From 36fca96695b578e05a1a03017977608f9b470aff Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Tue, 8 Oct 2002 01:06:49 +0000
Subject: [PATCH] if "disallow bind_simple_unprotected", require at least SSF of 2

---
 doc/man/man5/slapd.conf.5 | 11 ++++++-----
 servers/slapd/bind.c | 2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 0933adc32f..d3550f6dfd 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -179,13 +179,14 @@ disables acceptance of anonymous bind requests.
 .B bind_simple
 disables simple (bind) authentication.
 .B bind_simple_unprotected
-disables simple (bind) authentication when integrity and/or confidentiality
-protections (e.g. TLS) are not in place. The level of protection required
-is determined by the
+disables simple (bind) authentication when confidentiality
+protection (e.g. TLS) is not in place. The level of confidential
+protection to require can be adjusted using the
 .I overall security strength factor
-(as set by the
+using the
 .B security
-directive).
+directive. If this factor is not set (or set to integrity only),
+any confidentiality protection is sufficient.
 .B bind_krbv4
 disables Kerberos V4 (bind) authentication.
 .B tls_2_anon
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 646b72f657..09950a1076 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -419,7 +419,7 @@ do_bind(
 goto cleanup;
 } else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
- && ( op->o_ssf < global_ssf_set.sss_ssf ))
+ && ( op->o_ssf <= 1 || op->o_ssf < global_ssf_set.sss_ssf ))
 {
 rc = LDAP_CONFIDENTIALITY_REQUIRED;
 text = "unwilling to perform simple authentication "
-- 
2.39.5
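Review bot: The `<= 1` in the new condition encodes a policy — SSF 1 is integrity-only, and a simple bind transmits the password so it needs confidentiality (SSF >= 2) regardless of the configured overall SSF — but nothing at the call site says so, and a later reader is likely to take it for an off-by-one against `global_ssf_set.sss_ssf`. I would add a comment above the `else if`: `/* SSF 1 is integrity-only; a simple bind sends the password in the clear, so require confidentiality (SSF >= 2) even when the configured overall SSF is lower */`, or name the threshold with an enum constant next to the other SLAP_* policy values. The enclosing do_bind body starts and ends outside the hunk, so I cannot see whether the diagnostic text built on the last context line should also state the minimum.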