add localSSF slapd.conf(5) directive to set SSF associated
with ldapi:// sessions.
---

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 7f1b4800af..2580e14428 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -512,6 +512,14 @@ continuing with the next line of the current file.
 .\"only go to stderr and are not recorded anywhere else. Specifying a logfile
 .\"copies messages to both stderr and the logfile.
 .TP
+.B localSSF <SSF>
+Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
+such as those to the ldapi:// listener.  For a description of SSF values,
+see 
+.BR sasl-secprops 's
+.B minssf
+property description.
+.TP
 .B loglevel <integer> [...]
 Specify the level at which debugging statements and operation 
 statistics should be syslogged (currently logged to the
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 787449c694..3d85794ce8 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -191,6 +191,28 @@ read_config( const char *fname, int depth )
 				return( 1 );
 			}
 
+		/* set local security factor */
+		} else if ( strcasecmp( cargv[0], "localSSF" ) == 0 ) {
+			long ssf;
+			if ( cargc < 2 ) {
+				Debug( LDAP_DEBUG_ANY,
+				   "%s: line %d: missing ssf in \"localSSF <ssf>\" line\n",
+				    fname, lineno, 0 );
+				return( 1 );
+			}
+
+			ssf = atol( cargv[1] );
+
+			if( ssf < 0 ) {
+				Debug( LDAP_DEBUG_ANY,
+					"%s: line %d: invalid ssf value (%ld) in "
+					"\"localSSF <ssf>\" line.\n",
+				    fname, lineno, ssf );
+				return( 1 );
+			}
+
+			local_ssf = ssf;
+
 		/* set thread concurrency */
 		} else if ( strcasecmp( cargv[0], "concurrency" ) == 0 ) {
 			int c;
@@ -1134,7 +1156,6 @@ restrict_unknown:;
 				be->be_requires = requires;
 			}
 
-		/* required security factors */
 		} else if ( strcasecmp( cargv[0], "security" ) == 0 ) {
 			slap_ssf_set_t *set;
 
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index 02acfae17f..14bd39356e 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -66,6 +66,7 @@ int slap_inet4or6 = AF_INET;
 /* globals */
 time_t starttime;
 ber_socket_t dtblsize;
+slap_ssf_t local_ssf = LDAP_PVT_SASL_LOCAL_SSF;
 
 Listener **slap_listeners = NULL;
 
@@ -1467,7 +1468,7 @@ slapd_daemon_task(
 				}
 
 				sprintf( peername, "PATH=%s", from.sa_un_addr.sun_path );
-				ssf = LDAP_PVT_SASL_LOCAL_SSF;
+				ssf = local_ssf;
 				{
 					uid_t uid;
 					gid_t gid;
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 988952ba50..f6e78692bc 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -468,6 +468,7 @@ LDAP_SLAPD_F (void) slapd_clr_read LDAP_P((ber_socket_t s, int wake));
 LDAP_SLAPD_V (volatile sig_atomic_t) slapd_abrupt_shutdown;
 LDAP_SLAPD_V (volatile sig_atomic_t) slapd_shutdown;
 LDAP_SLAPD_V (int) slapd_register_slp;
+LDAP_SLAPD_V (slap_ssf_t) local_ssf;
 
 /*
  * dn.c