From 0fc62be316c2276c1e70788134c90449e3f1dac8 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Sat, 3 Feb 2001 03:17:22 +0000
Subject: [PATCH] Rework security restrictions for SASL bind

---
 servers/slapd/backend.c | 37 ++++++++++++++++++++++--------------
 servers/slapd/bind.c | 13 ++++++++++++-
 tests/data/slapd-schema.conf | 3 +++
 3 files changed, 38 insertions(+), 15 deletions(-)

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index a4547926d8..4b00ae6b76 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -783,46 +783,55 @@ backend_check_restrictions(
 updateop++;
 }
 
- if( op->o_ssf < ssf->sss_ssf ) {
- *text = "confidentiality required";
- return LDAP_CONFIDENTIALITY_REQUIRED;
- }
 if( op->o_transport_ssf < ssf->sss_transport ) {
 *text = "transport confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+
 if( op->o_tls_ssf < ssf->sss_tls ) {
 *text = "TLS confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
- if( op->o_sasl_ssf < ssf->sss_sasl ) {
- *text = "SASL confidentiality required";
- return LDAP_CONFIDENTIALITY_REQUIRED;
- }
 
- if( updateop ) {
- if( op->o_ssf < ssf->sss_update_ssf ) {
- *text = "update confidentiality required";
+ if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
+ /* these checks don't apply to SASL bind */
+
+ if( op->o_sasl_ssf < ssf->sss_sasl ) {
+ *text = "SASL confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+
+ if( op->o_ssf < ssf->sss_ssf ) {
+ *text = "confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+ }
+
+ if( updateop ) {
 if( op->o_transport_ssf < ssf->sss_update_transport ) {
 *text = "transport update confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+
 if( op->o_tls_ssf < ssf->sss_update_tls ) {
 *text = "TLS update confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+
 if( op->o_sasl_ssf < ssf->sss_update_sasl ) {
 *text = "SASL update confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+
+ if( op->o_ssf < ssf->sss_update_ssf ) {
+ *text = "update confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
 }
 }
 
- if ( op->o_tag != LDAP_REQ_BIND &&
- ( op->o_tag != LDAP_REQ_EXTENDED ||
- strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) )
+ if ( op->o_tag != LDAP_REQ_BIND && ( op->o_tag != LDAP_REQ_EXTENDED ||
+ strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) )
 {
 /* these checks don't apply to Bind or StartTLS */
 
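Review bot: The new `op->o_tag != LDAP_REQ_BIND || opdata == NULL` test turns the SASL exemption into a caller contract that the one-line comment does not state: any Bind whose opdata is non-NULL is treated as a SASL bind and skips both the `sss_sasl` floor and the overall `sss_ssf` floor, while the `sss_transport` and `sss_tls` floors checked just above the new block still apply to it. I would widen the comment to spell that out, e.g. `/* SASL bind (opdata is the mechanism name): skip the SASL and overall SSF floors, presumably because the bind itself is what negotiates the SASL SSF; the transport and TLS floors above still apply. Callers must pass NULL opdata for simple binds. */`. It is also worth recording that a configuration with only the overall `ssf=` floor now admits a SASL bind over an unprotected transport, so a deployment that needs the bind exchange itself protected has to rely on the transport or TLS floors instead. backend_check_restrictions begins and ends outside this hunk.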
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 169b3e05f5..05b95eae82 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -251,6 +251,14 @@ do_bind(
 goto cleanup;
 }
 
+ /* check restrictions */
+ rc = backend_check_restrictions( NULL, conn, op, mech, &text );
+ if( rc != LDAP_SUCCESS ) {
+ send_ldap_result( conn, op, rc,
+ NULL, text, NULL, NULL );
+ goto cleanup;
+ }
+
 ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 if ( conn->c_sasl_bind_in_progress ) {
 if((strcmp(conn->c_sasl_bind_mech, mech) != 0)) {
@@ -327,6 +335,9 @@ do_bind(
 /* disallow */
 rc = LDAP_INAPPROPRIATE_AUTH;
 text = "anonymous bind disallowed";
+
+ } else {
+ rc = backend_check_restrictions( NULL, conn, op, mech, &text );
 }
 
 /*
@@ -424,7 +435,7 @@ do_bind(
 }
 
 /* check restrictions */
- rc = backend_check_restrictions( be, conn, op, NULL, &text ) ;
+ rc = backend_check_restrictions( be, conn, op, NULL, &text );
 if( rc != LDAP_SUCCESS ) {
 send_ldap_result( conn, op, rc,
 NULL, text, NULL, NULL );
diff --git a/tests/data/slapd-schema.conf b/tests/data/slapd-schema.conf
index 6852c67012..c66d35127f 100644
--- a/tests/data/slapd-schema.conf
+++ b/tests/data/slapd-schema.conf
@@ -29,3 +29,6 @@ database @BACKEND@
 suffix "o=OpenLDAP Project, l=Internet"
 directory ./test-db
 index objectClass eq
+
+security ssf=256
+
-- 
2.39.5
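Review bot: The `else` branch added at the "anonymous bind disallowed" site (the `@@ -327` hunk) passes `mech` as opdata, whereas the per-backend call later in the same function (the `@@ -424` hunk) passes an explicit `NULL`; with this commit's backend.c change a Bind whose opdata is non-NULL is exempted from the `sss_sasl` and `sss_ssf` floors, so this call applies the full floors only if `mech` is guaranteed NULL on the simple/anonymous path, and the hunk does not show where `mech` is set. If this branch is reached only for non-SASL binds, pass the sentinel explicitly, `rc = backend_check_restrictions( NULL, conn, op, NULL, &text );`, so the exemption cannot be taken by accident. How a non-success `rc` and `text` from this branch are reported to the client lies outside the hunk; do_bind starts and ends outside it.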