From 023d0e2a5c91c0f329d36ec9460435f218714a8d Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Tue, 8 Oct 2002 19:03:18 +0000 Subject: [PATCH] Rework unprotected simple bind checks --- doc/guide/admin/security.sdf | 7 +++---- doc/man/man5/slapd.conf.5 | 15 +++++++++------ servers/slapd/backend.c | 9 +++++++++ servers/slapd/bind.c | 2 +- servers/slapd/config.c | 9 ++++++--- servers/slapd/slap.h | 1 + 6 files changed, 29 insertions(+), 14 deletions(-) diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf index a3cf12caf9..7d7dcf2d7a 100644 --- a/doc/guide/admin/security.sdf +++ b/doc/guide/admin/security.sdf @@ -146,10 +146,9 @@ is protected by other means (e.g., TLS, {{TERM:IPSEC}}). Where the administrator relies on TLS to protect the password, it is recommended that unprotected authentication be disabled. This is done by setting "{{EX:disallow bind_simple_unprotected}}" in {{slapd.conf}}(5). -The level of confidential protection to require can be adjusted -using the {{overall}} security strength factor using the {EX:security}} -directive. If this factor is not set (or set to integrity only), -any confidentiality protection is sufficient. +The {{EX:security}} directive's {{EX:simple_bind}} option provides +fine grain control over the level of confidential protection to +require for {{simple}} user/password authentication. The user/password authenticated bind mechanism can be completely disabled by setting "{{EX:disallow bind_simple}}". diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index d3550f6dfd..6fe0ba39b5 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 
@@ -180,13 +180,12 @@ disables acceptance of anonymous bind requests. disables simple (bind) authentication. .B bind_simple_unprotected disables simple (bind) authentication when confidentiality -protection (e.g. TLS) is not in place. The level of confidential -protection to require can be adjusted using the -.I overall security strength factor -using the +protection (e.g. TLS) is not in place. The .B security -directive. If this factor is not set (or set to integrity only), -any confidentiality protection is sufficient. +directive's +.B simple_bind +option provides fine grain control over the confidentiality +protection required for simple bind. .B bind_krbv4 disables Kerberos V4 (bind) authentication. .B tls_2_anon @@ -701,6 +700,10 @@ directory updates. .B update_sasl= specifies the SASL security strength factor to require for directory updates. +.B simple_bind= +specifies the security strength factor required for +.I simple +username/password authentication. Note that the .B transport factor is measure of security provided by the underlying transport, diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 23ee665e88..04fac3ccec 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -866,6 +866,15 @@ backend_check_restrictions( return LDAP_CONFIDENTIALITY_REQUIRED; } + + if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) { + /* simple bind specific check */ + if( op->o_ssf < ssf->sss_simple_bind ) { + *text = "confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + } + if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) { /* these checks don't apply to SASL bind */ diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index 09950a1076..1129fa6f43 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c 
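Review bot: The new simple-bind block in backend_check_restrictions identifies the simple path only through `opdata == NULL`, while the block immediately below uses the mirror-image test `op->o_tag != LDAP_REQ_BIND || opdata == NULL` under a comment about SASL, so a reader has to work out from two opposite-looking conditions what opdata carries; a one-line comment above the new `if`, such as `/* opdata is the SASL mechanism name; NULL means a simple bind */`, would settle it (that reading is inferred from the neighbouring check and should be confirmed against the caller in do_bind). The block reads `ssf->sss_simple_bind`, and since an unset factor of 0 makes `op->o_ssf < 0` never fire, any code that derives a per-backend ssf set from the global one must carry the new member as well or the requirement only applies where it is set directly on that set; `ssf` itself is bound before this hunk. backend_check_restrictions starts and ends outside the hunk.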
@@ -419,7 +419,7 @@ do_bind( goto cleanup; } else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED ) - && ( op->o_ssf <= 1 || op->o_ssf < global_ssf_set.sss_ssf )) + && ( op->o_ssf <= 1 )) { rc = LDAP_CONFIDENTIALITY_REQUIRED; text = "unwilling to perform simple authentication " diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 5a58e83baf..3147c4ede9 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -1317,9 +1317,6 @@ read_config( const char *fname, int depth ) } else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) { disallows |= SLAP_DISALLOW_BIND_SIMPLE; - } else if( strcasecmp( cargv[i], "bind_simple_unprotected" ) == 0 ) { - disallows |= SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED; - } else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) { disallows |= SLAP_DISALLOW_BIND_KRBV4; @@ -1480,6 +1477,12 @@ read_config( const char *fname, int depth ) set->sss_update_sasl = atoi( &cargv[i][sizeof("update_sasl")] ); + } else if( strncasecmp( cargv[i], "simple_bind=", + sizeof("simple_bind") ) == 0 ) + { + set->sss_simple_bind = + atoi( &cargv[i][sizeof("simple_bind")] ); + } else { #ifdef NEW_LOGGING LDAP_LOG( CONFIG, CRIT, diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index d5f42a69bf..329a108688 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -164,6 +164,7 @@ typedef struct slap_ssf_set { slap_ssf_t sss_update_transport; slap_ssf_t sss_update_tls; slap_ssf_t sss_update_sasl; + slap_ssf_t sss_simple_bind; } slap_ssf_set_t; /* -- 2.39.5
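Review bot: The simplified guard still keys on SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED, but as far as this patch shows nothing sets that flag any more: the first config.c hunk drops the `bind_simple_unprotected` entry from the disallow parser, while the retained lines in security.sdf ("This is done by setting disallow bind_simple_unprotected") and the `.B bind_simple_unprotected` paragraph in slapd.conf.5 keep recommending it. An administrator following the docs presumably lands in read_config's trailing `else` (the unknown-keyword error path) instead of getting the protection they asked for, so either keep parsing the keyword and map it onto `global_ssf_set.sss_simple_bind`, or update the doc lines that still describe it. The remaining literal in `op->o_ssf <= 1` also deserves a word on why 1 is the threshold, e.g. `/* SSF 1 is integrity only: no confidentiality */`, since the explanatory doc text that used to say this is removed by the man-page hunk. do_bind continues on both sides of this hunk.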
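Review bot: In the second config.c hunk, `atoi( &cargv[i][sizeof("simple_bind")] )` maps any non-numeric, empty or negative value (`simple_bind=`, `simple_bind=abc`, `simple_bind=-1`) to 0, and for a security strength factor 0 means "no requirement", so a typo in the one option this commit introduces to protect simple binds fails open without any log line. The existing `update_sasl` entry just above does the same, so this follows local style, but this option is meant to replace `disallow bind_simple_unprotected` and deserves a stricter parse: `strtol` with `endptr`/`errno` checks, rejecting anything that is not a plain non-negative number within the range of slap_ssf_t, reported through the same CRIT logging the trailing `else` uses. The enclosing `read_config` keyword chain begins and ends outside the hunk.

```c
				} else if( strncasecmp( cargv[i], "simple_bind=",
					sizeof("simple_bind") ) == 0 )
				{
					const char *val = &cargv[i][sizeof("simple_bind")];
					char *end = NULL;
					long v;

					errno = 0;
					v = strtol( val, &end, 10 );
					if( end == val || *end != '\0' || errno == ERANGE
						|| v < 0 /* TODO: also reject v above slap_ssf_t's maximum */ )
					{
						/* … report unparsable simple_bind= value the way the
						   trailing else reports an unknown factor, then fail … */
					}
					set->sss_simple_bind = (slap_ssf_t) v;
```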