From 6d5d0034b137f61e5930e2ba26f71efb5a20d426 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Thu, 31 Aug 2000 00:52:54 +0000 Subject: [PATCH] Import latest from devel --- doc/drafts/draft-ietf-ldapext-locate-xx.txt | 60 +++--- doc/man/man1/ldapdelete.1 | 6 +- doc/man/man1/ldapmodify.1 | 8 +- doc/man/man1/ldapmodrdn.1 | 6 +- doc/man/man1/ldapsearch.1 | 2 +- doc/man/man5/slapd.conf.5 | 68 +++++++ servers/slapd/acl.c | 39 ++++ servers/slapd/aclparse.c | 123 ++++++++++++ servers/slapd/add.c | 12 +- servers/slapd/backend.c | 200 +++++++++++++++++- servers/slapd/bind.c | 51 ++++- servers/slapd/compare.c | 4 +- servers/slapd/config.c | 212 +++++++++++++++++++- servers/slapd/connection.c | 23 ++- servers/slapd/delete.c | 12 +- servers/slapd/filter.c | 15 +- servers/slapd/modify.c | 12 +- servers/slapd/modrdn.c | 12 +- servers/slapd/passwd.c | 5 +- servers/slapd/proto-slap.h | 10 +- servers/slapd/sasl.c | 16 +- servers/slapd/schema_init.c | 2 +- servers/slapd/schema_prep.c | 4 +- servers/slapd/search.c | 4 +- servers/slapd/slap.h | 94 +++++++-- servers/slapd/starttls.c | 20 +- 26 files changed, 852 insertions(+), 168 deletions(-) diff --git a/doc/drafts/draft-ietf-ldapext-locate-xx.txt b/doc/drafts/draft-ietf-ldapext-locate-xx.txt index 12a176963e..88d6cd2b01 100644 --- a/doc/drafts/draft-ietf-ldapext-locate-xx.txt +++ b/doc/drafts/draft-ietf-ldapext-locate-xx.txt @@ -1,7 +1,7 @@ INTERNET-DRAFT Michael P. Armijo - Levon Esibov -July, 2000 Paul Leach -Expires: January, 2001 Microsoft Corporation + Levon Esibov +August, 2000 Paul Leach +Expires: February, 2001 Microsoft Corporation R.L. Morgan University of Washington @@ -29,7 +29,7 @@ Status of this Memo http://www.ietf.org/shadow.html. Distribution of this memo is unlimited. It is filed as , and expires on January 14, 2001. + ietf-ldapext-locate-04.txt>, and expires on February 25, 2001. Please send comments to the authors. @@ -92,16 +92,17 @@ Status of this Memo DNs cannot be converted into a domain name. Converted DNs result in a fully qualified domain name. - The output domain name is initially empty. For each RDN component - of the DN, beginning with the rightmost and working left, if the - attribute type is "DC", then the attribute value is used as a domain - name component (label). - The first such value becomes the most significant (i.e., rightmost) - domain name component, and successive values occupy less significant - positions (i.e., extending leftward), in order. If the attribute - type is not "DC", then processing stops. If the final RDN component - of the DN is not of type "DC" then the DN cannot be converted to a - domain name. + The output domain name is initially empty. The DN is processed in + right-to-left order (i.e., beginning with the first RDN in the + sequence of RDNs). An RDN is able to be converted if it (1) + consists of a single AttributeTypeAndValue; (2) the attribute type + is "DC"; and (3) the attribute value is non-null. If it can be + converted, the attribute value is used as a domain name component + (label). The first such value becomes the rightmost (i.e., most + significant) domain name component, and successive converted RDN + values extend to the left. If an RDN cannot be converted, + processing stops. If the output domain name is empty when + processing stops, the DN cannot be converted into a domain name. For DN: @@ -128,18 +129,16 @@ Status of this Memo _._. where is always "ldap", and is a protocol that can - be either "udp" or "tcp". "_ldap._tcp" applies to services - compatible with LDAPv2 [7] or LDAPv3 [1]. "_ldap._udp" - applies to services compatible with CLDAP [8]. is - the domain name formed by converting the DN of a naming context - mastered by the LDAP Server into a domain name using the algorithm in - Section 3. Note that "ldap" is the symbolic name for the LDAP service - in Assigned Numbers[6], as required by [5]. + be either "udp" or "tcp". is the domain name formed by + converting the DN of a naming context mastered by the LDAP Server + into a domain name using the algorithm in Section 3. Note that + "ldap" is the symbolic name for the LDAP service in Assigned + Numbers[6], as required by [5]. Presence of such records enables clients to find the LDAP servers using standard DNS query [4]. A client (or server) seeking an LDAP server for a particular DN converts that DN to a domain name using - the algorithm of Section 2, does a SRV record query using the DNS + the algorithm of Section 3, does a SRV record query using the DNS name formed as described in the preceding paragraph, and interprets the response as described in [5] to determine a host (or hosts) to contact. As an example, a client that searches for an LDAP server @@ -163,10 +162,16 @@ Status of this Memo 5. Security Considerations + DNS responses can typically be easily spoofed. Clients using this + location method SHOULD ensure, via use of strong security + mechanisms, that the LDAP server they contact is the one they + intended to contact. See [7] for more information on security + threats and security mechanisms. + This document describes a method that uses DNS SRV records to discover LDAP servers. All security considerations related to DNS SRV records are inherited by this document. See the security - considerations section in [6] for more details. + considerations section in [5] for more details. 6. References @@ -191,11 +196,8 @@ Status of this Memo [6] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994. - [7] Yeong, W., Howes, T. and Kille, S., "Lightweight Directory Access - Protocol", RFC 1777, March 1995 - - [8] Young, A., "Connection-less Lightweight Directory Access Protocol", - RFC 1798, June 1995 + [7] Wahl, M., Alvestrand, H., Hodges, J. and Morgan, R., + "Authentication Methods for LDAP", RFC 2829, May 2000. 7. Authors' Addresses @@ -225,7 +227,7 @@ Status of this Memo EMail: rlmorgan@washington.edu URI: http://staff.washington.edu/rlmorgan/ - Expires January, 2001 + Expires February 25, 2001 diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1 index a9373cabe9..cb694f5a50 100644 --- a/doc/man/man1/ldapdelete.1 +++ b/doc/man/man1/ldapdelete.1 @@ -84,12 +84,12 @@ Use Kerberos authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. This option only has effect if . B ldapdelete -is compiled with KERBEROS defined. +is compiled with Kerberos support. .TP .B \-K -Same as \-k, but only does step 1 of the kerberos bind. This is useful +Same as \-k, but only does step 1 of the Kerberos bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal -registered with your kerberos servers. +registered with your Kerberos servers. .TP .B \-C Automatically chase referrals. diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 index 8a93505a77..80cb56f1be 100644 --- a/doc/man/man1/ldapmodify.1 +++ b/doc/man/man1/ldapmodify.1 @@ -67,6 +67,8 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools [\c .BR \-c ] [\c +.BR \-C ] +[\c .BR \-r ] [\c .BR \-n ] @@ -158,12 +160,12 @@ Use verbose mode, with many diagnostics written to standard output. .B \-k Use Kerberos authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. You must -compile with KERBEROS defined for this option to have any effect. +compile with Kerberos support for this option to have any effect. .TP .B \-K -Same as \-k, but only does step 1 of the kerberos bind. This is useful +Same as \-k, but only does step 1 of the Kerberos bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal -registered with your kerberos servers. +registered with your Kerberos servers. .TP .B \-F Force application of all changes regardless of the contents of input diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1 index f0b3db990a..70890a7a90 100644 --- a/doc/man/man1/ldapmodrdn.1 +++ b/doc/man/man1/ldapmodrdn.1 @@ -87,12 +87,12 @@ Use verbose mode, with many diagnostics written to standard output. Use Kerberos authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. .B ldapmodrdn -must be compiled with KERBEROS defined for this option to have effect. +must be compiled with Kerberos support for this option to have effect. .TP .B \-K -Same as \-k, but only does step 1 of the kerberos bind. This is useful +Same as \-k, but only does step 1 of the Kerberos bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal -registered with your kerberos servers. +registered with your Kerberos servers. .TP .B \-C Automatically chase referrals. diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1 index 30683779b6..42619a378f 100644 --- a/doc/man/man1/ldapsearch.1 +++ b/doc/man/man1/ldapsearch.1 @@ -109,7 +109,7 @@ Run in verbose mode, with many diagnostics written to standard output. Use Kerberos authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. .B ldapsearch -must be compiled with Kerberos for this option to have any effect. +must be compiled with Kerberos support for this option to have any effect. .TP .B \-K Same as \-k, but only does step 1 of the Kerberos bind. This is useful diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index a78833769f..064b6b2f9a 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -125,6 +125,18 @@ recommended that directives be used instead. .RE .TP +.B disallow +Specify a set of features (separated by white space) to disallow. +.B bind_v2 +disables acceptance of LDAPv2 bind requests. +.B bind_anon +disables acceptance of anonymous bind requests. +.B bind_anon_cred +disables anonymous bind creditials are not empty (e.g. when +DN is empty). +.B bind_anon_dn +disables anonymous bind when DN is not empty. +.TP .B idletimeout Specify the number of seconds to wait before forcibly closing an idle client connections. A idletimeout of 0 disables this @@ -229,6 +241,31 @@ Specify the referral to pass back when cannot find a local database to handle a request. If specified multiple times, each url is provided. .TP +.B require +Specify a set of conditions (separated by white space) to require. +The directive may be specified globally and/or per-database. +.B bind +requires bind operation prior to directory operations. +.B LDAPv3 +requires session to be using LDAP version 3. +.B authc +requires authentication prior to directory operations. +.B SASL +requires SASL authentication prior to directory operations. +.B strong +requires strong authentication prior to directory operations. +Currently +.B SASL +and +.B strong +conditions are currently same. +.B none +may be used to require no conditions (useful for clearly globally +set conditions within a particular database). +.TP +.B sasl-host +Used to specify the fully qualified domain name used for SASL processing. +.TP .B sasl-realm Used to specify Cyrus SASL realm. .TP @@ -279,6 +316,37 @@ size allowed. 0 disables security layers. The default is 65536. .B schemacheck { on | off } Turn schema checking on or off. The default is on. .TP +.B security +Specify a set of factors (separated by white space) to require. +An integer value is associated with each factor and is roughly +equivalent of the encryption key length to require. A value +of 112 is equivalent to 3DES, 128 to Blowfish, etc.. +The directive may be specified globally and/or per-database. +.B ssf= +specifies the overall security strength factor. +.B transport= +specifies the transport security strength factor. +.B tls= +specifies the TLS security strength factor. +.B sasl= +specifies the SASL security strength factor. +.B update_ssf= +specifies the overall security strength factor to require for +directory updates. +.B update_transport= +specifies the transport security strength factor to require for +directory updates. +.B update_tls= +specifies the TLS security strength factor to require for +directory updates. +.B update_sasl= +specifies the SASL security strength factor to require for +directory updates. +Note that the +.B transport +factor is measure of security provided by the underlying transport, +e.g. ldapi:// (and eventually IPSEC). It is not normally used. +.TP .B sizelimit Specify the maximum number of entries to return from a search operation. The default size limit is 500. diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index f5dbbcd75f..2e18ce48b2 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -636,6 +636,45 @@ acl_mask( } } + if ( b->a_authz.sai_ssf ) { + Debug( LDAP_DEBUG_ACL, "<= check a_authz.sai_ssf: %ud\n", + b->a_authz.sai_ssf, 0, 0 ); + + if ( b->a_authz.sai_ssf > op->o_ssf ) { + continue; + } + } + + if ( b->a_authz.sai_transport_ssf ) { + Debug( LDAP_DEBUG_ACL, + "<= check a_authz.sai_transport_ssf: %ud\n", + b->a_authz.sai_transport_ssf, 0, 0 ); + + if ( b->a_authz.sai_transport_ssf > op->o_transport_ssf ) { + continue; + } + } + + if ( b->a_authz.sai_tls_ssf ) { + Debug( LDAP_DEBUG_ACL, + "<= check a_authz.sai_tls_ssf: %ud\n", + b->a_authz.sai_tls_ssf, 0, 0 ); + + if ( b->a_authz.sai_tls_ssf > op->o_tls_ssf ) { + continue; + } + } + + if ( b->a_authz.sai_sasl_ssf ) { + Debug( LDAP_DEBUG_ACL, + "<= check a_authz.sai_sasl_ssf: %ud\n", + b->a_authz.sai_sasl_ssf, 0, 0 ); + + if ( b->a_authz.sai_sasl_ssf > op->o_sasl_ssf ) { + continue; + } + } + #ifdef SLAPD_ACI_ENABLED if ( b->a_aci_at != NULL ) { Attribute *at; diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index ea8f6b9eed..54661b75da 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -672,6 +672,110 @@ parse_acl( } #endif /* SLAPD_ACI_ENABLED */ + if ( strcasecmp( left, "ssf" ) == 0 ) { + if( b->a_authz.sai_ssf ) { + fprintf( stderr, + "%s: line %d: ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_ssf = atoi( right ); + + if( !b->a_authz.sai_ssf ) { + fprintf( stderr, + "%s: line %d: invalid ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "transport_ssf" ) == 0 ) { + if( b->a_authz.sai_transport_ssf ) { + fprintf( stderr, + "%s: line %d: transport_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no transport_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_transport_ssf = atoi( right ); + + if( !b->a_authz.sai_transport_ssf ) { + fprintf( stderr, + "%s: line %d: invalid transport_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "tls_ssf" ) == 0 ) { + if( b->a_authz.sai_tls_ssf ) { + fprintf( stderr, + "%s: line %d: tls_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no tls_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_tls_ssf = atoi( right ); + + if( !b->a_authz.sai_tls_ssf ) { + fprintf( stderr, + "%s: line %d: invalid tls_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "sasl_ssf" ) == 0 ) { + if( b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, + "%s: line %d: sasl_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no sasl_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_sasl_ssf = atoi( right ); + + if( !b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, + "%s: line %d: invalid sasl_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + if( right != NULL ) { /* unsplit */ right[-1] = '='; @@ -969,6 +1073,7 @@ acl_usage( void ) #ifdef SLAPD_ACI_ENABLED "\t[aci=]\n" #endif + "\t[ssf=] [transport_ssf=] [tls_ssf=] [sasl_ssf=]\n" " ::= [self]{|}\n" " ::= none | auth | compare | search | read | write\n" " ::= {=|+|-}{w|r|s|c|x}+\n" @@ -1129,6 +1234,24 @@ print_access( Access *b ) } #endif + /* Security Strength Factors */ + if ( b->a_authz.sai_ssf ) { + fprintf( stderr, " ssf=%ud", + b->a_authz.sai_ssf ); + } + if ( b->a_authz.sai_transport_ssf ) { + fprintf( stderr, " transport_ssf=%ud", + b->a_authz.sai_transport_ssf ); + } + if ( b->a_authz.sai_tls_ssf ) { + fprintf( stderr, " tls_ssf=%ud", + b->a_authz.sai_tls_ssf ); + } + if ( b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, " sasl_ssf=%ud", + b->a_authz.sai_sasl_ssf ); + } + fprintf( stderr, " %s%s", b->a_dn_self ? "self" : "", accessmask2str( b->a_access_mask, maskbuf ) ); diff --git a/servers/slapd/add.c b/servers/slapd/add.c index d159ea8631..de88b57f86 100644 --- a/servers/slapd/add.c +++ b/servers/slapd/add.c @@ -154,8 +154,8 @@ do_add( Connection *conn, Operation *op ) goto done; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); @@ -168,14 +168,6 @@ do_add( Connection *conn, Operation *op ) goto done; } - if ( global_readonly || be->be_readonly ) { - Debug( LDAP_DEBUG_ANY, "do_add: database is read-only\n", - 0, 0, 0 ); - send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, - NULL, "directory is read-only", NULL, NULL ); - goto done; - } - /* * do the add if 1 && (2 || 3) * 1) there is an add function implemented in this backend; diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index b57bd3684d..309f26c2ad 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -39,12 +39,12 @@ #ifdef SLAPD_TCL #include "back-tcl/external.h" #endif -#ifdef SLAPD_NTDOMAIN -#include "back-domain/external.h" -#endif #ifdef SLAPD_SQL #include "back-sql/external.h" #endif +#ifdef SLAPD_PRIVATE +#include "private/external.h" +#endif static BackendInfo binfo[] = { #if defined(SLAPD_DNSSRV) && !defined(SLAPD_DNSSRV_DYNAMIC) @@ -68,11 +68,12 @@ static BackendInfo binfo[] = { #if defined(SLAPD_TCL) && !defined(SLAPD_TCL_DYNAMIC) {"tcl", tcl_back_initialize}, #endif -#if defined(SLAPD_NTDOMAIN) && !defined(SLAPD_NTDOMAIN_DYNAMIC) - {"ntdom", domain_back_initialize}, -#endif #if defined(SLAPD_SQL) && !defined(SLAPD_SQL_DYNAMIC) {"sql", sql_back_initialize}, +#endif + /* for any private backend */ +#if defined(SLAPD_PRIVATE) && !defined(SLAPD_PRIVATE_DYNAMIC) + {"private", private_back_initialize}, #endif {NULL} }; @@ -393,12 +394,12 @@ backend_db_init( be->be_timelimit = deftime; be->be_dfltaccess = global_default_access; + be->be_restrictops = global_restrictops; + be->be_requires = global_requires; + /* assign a default depth limit for alias deref */ be->be_max_deref_depth = SLAPD_DEFAULT_MAXDEREFDEPTH; - be->be_realm = global_realm != NULL - ? ch_strdup( global_realm ) : NULL; - if(bi->bi_db_init) { rc = bi->bi_db_init( be ); } @@ -584,7 +585,7 @@ backend_connection_destroy( return 0; } -int +static int backend_check_controls( Backend *be, Connection *conn, @@ -609,6 +610,185 @@ backend_check_controls( return LDAP_SUCCESS; } +int +backend_check_restrictions( + Backend *be, + Connection *conn, + Operation *op, + const char *extoid, + const char **text ) +{ + int rc; + slap_mask_t restrictops; + slap_mask_t requires; + slap_mask_t opflag; + slap_ssf_set_t *ssf; + int updateop = 0; + + if( be ) { + rc = backend_check_controls( be, conn, op, text ); + + if( rc != LDAP_SUCCESS ) { + return rc; + } + + restrictops = be->be_restrictops; + requires = be->be_requires; + ssf = &be->be_ssf_set; + + } else { + restrictops = global_restrictops; + requires = global_requires; + ssf = &global_ssf_set; + } + + switch( op->o_tag ) { + case LDAP_REQ_ADD: + opflag = SLAP_RESTRICT_OP_ADD; + updateop++; + break; + case LDAP_REQ_BIND: + opflag = SLAP_RESTRICT_OP_BIND; + break; + case LDAP_REQ_COMPARE: + opflag = SLAP_RESTRICT_OP_COMPARE; + break; + case LDAP_REQ_DELETE: + updateop++; + opflag = SLAP_RESTRICT_OP_DELETE; + break; + case LDAP_REQ_EXTENDED: + opflag = SLAP_RESTRICT_OP_EXTENDED; + break; + case LDAP_REQ_MODIFY: + updateop++; + opflag = SLAP_RESTRICT_OP_MODIFY; + break; + case LDAP_REQ_RENAME: + updateop++; + opflag = SLAP_RESTRICT_OP_RENAME; + break; + case LDAP_REQ_SEARCH: + opflag = SLAP_RESTRICT_OP_SEARCH; + break; + case LDAP_REQ_UNBIND: + opflag = 0; + break; + default: + *text = "restrict operations internal error"; + return LDAP_OTHER; + } + + if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) ) ) { + /* these checks don't apply to StartTLS */ + + if( op->o_tag == LDAP_REQ_EXTENDED ) { + /* threat other extended operations as update ops */ + updateop++; + } + + if( op->o_ssf < ssf->sss_ssf ) { + *text = "confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_transport_ssf < ssf->sss_transport ) { + *text = "transport confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_tls_ssf < ssf->sss_tls ) { + *text = "TLS confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_sasl_ssf < ssf->sss_sasl ) { + *text = "SASL confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + + if( updateop ) { + if( op->o_ssf < ssf->sss_update_ssf ) { + *text = "update confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_transport_ssf < ssf->sss_update_transport ) { + *text = "transport update confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_tls_ssf < ssf->sss_update_tls ) { + *text = "TLS update confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_sasl_ssf < ssf->sss_update_sasl ) { + *text = "SASL update confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + } + } + + if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) ) + || op->o_tag == LDAP_REQ_BIND ) + { + /* these checks don't apply to StartTLS or Bind */ + + if( requires & SLAP_REQUIRE_STRONG ) { + /* should check mechanism */ + if( op->o_authmech == NULL || + op->o_dn == NULL || *op->o_dn == '\0' ) + { + *text = "strong authentication required"; + return LDAP_STRONG_AUTH_REQUIRED; + } + } + + if( requires & SLAP_REQUIRE_SASL ) { + if( op->o_authmech == NULL || + op->o_dn == NULL || *op->o_dn == '\0' ) + { + *text = "SASL authentication required"; + return LDAP_STRONG_AUTH_REQUIRED; + } + } + + if( requires & SLAP_REQUIRE_AUTHC ) { + if( op->o_dn == NULL || *op->o_dn == '\0' ) { + *text = "authentication required"; + return LDAP_UNWILLING_TO_PERFORM; + } + } + + if( requires & SLAP_REQUIRE_BIND ) { + int version; + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + version = conn->c_protocol; + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + + if( !version ) { + /* no bind has occurred */ + *text = "BIND required"; + return LDAP_OPERATIONS_ERROR; + } + } + + if( requires & SLAP_REQUIRE_LDAP_V3 ) { + if( op->o_protocol < LDAP_VERSION3 ) { + /* no bind has occurred */ + *text = "operation restricted to LDAPv3 clients"; + return LDAP_OPERATIONS_ERROR; + } + } + } + + if( restrictops & opflag ) { + if( restrictops == SLAP_RESTRICT_OP_READS ) { + *text = "read operations restricted"; + } else { + *text = "operation restricted"; + } + return LDAP_UNWILLING_TO_PERFORM; + } + + return LDAP_SUCCESS; +} + int backend_check_referrals( Backend *be, Connection *conn, diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index 294c851ce7..e825eeb850 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c @@ -59,6 +59,11 @@ do_bind( * Force to connection to "anonymous" until bind succeeds. */ + if ( conn->c_authmech != NULL ) { + free( conn->c_authmech ); + conn->c_authmech = NULL; + } + if ( conn->c_cdn != NULL ) { free( conn->c_cdn ); conn->c_cdn = NULL; @@ -175,6 +180,13 @@ do_bind( send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, NULL, "requested protocol version not supported", NULL, NULL ); goto cleanup; + + } else if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) && + version < LDAP_VERSION3 ) + { + send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, + NULL, "requested protocol version not allowed", NULL, NULL ); + goto cleanup; } /* we set connection version regardless of whether bind succeeds @@ -239,6 +251,10 @@ do_bind( conn->c_dn = edn; conn->c_authmech = mech; if( ssf ) conn->c_sasl_layers++; + conn->c_sasl_ssf = ssf; + if( ssf > conn->c_ssf ) { + conn->c_ssf = ssf; + } ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); } else if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) { @@ -269,12 +285,34 @@ do_bind( /* accept "anonymous" binds */ if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) { + rc = LDAP_SUCCESS; + text = NULL; + + if( cred.bv_len && + ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED )) + { + /* cred is not empty, disallow */ + rc = LDAP_INVALID_CREDENTIALS; + + } else if ( ndn != NULL && *ndn != '\0' && + ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN )) + { + /* DN is not empty, disallow */ + rc = LDAP_UNWILLING_TO_PERFORM; + text = "unwilling to allow anonymous bind with non-empty DN"; + + } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) { + /* disallow */ + rc = LDAP_UNWILLING_TO_PERFORM; + text = "anonymous bind disallowed"; + } + /* * we already forced connection to "anonymous", * just need to send success */ - send_ldap_result( conn, op, LDAP_SUCCESS, - NULL, NULL, NULL, NULL ); + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n", version, 0, 0 ); goto cleanup; @@ -300,17 +338,16 @@ do_bind( goto cleanup; } - conn->c_authz_backend = be; - - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; - + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); goto cleanup; } + conn->c_authz_backend = be; + if ( be->be_bind ) { int ret; /* alias suffix */ diff --git a/servers/slapd/compare.c b/servers/slapd/compare.c index b8c93fc132..4caa3be6c1 100644 --- a/servers/slapd/compare.c +++ b/servers/slapd/compare.c @@ -105,8 +105,8 @@ do_compare( goto cleanup; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 01ee0a1cd7..c9c245e06b 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -16,7 +16,7 @@ #include "ldap_pvt.h" #include "slap.h" -#define MAXARGS 100 +#define MAXARGS 128 /* * defaults for various global variables @@ -25,10 +25,14 @@ int defsize = SLAPD_DEFAULT_SIZELIMIT; int deftime = SLAPD_DEFAULT_TIMELIMIT; AccessControl *global_acl = NULL; slap_access_t global_default_access = ACL_READ; -int global_readonly = 0; +slap_mask_t global_restrictops = 0; +slap_mask_t global_disallows = 0; +slap_mask_t global_requires = 0; +slap_ssf_set_t global_ssf_set; char *replogfile; int global_lastmod = ON; int global_idletimeout = 0; +char *global_host = NULL; char *global_realm = NULL; char *ldap_srvtab = ""; char *default_passwd_hash; @@ -222,6 +226,25 @@ read_config( const char *fname ) default_passwd_hash = ch_strdup( cargv[1] ); } + /* set SASL host */ + } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) { + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing host in \"sasl-host \" line\n", + fname, lineno, 0 ); + return( 1 ); + } + + if ( global_host != NULL ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: already set sasl-host!\n", + fname, lineno, 0 ); + return 1; + + } else { + global_host = ch_strdup( cargv[1] ); + } + /* set SASL realm */ } else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) { if ( cargc < 2 ) { @@ -230,12 +253,10 @@ read_config( const char *fname ) fname, lineno, 0 ); return( 1 ); } - if ( be != NULL ) { - be->be_realm = ch_strdup( cargv[1] ); - } else if ( global_realm != NULL ) { + if ( global_realm != NULL ) { Debug( LDAP_DEBUG_ANY, - "%s: line %d: already set global realm!\n", + "%s: line %d: already set sasl-realm!\n", fname, lineno, 0 ); return 1; @@ -451,15 +472,181 @@ read_config( const char *fname ) return( 1 ); } if ( be == NULL ) { - global_readonly = (strcasecmp( cargv[1], "on" ) == 0); + if ( strcasecmp( cargv[1], "on" ) == 0 ) { + global_restrictops |= SLAP_RESTRICT_OP_WRITES; + } else { + global_restrictops &= ~SLAP_RESTRICT_OP_WRITES; + } } else { if ( strcasecmp( cargv[1], "on" ) == 0 ) { - be->be_readonly = 1; + be->be_restrictops |= SLAP_RESTRICT_OP_WRITES; } else { - be->be_readonly = 0; + be->be_restrictops &= ~SLAP_RESTRICT_OP_WRITES; } } + + /* disallow these features */ + } else if ( strcasecmp( cargv[0], "disallows" ) == 0 || + strcasecmp( cargv[0], "disallow" ) == 0 ) + { + slap_mask_t disallows; + + if ( be != NULL ) { + Debug( LDAP_DEBUG_ANY, +"%s: line %d: disallow line must appear prior to database definitions\n", + fname, lineno, 0 ); + } + + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing feature(s) in \"disallows \" line\n", + fname, lineno, 0 ); + return( 1 ); + } + + disallows = 0; + + for( i=1; i < cargc; i++ ) { + if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_V2; + + } else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_ANON_CRED; + + } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_ANON_DN; + + } else if( strcasecmp( cargv[i], "none" ) != 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown feature %s in \"disallow \" line\n", + fname, lineno, cargv[i] ); + return( 1 ); + } + } + + global_disallows = disallows; + + /* require these features */ + } else if ( strcasecmp( cargv[0], "requires" ) == 0 || + strcasecmp( cargv[0], "require" ) == 0 ) + { + slap_mask_t requires; + + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing feature(s) in \"require \" line\n", + fname, lineno, 0 ); + return( 1 ); + } + + requires = 0; + + for( i=1; i < cargc; i++ ) { + if( strcasecmp( cargv[i], "bind" ) == 0 ) { + requires |= SLAP_REQUIRE_BIND; + + } else if( strcasecmp( cargv[i], "LDAPv3" ) == 0 ) { + requires |= SLAP_REQUIRE_LDAP_V3; + + } else if( strcasecmp( cargv[i], "authc" ) == 0 ) { + requires |= SLAP_REQUIRE_AUTHC; + + } else if( strcasecmp( cargv[i], "SASL" ) == 0 ) { + requires |= SLAP_REQUIRE_SASL; + + } else if( strcasecmp( cargv[i], "strong" ) == 0 ) { + requires |= SLAP_REQUIRE_STRONG; + + } else if( strcasecmp( cargv[i], "none" ) != 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown feature %s in \"require \" line\n", + fname, lineno, cargv[i] ); + return( 1 ); + } + } + + if ( be == NULL ) { + global_requires = requires; + } else { + be->be_requires = requires; + } + + /* required security factors */ + } else if ( strcasecmp( cargv[0], "security" ) == 0 ) { + slap_ssf_set_t *set; + + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing factor(s) in \"security \" line\n", + fname, lineno, 0 ); + return( 1 ); + } + + if ( be == NULL ) { + set = &global_ssf_set; + } else { + set = &be->be_ssf_set; + } + + for( i=1; i < cargc; i++ ) { + if( strncasecmp( cargv[i], "ssf=", + sizeof("ssf") ) == 0 ) + { + set->sss_ssf = + atoi( &cargv[i][sizeof("ssf")] ); + + } else if( strncasecmp( cargv[i], "transport=", + sizeof("transport") ) == 0 ) + { + set->sss_transport = + atoi( &cargv[i][sizeof("transport")] ); + + } else if( strncasecmp( cargv[i], "tls=", + sizeof("tls") ) == 0 ) + { + set->sss_tls = + atoi( &cargv[i][sizeof("tls")] ); + + } else if( strncasecmp( cargv[i], "sasl=", + sizeof("sasl") ) == 0 ) + { + set->sss_sasl = + atoi( &cargv[i][sizeof("sasl")] ); + + } else if( strncasecmp( cargv[i], "update_ssf=", + sizeof("update_ssf") ) == 0 ) + { + set->sss_update_ssf = + atoi( &cargv[i][sizeof("update_ssf")] ); + + } else if( strncasecmp( cargv[i], "update_transport=", + sizeof("update_transport") ) == 0 ) + { + set->sss_update_transport = + atoi( &cargv[i][sizeof("update_transport")] ); + + } else if( strncasecmp( cargv[i], "update_tls=", + sizeof("update_tls") ) == 0 ) + { + set->sss_update_tls = + atoi( &cargv[i][sizeof("update_tls")] ); + + } else if( strncasecmp( cargv[i], "update_sasl=", + sizeof("update_sasl") ) == 0 ) + { + set->sss_update_sasl = + atoi( &cargv[i][sizeof("update_sasl")] ); + + } else { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown factor %s in \"security \" line\n", + fname, lineno, cargv[i] ); + return( 1 ); + } + } + + /* where to send clients when we don't hold it */ } else if ( strcasecmp( cargv[0], "referral" ) == 0 ) { if ( cargc < 2 ) { @@ -556,7 +743,12 @@ read_config( const char *fname ) fname, lineno, 0 ); return( 1 ); } - ldap_syslog = atoi( cargv[1] ); + + ldap_syslog = 0; + + for( i=1; i < cargc; i++ ) { + ldap_syslog += atoi( cargv[1] ); + } /* list of replicas of the data in this backend (master only) */ } else if ( strcasecmp( cargv[0], "replica" ) == 0 ) { diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c index 4d2c62ef2e..144482857b 100644 --- a/servers/slapd/connection.c +++ b/servers/slapd/connection.c @@ -425,8 +425,8 @@ long connection_init( c->c_n_read = 0; c->c_n_write = 0; - /* assume LDAPv3 until bind */ - c->c_protocol = LDAP_VERSION3; + /* set to zero until bind, implies LDAP_VERSION3 */ + c->c_protocol = 0; c->c_activitytime = c->c_starttime = slap_get_time(); @@ -449,6 +449,9 @@ long connection_init( c->c_conn_state = SLAP_C_INACTIVE; c->c_struct_state = SLAP_C_USED; + c->c_ssf = c->c_transport_ssf = ssf; + c->c_tls_ssf = 0; + #ifdef HAVE_TLS if ( use_tls ) { c->c_is_tls = 1; @@ -458,6 +461,7 @@ long connection_init( c->c_needs_tls_accept = 0; } #endif + slap_sasl_open( c ); slap_sasl_external( c, ssf, authid ); @@ -905,6 +909,7 @@ int connection_read(ber_socket_t s) /* connections_mutex and c_mutex are locked */ connection_closing( c ); +#if 0 /* Drain input before close, to allow SSL error codes * to propagate to client. */ FD_ZERO(&rfd); @@ -918,20 +923,25 @@ int connection_read(ber_socket_t s) ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_DRAIN, NULL); } +#endif connection_close( c ); } else if ( rc == 0 ) { void *ssl; - slap_ssf_t ssf; char *authid; c->c_needs_tls_accept = 0; /* we need to let SASL know */ ssl = (void *)ldap_pvt_tls_sb_handle( c->c_sb ); - ssf = (slap_ssf_t) ldap_pvt_tls_get_strength( ssl ); + + c->c_tls_ssf = (slap_ssf_t) ldap_pvt_tls_get_strength( ssl ); + if( c->c_tls_ssf > c->c_ssf ) { + c->c_ssf = c->c_tls_ssf; + } + authid = (char *)ldap_pvt_tls_get_peer( ssl ); - slap_sasl_external( c, ssf, authid ); + slap_sasl_external( c, c->c_tls_ssf, authid ); } connection_return( c ); ldap_pvt_thread_mutex_unlock( &connections_mutex ); @@ -1143,7 +1153,8 @@ static int connection_op_activate( Connection *conn, Operation *op ) arg->co_op->o_ndn = ch_strdup( arg->co_op->o_dn ); (void) dn_normalize( arg->co_op->o_ndn ); - arg->co_op->o_protocol = conn->c_protocol; + arg->co_op->o_protocol = conn->c_protocol + ? conn->c_protocol : LDAP_VERSION3; arg->co_op->o_connid = conn->c_connid; arg->co_op->o_authtype = conn->c_authtype; diff --git a/servers/slapd/delete.c b/servers/slapd/delete.c index d086e1fde1..d3bb5d96fa 100644 --- a/servers/slapd/delete.c +++ b/servers/slapd/delete.c @@ -79,8 +79,8 @@ do_delete( goto cleanup; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); @@ -93,14 +93,6 @@ do_delete( goto cleanup; } - if ( global_readonly || be->be_readonly ) { - Debug( LDAP_DEBUG_ANY, "do_delete: database is read-only\n", - 0, 0, 0 ); - send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, - NULL, "directory is read-only", NULL, NULL ); - goto cleanup; - } - /* deref suffix alias if appropriate */ ndn = suffix_alias( be, ndn ); diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c index 4aa04f3dfb..2999910f78 100644 --- a/servers/slapd/filter.c +++ b/servers/slapd/filter.c @@ -699,18 +699,11 @@ int filter_escape_value( out->bv_val = (char *) ch_malloc( ( in->bv_len * 3 ) + 1 ); out->bv_len = 0; -#undef NIBBLE -#undef ESCAPE_LO -#undef ESCAPE_HI -#define NIBBLE(c) ((c)&0x0f) -#define ESCAPE_LO(c) ( NIBBLE(c) + ( NIBBLE(c) < 10 ? '0' : 'A' - 10 ) ) -#define ESCAPE_HI(c) ( ESCAPE_LO((c)>>4) ) - for( i=0; i < in->bv_len ; i++ ) { if( FILTER_ESCAPE(in->bv_val[i]) ) { - out->bv_val[out->bv_len++] = '\\'; - out->bv_val[out->bv_len++] = ESCAPE_HI( in->bv_val[i] ); - out->bv_val[out->bv_len++] = ESCAPE_LO( in->bv_val[i] ); + out->bv_val[out->bv_len++] = SLAP_ESCAPE_CHAR; + out->bv_val[out->bv_len++] = SLAP_ESCAPE_HI( in->bv_val[i] ); + out->bv_val[out->bv_len++] = SLAP_ESCAPE_LO( in->bv_val[i] ); } else { out->bv_val[out->bv_len++] = in->bv_val[i]; } @@ -719,5 +712,3 @@ int filter_escape_value( out->bv_val[out->bv_len] = '\0'; return LDAP_SUCCESS; } - - diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index 96f60159fb..a21ad0b2a6 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -169,8 +169,8 @@ do_modify( goto cleanup; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); @@ -183,14 +183,6 @@ do_modify( goto cleanup; } - if ( global_readonly || be->be_readonly ) { - Debug( LDAP_DEBUG_ANY, "do_modify: database is read-only\n", - 0, 0, 0 ); - send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, - NULL, "directory is read-only", NULL, NULL ); - goto cleanup; - } - /* deref suffix alias if appropriate */ ndn = suffix_alias( be, ndn ); diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c index b77e7d8f23..e5acfd1f83 100644 --- a/servers/slapd/modrdn.c +++ b/servers/slapd/modrdn.c @@ -165,8 +165,8 @@ do_modrdn( goto cleanup; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); @@ -179,14 +179,6 @@ do_modrdn( goto cleanup; } - if ( global_readonly || be->be_readonly ) { - Debug( LDAP_DEBUG_ANY, "do_modrdn: database is read-only\n", - 0, 0, 0 ); - send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, - NULL, "database is read-only", NULL, NULL ); - goto cleanup; - } - /* Make sure that the entry being changed and the newSuperior are in * the same backend, otherwise we return an error. */ diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c index 7580f7c661..547fb44c22 100644 --- a/servers/slapd/passwd.c +++ b/servers/slapd/passwd.c @@ -38,9 +38,8 @@ int passwd_extop( return LDAP_STRONG_AUTH_REQUIRED; } - if( conn->c_authz_backend != NULL && conn->c_authz_backend->be_extended ) - { - if( global_readonly || conn->c_authz_backend->be_readonly ) { + if( conn->c_authz_backend != NULL && conn->c_authz_backend->be_extended ) { + if( conn->c_authz_backend->be_restrictops & SLAP_RESTRICT_OP_MODIFY ) { *text = "authorization database is read only"; rc = LDAP_UNWILLING_TO_PERFORM; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index e54ed9aa56..5789dc7925 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -159,10 +159,11 @@ LDAP_SLAPD_F (int) be_entry_release_rw LDAP_P(( Backend *be, Entry *e, int rw )) LDAP_SLAPD_F (int) backend_unbind LDAP_P((Connection *conn, Operation *op)); -LDAP_SLAPD_F( int ) backend_check_controls LDAP_P(( +LDAP_SLAPD_F( int ) backend_check_restrictions LDAP_P(( Backend *be, Connection *conn, Operation *op, + const char *extoid, const char **text )); LDAP_SLAPD_F( int ) backend_check_referrals LDAP_P(( @@ -751,6 +752,11 @@ LDAP_SLAPD_F (int) krbv4_ldap_auth(); * Other... */ +LDAP_SLAPD_F (slap_mask_t) global_restrictops; +LDAP_SLAPD_F (slap_mask_t) global_disallows; +LDAP_SLAPD_F (slap_mask_t) global_requires; +LDAP_SLAPD_F (slap_ssf_set_t) global_ssf_set; + LDAP_SLAPD_F (struct berval **) default_referral; LDAP_SLAPD_F (char *) replogfile; LDAP_SLAPD_F (const char) Versionstr[]; @@ -758,10 +764,10 @@ LDAP_SLAPD_F (int) defsize; LDAP_SLAPD_F (int) deftime; LDAP_SLAPD_F (int) g_argc; LDAP_SLAPD_F (slap_access_t) global_default_access; -LDAP_SLAPD_F (int) global_readonly; LDAP_SLAPD_F (int) global_lastmod; LDAP_SLAPD_F (int) global_idletimeout; LDAP_SLAPD_F (int) global_schemacheck; +LDAP_SLAPD_F (char) *global_host; LDAP_SLAPD_F (char) *global_realm; LDAP_SLAPD_F (char) *default_passwd_hash; LDAP_SLAPD_F (int) lber_debug; diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 7363716c92..f776f7d44d 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -25,7 +25,6 @@ #include #endif -static char *sasl_host = NULL; static sasl_security_properties_t sasl_secprops; @@ -195,13 +194,8 @@ int slap_sasl_init( void ) return -1; } - if( sasl_host == NULL ) { - sasl_host = ldap_pvt_get_fqdn( NULL ); - } - - Debug( LDAP_DEBUG_TRACE, - "slap_sasl_init: %s initialized!\n", - sasl_host, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n", + 0, 0, 0 ); /* default security properties */ memset( &sasl_secprops, '\0', sizeof(sasl_secprops) ); @@ -259,8 +253,12 @@ int slap_sasl_open( Connection *conn ) session_callbacks[2].proc = NULL; session_callbacks[2].context = NULL; + if( global_host == NULL ) { + global_host = ldap_pvt_get_fqdn( NULL ); + } + /* create new SASL context */ - sc = sasl_server_new( "ldap", sasl_host, global_realm, + sc = sasl_server_new( "ldap", global_host, global_realm, session_callbacks, SASL_SECURITY_LAYER, &ctx ); if( sc != SASL_OK ) { diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index d3bcb00bdf..bfafb99695 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c @@ -2306,7 +2306,7 @@ struct syntax_defs_rec syntax_defs[] = { struct mrule_defs_rec { char * mrd_desc; - unsigned mrd_usage; + slap_mask_t mrd_usage; slap_mr_convert_func * mrd_convert; slap_mr_normalize_func * mrd_normalize; slap_mr_match_func * mrd_match; diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c index 4a6cd313f8..ecb2ff1f13 100644 --- a/servers/slapd/schema_prep.c +++ b/servers/slapd/schema_prep.c @@ -26,7 +26,7 @@ struct slap_internal_schema slap_schema; static int objectClassMatch( int *matchp, - unsigned flags, + slap_mask_t flags, Syntax *syntax, MatchingRule *mr, struct berval *value, @@ -72,7 +72,7 @@ objectClassMatch( static int structuralObjectClassMatch( int *matchp, - unsigned flags, + slap_mask_t flags, Syntax *syntax, MatchingRule *mr, struct berval *value, diff --git a/servers/slapd/search.c b/servers/slapd/search.c index 653fb886fa..92e36b0ab8 100644 --- a/servers/slapd/search.c +++ b/servers/slapd/search.c @@ -214,8 +214,8 @@ do_search( goto return_results; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 83f927e19d..2129015b93 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -75,9 +75,15 @@ LDAP_BEGIN_DECL #define ASCII_ALPHA(c) ( ASCII_LOWER(c) || ASCII_UPPER(c) ) #define ASCII_DIGIT(c) ( (c) >= '0' && (c) <= '9' ) #define ASCII_ALNUM(c) ( ASCII_ALPHA(c) || ASCII_DIGIT(c) ) - #define ASCII_PRINTABLE(c) ( (c) >= ' ' && (c) <= '~' ) -#define FILTER_ESCAPE(c) ( (c) == '\\' || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) ) + +#define SLAP_NIBBLE(c) ((c)&0x0f) +#define SLAP_ESCAPE_CHAR ('\\') +#define SLAP_ESCAPE_LO(c) ( "0123456789ABCDEF"[SLAP_NIBBLE(c)] ) +#define SLAP_ESCAPE_HI(c) ( SLAP_ESCAPE_LO((c)>>4) ) + +#define FILTER_ESCAPE(c) ( (c) == '*' || (c) == '\\' \ + || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) ) #define DN_SEPARATOR(c) ((c) == ',' || (c) == ';') #define RDN_SEPARATOR(c) ((c) == ',' || (c) == ';' || (c) == '+') @@ -114,9 +120,21 @@ LDAP_BEGIN_DECL LDAP_SLAPD_F (int) slap_debug; -typedef unsigned slap_ssf_t; typedef unsigned long slap_mask_t; +/* Security Strength Factor */ +typedef unsigned slap_ssf_t; + +typedef struct slap_ssf_set { + slap_ssf_t sss_ssf; + slap_ssf_t sss_transport; + slap_ssf_t sss_tls; + slap_ssf_t sss_sasl; + slap_ssf_t sss_update_ssf; + slap_ssf_t sss_update_transport; + slap_ssf_t sss_update_tls; + slap_ssf_t sss_update_sasl; +} slap_ssf_set_t; /* * Index types @@ -619,6 +637,18 @@ typedef enum slap_style_e { ACL_STYLE_EXACT = ACL_STYLE_BASE } slap_style_t; +typedef struct slap_authz_info { + ber_tag_t sai_method; /* LDAP_AUTH_* from */ + char * sai_mech; /* SASL Mechanism */ + char * sai_dn; /* DN for reporting purposes */ + char * sai_ndn; /* Normalized DN */ + + /* Security Strength Factors */ + slap_ssf_t sai_ssf; /* Overall SSF */ + slap_ssf_t sai_transport_ssf; /* Transport SSF */ + slap_ssf_t sai_tls_ssf; /* TLS SSF */ + slap_ssf_t sai_sasl_ssf; /* SASL SSF */ +} AuthorizationInformation; /* the "by" part */ typedef struct slap_access { @@ -683,8 +713,10 @@ typedef struct slap_access { slap_mask_t a_access_mask; + AuthorizationInformation a_authz; +#define a_dn_pat a_authz.sai_dn + slap_style_t a_dn_style; - char *a_dn_pat; AttributeDescription *a_dn_at; int a_dn_self; @@ -802,6 +834,43 @@ struct slap_backend_db { #define be_sync bd_info->bi_tool_sync #endif + slap_mask_t be_restrictops; /* restriction operations */ +#define SLAP_RESTRICT_OP_ADD 0x0001U +#define SLAP_RESTRICT_OP_BIND 0x0002U +#define SLAP_RESTRICT_OP_COMPARE 0x0004U +#define SLAP_RESTRICT_OP_DELETE 0x0008U +#define SLAP_RESTRICT_OP_EXTENDED 0x0010U +#define SLAP_RESTRICT_OP_MODIFY 0x0020U +#define SLAP_RESTRICT_OP_RENAME 0x0040U +#define SLAP_RESTRICT_OP_SEARCH 0x0080U + +#define SLAP_RESTRICT_OP_READS \ + ( SLAP_RESTRICT_OP_COMPARE \ + | SLAP_RESTRICT_OP_SEARCH ) +#define SLAP_RESTRICT_OP_WRITES \ + ( SLAP_RESTRICT_OP_ADD \ + | SLAP_RESTRICT_OP_DELETE \ + | SLAP_RESTRICT_OP_MODIFY \ + | SLAP_RESTRICT_OP_RENAME ) + +#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */ +#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */ +#define SLAP_DISALLOW_BIND_ANON_CRED \ + 0x0004U /* cred should be empty */ +#define SLAP_DISALLOW_BIND_ANON_DN \ + 0x0008U /* dn should be empty */ + + slap_mask_t be_requires; /* pre-operation requirements */ +#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */ +#define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */ +#define SLAP_REQUIRE_AUTHC 0x0004U /* authentication before op */ +#define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */ +#define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */ + + + /* Required Security Strength Factor */ + slap_ssf_set_t be_ssf_set; + /* these should be renamed from be_ to bd_ */ char **be_suffix; /* the DN suffixes of data in this backend */ char **be_nsuffix; /* the normalized DN suffixes in this backend */ @@ -809,7 +878,6 @@ struct slap_backend_db { char *be_root_dn; /* the magic "root" dn for this db */ char *be_root_ndn; /* the magic "root" normalized dn for this db */ struct berval be_root_pw; /* the magic "root" password for this db */ - int be_readonly; /* 1 => db is in "read only" mode */ unsigned int be_max_deref_depth; /* limit for depth of an alias deref */ int be_sizelimit; /* size limit for this backend */ int be_timelimit; /* time limit for this backend */ @@ -980,22 +1048,22 @@ struct slap_backend_info { void *bi_private; /* anything the backend type needs */ }; -typedef struct slap_authz_info { - unsigned sai_ssf; /* Security Strength Factor */ - ber_tag_t sai_method; /* LDAP_AUTH_* from */ - char * sai_mech; /* SASL Mechanism */ - char * sai_dn; /* DN for reporting purposes */ - char * sai_ndn; /* Normalized DN */ -} AuthorizationInformation; - #define c_authtype c_authz.sai_method #define c_authmech c_authz.sai_mech #define c_dn c_authz.sai_dn +#define c_ssf c_authz.sai_ssf +#define c_transport_ssf c_authz.sai_transport_ssf +#define c_tls_ssf c_authz.sai_tls_ssf +#define c_sasl_ssf c_authz.sai_sasl_ssf #define o_authtype o_authz.sai_method #define o_authmech o_authz.sai_mech #define o_dn o_authz.sai_dn #define o_ndn o_authz.sai_ndn +#define o_ssf o_authz.sai_ssf +#define o_transport_ssf o_authz.sai_transport_ssf +#define o_tls_ssf o_authz.sai_tls_ssf +#define o_sasl_ssf o_authz.sai_sasl_ssf /* * represents an operation pending from an ldap client diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c index f59f15adb4..bd12f32c73 100644 --- a/servers/slapd/starttls.c +++ b/servers/slapd/starttls.c @@ -49,6 +49,16 @@ starttls_extop ( goto done; } + /* can't start TLS if there are other op's around */ + if (( conn->c_ops != NULL && + (conn->c_ops != op || op->o_next != NULL)) || + ( conn->c_pending_ops != NULL)) + { + *text = "cannot start TLS when operations our outstanding"; + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + /* fail if TLS could not be initialized */ if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0 || ctx == NULL) @@ -64,16 +74,6 @@ starttls_extop ( goto done; } - /* can't start TLS if there are other op's around */ - if (( conn->c_ops != NULL && - (conn->c_ops != op || op->o_next != NULL)) || - ( conn->c_pending_ops != NULL)) - { - *text = "cannot start TLS when operations our outstanding"; - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - conn->c_is_tls = 1; conn->c_needs_tls_accept = 1; -- 2.39.5