From: Kurt Zeilenga
Date: Mon, 17 Jun 2002 22:18:27 +0000 (+0000)
Subject: Add option to disallow unprotected simple authentication.
X-Git-Tag: NO_SLAP_OP_BLOCKS~1424
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=9a38d98d375e059c367b97ce1ee50f0fbe9d68b7;p=openldap
Add option to disallow unprotected simple authentication. Add protected simple authentication as a "strong" mechanism.
---
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 4d315d4fe5..a32a2fe91f 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -195,6 +195,9 @@ disallow (default none).
 disables acceptance of anonymous bind requests.
 .B bind_simple
 disables simple (bind) authentication.
+.B bind_simple_unprotected
+disables simple (bind) authentication when confidentiality
+protections (e.g. TLS) are not in place.
 .B bind_krbv4
 disables Kerberos V4 (bind) authentication.
 .B tls_2_anon
@@ -506,11 +509,8 @@ requires authentication prior to directory operations.
 requires SASL authentication prior to directory operations.
 .B strong
 requires strong authentication prior to directory operations.
-The
-.B SASL
-and
-.B strong
-conditions are currently same.
+The strong keyword allows protected "simple" authentication
+as well as SASL authentication.
 .B none
 may be used to require no conditions (useful for clearly globally set conditions within a particular database).
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 7d7414aaa8..a962aabd06 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -924,7 +924,8 @@ backend_check_restrictions(
 if( requires & SLAP_REQUIRE_STRONG ) {
 /* should check mechanism */
- if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 )
+ if( ( op->o_transport_ssf < ssf->sss_transport
+ && op->o_authmech.bv_len == 0 ) || op->o_dn.bv_len == 0 )
 {
 *text = "strong authentication required";
 return LDAP_STRONG_AUTH_REQUIRED;
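Review bot: The rewritten STRONG check in the two `+` lines counts a simple bind as strong whenever `op->o_transport_ssf` is not below `ssf->sss_transport`, so if the configured transport minimum is 0 (the likely state when no `security transport=` directive is set — the default is not visible here) the first disjunct is always false and any simple bind with a non-empty DN satisfies `require strong`, even over a cleartext connection. The same comparison governs `bind_simple_unprotected` in the bind.c hunk (`op->o_transport_ssf < global_ssf_set.sss_transport`), which under a zero minimum never fires. Consider treating a zero minimum as "protection not established", e.g. `if( ( op->o_authmech.bv_len == 0 && ( ssf->sss_transport == 0 || op->o_transport_ssf < ssf->sss_transport ) ) || op->o_dn.bv_len == 0 )`, which keeps the pre-change behaviour (strong == SASL) until an administrator actually configures a transport SSF; failing that, slapd.conf(5) should state that both features are only meaningful together with `security transport=`. The `/* should check mechanism */` comment above the condition is now stale and could read `/* SASL, or simple over a transport meeting the configured SSF, counts as strong */`. backend_check_restrictions starts outside the hunk, and `ssf` is assigned there, so which SSF set it points to cannot be confirmed from this hunk.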
@@ -932,8 +933,7 @@ backend_check_restrictions(
 }
 if( requires & SLAP_REQUIRE_SASL ) {
- if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 )
- {
+ if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) {
 *text = "SASL authentication required";
 return LDAP_STRONG_AUTH_REQUIRED;
 }
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index abd8ed182a..b769e8b44b 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -402,6 +402,27 @@ do_bind(
 Debug( LDAP_DEBUG_TRACE,
 "do_bind: v%d simple bind(%s) disallowed\n",
 version, ndn.bv_val, 0 );
+#endif
+ goto cleanup;
+
+ } else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
+ && ( op->o_transport_ssf < global_ssf_set.sss_transport ))
+ {
+ rc = LDAP_CONFIDENTIALITY_REQUIRED;
+ text = "unwilling to perform simple authentication "
+ "without confidentilty protection";
+
+ send_ldap_result( conn, op, rc,
+ NULL, text, NULL, NULL );
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "operation", LDAP_LEVEL_INFO, "do_bind: conn %d "
+ "v%d unprotected simple bind(%s) disallowed\n",
+ conn->c_connid, version, ndn.bv_val ));
+#else
+ Debug( LDAP_DEBUG_TRACE,
+ "do_bind: v%d unprotected simple bind(%s) disallowed\n",
+ version, ndn.bv_val, 0 );
 #endif
 goto cleanup;
 }
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index d49baa0b09..d3619af889 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1289,6 +1289,9 @@ read_config( const char *fname )
 } else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
 disallows |= SLAP_DISALLOW_BIND_SIMPLE;
+ } else if( strcasecmp( cargv[i], "bind_simple_unprotected" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED;
+
 } else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
 disallows |= SLAP_DISALLOW_BIND_KRBV4;
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index b3b129ba10..ca7967cba1 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
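Review bot: The result message added in the bind.c hunk, `text = "unwilling to perform simple authentication " "without confidentilty protection";`, misspells "confidentiality"; this string is handed to `send_ldap_result` and so reaches the client, and it should read `"without confidentiality protection"`. The new branch decides "unprotected" solely by `op->o_transport_ssf < global_ssf_set.sss_transport`, but neither this hunk nor the new slapd.conf(5) entry says which directive sets that minimum, so an administrator enabling `disallow bind_simple_unprotected` on its own cannot tell whether it will take effect; the man page entry should name the configured transport SSF it is evaluated against. The branch reads the global SSF set rather than a per-backend one, which is appropriate only if no backend has been selected at this point of do_bind — if that is the reason, a one-line comment such as `/* backend not yet selected: apply the global transport SSF minimum */` would make it explicit. do_bind starts and ends outside the hunk.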
@@ -1175,7 +1175,9 @@ struct slap_backend_db {
 #define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
 #define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
-#define SLAP_DISALLOW_BIND_KRBV4 0x0004U /* Kerberos V4 authentication */
+#define SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED \
+ 0x0004U /* unprotected simple auth */
+#define SLAP_DISALLOW_BIND_KRBV4 0x0008U /* Kerberos V4 authentication */
 #define SLAP_DISALLOW_TLS_2_ANON 0x0010U /* StartTLS -> Anonymous */
 #define SLAP_DISALLOW_TLS_AUTHC 0x0020U /* TLS while authenticated */