From bf3df2f7a65bd6376ab709a4fc58523e4bb8121d Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Mon, 28 Aug 2000 18:38:48 +0000 Subject: [PATCH] restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow... --- servers/slapd/acl.c | 39 ++++++++ servers/slapd/aclparse.c | 123 +++++++++++++++++++++++ servers/slapd/add.c | 12 +-- servers/slapd/backend.c | 195 +++++++++++++++++++++++++++++++++++-- servers/slapd/bind.c | 43 +++++++- servers/slapd/compare.c | 4 +- servers/slapd/config.c | 186 +++++++++++++++++++++++++++++++++-- servers/slapd/connection.c | 21 ++-- servers/slapd/delete.c | 12 +-- servers/slapd/filter.c | 15 +-- servers/slapd/modify.c | 12 +-- servers/slapd/modrdn.c | 12 +-- servers/slapd/passwd.c | 5 +- servers/slapd/proto-slap.h | 9 +- servers/slapd/search.c | 4 +- servers/slapd/slap.h | 94 +++++++++++++++--- 16 files changed, 688 insertions(+), 98 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index f5dbbcd75f..2e18ce48b2 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -636,6 +636,45 @@ acl_mask( } } + if ( b->a_authz.sai_ssf ) { + Debug( LDAP_DEBUG_ACL, "<= check a_authz.sai_ssf: %ud\n", + b->a_authz.sai_ssf, 0, 0 ); + + if ( b->a_authz.sai_ssf > op->o_ssf ) { + continue; + } + } + + if ( b->a_authz.sai_transport_ssf ) { + Debug( LDAP_DEBUG_ACL, + "<= check a_authz.sai_transport_ssf: %ud\n", + b->a_authz.sai_transport_ssf, 0, 0 ); + + if ( b->a_authz.sai_transport_ssf > op->o_transport_ssf ) { + continue; + } + } + + if ( b->a_authz.sai_tls_ssf ) { + Debug( LDAP_DEBUG_ACL, + "<= check a_authz.sai_tls_ssf: %ud\n", + b->a_authz.sai_tls_ssf, 0, 0 ); + + if ( b->a_authz.sai_tls_ssf > op->o_tls_ssf ) { + continue; + } + } + + if ( b->a_authz.sai_sasl_ssf ) { + Debug( LDAP_DEBUG_ACL, + "<= check a_authz.sai_sasl_ssf: %ud\n", + b->a_authz.sai_sasl_ssf, 0, 0 ); + + if ( b->a_authz.sai_sasl_ssf > op->o_sasl_ssf ) { + continue; + } + } + #ifdef SLAPD_ACI_ENABLED if ( b->a_aci_at != NULL ) { Attribute *at; diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index ea8f6b9eed..54661b75da 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -672,6 +672,110 @@ parse_acl( } #endif /* SLAPD_ACI_ENABLED */ + if ( strcasecmp( left, "ssf" ) == 0 ) { + if( b->a_authz.sai_ssf ) { + fprintf( stderr, + "%s: line %d: ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_ssf = atoi( right ); + + if( !b->a_authz.sai_ssf ) { + fprintf( stderr, + "%s: line %d: invalid ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "transport_ssf" ) == 0 ) { + if( b->a_authz.sai_transport_ssf ) { + fprintf( stderr, + "%s: line %d: transport_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no transport_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_transport_ssf = atoi( right ); + + if( !b->a_authz.sai_transport_ssf ) { + fprintf( stderr, + "%s: line %d: invalid transport_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "tls_ssf" ) == 0 ) { + if( b->a_authz.sai_tls_ssf ) { + fprintf( stderr, + "%s: line %d: tls_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no tls_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_tls_ssf = atoi( right ); + + if( !b->a_authz.sai_tls_ssf ) { + fprintf( stderr, + "%s: line %d: invalid tls_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "sasl_ssf" ) == 0 ) { + if( b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, + "%s: line %d: sasl_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no sasl_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_sasl_ssf = atoi( right ); + + if( !b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, + "%s: line %d: invalid sasl_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + if( right != NULL ) { /* unsplit */ right[-1] = '='; @@ -969,6 +1073,7 @@ acl_usage( void ) #ifdef SLAPD_ACI_ENABLED "\t[aci=]\n" #endif + "\t[ssf=] [transport_ssf=] [tls_ssf=] [sasl_ssf=]\n" " ::= [self]{|}\n" " ::= none | auth | compare | search | read | write\n" " ::= {=|+|-}{w|r|s|c|x}+\n" @@ -1129,6 +1234,24 @@ print_access( Access *b ) } #endif + /* Security Strength Factors */ + if ( b->a_authz.sai_ssf ) { + fprintf( stderr, " ssf=%ud", + b->a_authz.sai_ssf ); + } + if ( b->a_authz.sai_transport_ssf ) { + fprintf( stderr, " transport_ssf=%ud", + b->a_authz.sai_transport_ssf ); + } + if ( b->a_authz.sai_tls_ssf ) { + fprintf( stderr, " tls_ssf=%ud", + b->a_authz.sai_tls_ssf ); + } + if ( b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, " sasl_ssf=%ud", + b->a_authz.sai_sasl_ssf ); + } + fprintf( stderr, " %s%s", b->a_dn_self ? "self" : "", accessmask2str( b->a_access_mask, maskbuf ) ); diff --git a/servers/slapd/add.c b/servers/slapd/add.c index d159ea8631..de88b57f86 100644 --- a/servers/slapd/add.c +++ b/servers/slapd/add.c @@ -154,8 +154,8 @@ do_add( Connection *conn, Operation *op ) goto done; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); @@ -168,14 +168,6 @@ do_add( Connection *conn, Operation *op ) goto done; } - if ( global_readonly || be->be_readonly ) { - Debug( LDAP_DEBUG_ANY, "do_add: database is read-only\n", - 0, 0, 0 ); - send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, - NULL, "directory is read-only", NULL, NULL ); - goto done; - } - /* * do the add if 1 && (2 || 3) * 1) there is an add function implemented in this backend; diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index b57bd3684d..ca38d9f330 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -39,12 +39,12 @@ #ifdef SLAPD_TCL #include "back-tcl/external.h" #endif -#ifdef SLAPD_NTDOMAIN -#include "back-domain/external.h" -#endif #ifdef SLAPD_SQL #include "back-sql/external.h" #endif +#ifdef SLAPD_PRIVATE +#include "private/external.h" +#endif static BackendInfo binfo[] = { #if defined(SLAPD_DNSSRV) && !defined(SLAPD_DNSSRV_DYNAMIC) @@ -68,11 +68,12 @@ static BackendInfo binfo[] = { #if defined(SLAPD_TCL) && !defined(SLAPD_TCL_DYNAMIC) {"tcl", tcl_back_initialize}, #endif -#if defined(SLAPD_NTDOMAIN) && !defined(SLAPD_NTDOMAIN_DYNAMIC) - {"ntdom", domain_back_initialize}, -#endif #if defined(SLAPD_SQL) && !defined(SLAPD_SQL_DYNAMIC) {"sql", sql_back_initialize}, +#endif + /* for any private backend */ +#if defined(SLAPD_PRIVATE) && !defined(SLAPD_PRIVATE_DYNAMIC) + {"private", private_back_initialize}, #endif {NULL} }; @@ -393,6 +394,9 @@ backend_db_init( be->be_timelimit = deftime; be->be_dfltaccess = global_default_access; + be->be_restrictops = global_restrictops; + be->be_requires = global_requires; + /* assign a default depth limit for alias deref */ be->be_max_deref_depth = SLAPD_DEFAULT_MAXDEREFDEPTH; @@ -584,7 +588,7 @@ backend_connection_destroy( return 0; } -int +static int backend_check_controls( Backend *be, Connection *conn, @@ -609,6 +613,183 @@ backend_check_controls( return LDAP_SUCCESS; } +int +backend_check_restrictions( + Backend *be, + Connection *conn, + Operation *op, + const char *extoid, + const char **text ) +{ + int rc; + slap_mask_t restrictops; + slap_mask_t requires; + slap_mask_t opflag; + slap_ssf_set_t *ssf; + int updateop = 0; + + if( be ) { + rc = backend_check_controls( be, conn, op, text ); + + if( rc != LDAP_SUCCESS ) { + return rc; + } + + restrictops = be->be_restrictops; + requires = be->be_requires; + ssf = &be->be_ssf_set; + + } else { + restrictops = global_restrictops; + requires = global_requires; + ssf = &global_ssf_set; + } + + switch( op->o_tag ) { + case LDAP_REQ_ADD: + opflag = SLAP_RESTRICT_OP_ADD; + updateop++; + break; + case LDAP_REQ_BIND: + opflag = SLAP_RESTRICT_OP_BIND; + break; + case LDAP_REQ_COMPARE: + opflag = SLAP_RESTRICT_OP_COMPARE; + break; + case LDAP_REQ_DELETE: + updateop++; + opflag = SLAP_RESTRICT_OP_DELETE; + break; + case LDAP_REQ_EXTENDED: + opflag = SLAP_RESTRICT_OP_EXTENDED; + break; + case LDAP_REQ_MODIFY: + updateop++; + opflag = SLAP_RESTRICT_OP_MODIFY; + break; + case LDAP_REQ_RENAME: + updateop++; + opflag = SLAP_RESTRICT_OP_RENAME; + break; + case LDAP_REQ_SEARCH: + opflag = SLAP_RESTRICT_OP_SEARCH; + break; + case LDAP_REQ_UNBIND: + opflag = 0; + break; + default: + *text = "restrict operations internal error"; + return LDAP_OTHER; + } + + if( ( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) ) + && op->o_tag != LDAP_REQ_BIND ) + { + /* these checks don't apply to bind nor StartTLS */ + + if( op->o_tag == LDAP_REQ_EXTENDED ) { + /* threat other extended operations as update ops */ + updateop++; + } + + if( op->o_ssf < ssf->sss_ssf ) { + *text = "confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_transport_ssf < ssf->sss_transport ) { + *text = "transport confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_tls_ssf < ssf->sss_tls ) { + *text = "TLS confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_sasl_ssf < ssf->sss_sasl ) { + *text = "SASL confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + + if( updateop ) { + if( op->o_ssf < ssf->sss_update_ssf ) { + *text = "update confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_transport_ssf < ssf->sss_update_transport ) { + *text = "transport update confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_tls_ssf < ssf->sss_update_tls ) { + *text = "TLS update confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + if( op->o_sasl_ssf < ssf->sss_update_sasl ) { + *text = "SASL update confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + } + + if( requires & SLAP_REQUIRE_STRONG ) { + /* should check mechanism */ + if( op->o_authmech == NULL || + op->o_dn == NULL || *op->o_dn == '\0' ) + { + *text = "SASL authentication required"; + return LDAP_STRONG_AUTH_REQUIRED; + } + } + + if( requires & SLAP_REQUIRE_SASL ) { + if( op->o_authmech == NULL || + op->o_dn == NULL || *op->o_dn == '\0' ) + { + *text = "SASL authentication required"; + return LDAP_STRONG_AUTH_REQUIRED; + } + } + + if( requires & SLAP_REQUIRE_AUTHC ) { + if( op->o_dn == NULL || *op->o_dn == '\0' ) { + *text = "authentication required"; + return LDAP_UNWILLING_TO_PERFORM; + } + } + + if( requires & SLAP_REQUIRE_BIND ) { + int version; + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + version = conn->c_protocol; + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + + if( !version ) { + /* no bind has occurred */ + *text = "BIND required"; + return LDAP_OPERATIONS_ERROR; + } + } + + if( requires & SLAP_REQUIRE_LDAP_V3 ) { + if( op->o_protocol < LDAP_VERSION3 ) { + /* no bind has occurred */ + *text = "operation restricted to LDAPv3 clients"; + return LDAP_OPERATIONS_ERROR; + } + } + } + + if( restrictops & opflag ) { + if( (restrictops & SLAP_RESTRICT_OP_READS) + == SLAP_RESTRICT_OP_READS ) + { + *text = "read operations restricted"; + } else { + *text = "operation restricted"; + } + return LDAP_UNWILLING_TO_PERFORM; + } + + return LDAP_SUCCESS; +} + int backend_check_referrals( Backend *be, Connection *conn, diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index 294c851ce7..446104f6ed 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c @@ -59,6 +59,11 @@ do_bind( * Force to connection to "anonymous" until bind succeeds. */ + if ( conn->c_authmech != NULL ) { + free( conn->c_authmech ); + conn->c_authmech = NULL; + } + if ( conn->c_cdn != NULL ) { free( conn->c_cdn ); conn->c_cdn = NULL; @@ -175,6 +180,13 @@ do_bind( send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, NULL, "requested protocol version not supported", NULL, NULL ); goto cleanup; + + } else if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) && + version < LDAP_VERSION3 ) + { + send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, + NULL, "requested protocol version not allowed", NULL, NULL ); + goto cleanup; } /* we set connection version regardless of whether bind succeeds @@ -269,12 +281,34 @@ do_bind( /* accept "anonymous" binds */ if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) { + rc = LDAP_SUCCESS; + text = NULL; + + if( cred.bv_len && + ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED )) + { + /* cred is not empty, disallow */ + rc = LDAP_INVALID_CREDENTIALS; + + } else if ( ndn != NULL && *ndn != '\0' && + ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN )) + { + /* DN is not empty, disallow */ + rc = LDAP_UNWILLING_TO_PERFORM; + text = "unwilling to allow anonymous bind with non-empty DN"; + + } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) { + /* disallow */ + rc = LDAP_UNWILLING_TO_PERFORM; + text = "anonymous bind disallowed"; + } + /* * we already forced connection to "anonymous", * just need to send success */ - send_ldap_result( conn, op, LDAP_SUCCESS, - NULL, NULL, NULL, NULL ); + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n", version, 0, 0 ); goto cleanup; @@ -302,9 +336,8 @@ do_bind( conn->c_authz_backend = be; - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; - + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); diff --git a/servers/slapd/compare.c b/servers/slapd/compare.c index b8c93fc132..4caa3be6c1 100644 --- a/servers/slapd/compare.c +++ b/servers/slapd/compare.c @@ -105,8 +105,8 @@ do_compare( goto cleanup; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 01ee0a1cd7..86c85ccec5 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -16,7 +16,7 @@ #include "ldap_pvt.h" #include "slap.h" -#define MAXARGS 100 +#define MAXARGS 128 /* * defaults for various global variables @@ -25,7 +25,10 @@ int defsize = SLAPD_DEFAULT_SIZELIMIT; int deftime = SLAPD_DEFAULT_TIMELIMIT; AccessControl *global_acl = NULL; slap_access_t global_default_access = ACL_READ; -int global_readonly = 0; +slap_mask_t global_restrictops = 0; +slap_mask_t global_disallows = 0; +slap_mask_t global_requires = 0; +slap_ssf_set_t global_ssf_set; char *replogfile; int global_lastmod = ON; int global_idletimeout = 0; @@ -451,15 +454,181 @@ read_config( const char *fname ) return( 1 ); } if ( be == NULL ) { - global_readonly = (strcasecmp( cargv[1], "on" ) == 0); + if ( strcasecmp( cargv[1], "on" ) == 0 ) { + global_restrictops |= SLAP_RESTRICT_OP_WRITES; + } else { + global_restrictops &= ~SLAP_RESTRICT_OP_WRITES; + } } else { if ( strcasecmp( cargv[1], "on" ) == 0 ) { - be->be_readonly = 1; + be->be_restrictops |= SLAP_RESTRICT_OP_WRITES; } else { - be->be_readonly = 0; + be->be_restrictops &= ~SLAP_RESTRICT_OP_WRITES; + } + } + + + /* disallow these features */ + } else if ( strcasecmp( cargv[0], "disallows" ) == 0 || + strcasecmp( cargv[0], "disallow" ) == 0 ) + { + slap_mask_t disallows; + + if ( be != NULL ) { + Debug( LDAP_DEBUG_ANY, +"%s: line %d: disallow line must appear prior to database definitions\n", + fname, lineno, 0 ); + } + + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing feature(s) in \"disallows \" line\n", + fname, lineno, 0 ); + return( 1 ); + } + + disallows = 0; + + for( i=1; i < cargc; i++ ) { + if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_V2; + + } else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_ANON_CRED; + + } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_ANON_DN; + + } else if( strcasecmp( cargv[i], "none" ) != 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown feature %s in \"disallow \" line\n", + fname, lineno, cargv[i] ); + return( 1 ); } } + global_disallows = disallows; + + /* require these features */ + } else if ( strcasecmp( cargv[0], "requires" ) == 0 || + strcasecmp( cargv[0], "require" ) == 0 ) + { + slap_mask_t requires; + + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing feature(s) in \"requires \" line\n", + fname, lineno, 0 ); + return( 1 ); + } + + requires = 0; + + for( i=1; i < cargc; i++ ) { + if( strcasecmp( cargv[i], "bind" ) == 0 ) { + requires |= SLAP_REQUIRE_BIND; + + } else if( strcasecmp( cargv[i], "LDAPv3" ) == 0 ) { + requires |= SLAP_REQUIRE_LDAP_V3; + + } else if( strcasecmp( cargv[i], "authc" ) == 0 ) { + requires |= SLAP_REQUIRE_AUTHC; + + } else if( strcasecmp( cargv[i], "SASL" ) == 0 ) { + requires |= SLAP_REQUIRE_SASL; + + } else if( strcasecmp( cargv[i], "strong" ) == 0 ) { + requires |= SLAP_REQUIRE_STRONG; + + } else if( strcasecmp( cargv[i], "none" ) != 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown feature %s in \"requires \" line\n", + fname, lineno, cargv[i] ); + return( 1 ); + } + } + + if ( be == NULL ) { + global_requires = requires; + } else { + be->be_requires = requires; + } + + /* required security factors */ + } else if ( strcasecmp( cargv[0], "security" ) == 0 ) { + slap_ssf_set_t *set; + + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing factor(s) in \"security \" line\n", + fname, lineno, 0 ); + return( 1 ); + } + + if ( be == NULL ) { + set = &global_ssf_set; + } else { + set = &be->be_ssf_set; + } + + for( i=1; i < cargc; i++ ) { + if( strncasecmp( cargv[i], "ssf=", + sizeof("ssf") ) == 0 ) + { + set->sss_ssf = + atoi( &cargv[i][sizeof("ssf")] ); + + } else if( strncasecmp( cargv[i], "transport=", + sizeof("transport") ) == 0 ) + { + set->sss_transport = + atoi( &cargv[i][sizeof("transport")] ); + + } else if( strncasecmp( cargv[i], "tls=", + sizeof("tls") ) == 0 ) + { + set->sss_tls = + atoi( &cargv[i][sizeof("tls")] ); + + } else if( strncasecmp( cargv[i], "sasl=", + sizeof("sasl") ) == 0 ) + { + set->sss_sasl = + atoi( &cargv[i][sizeof("sasl")] ); + + } else if( strncasecmp( cargv[i], "update_ssf=", + sizeof("update_ssf") ) == 0 ) + { + set->sss_update_ssf = + atoi( &cargv[i][sizeof("update_ssf")] ); + + } else if( strncasecmp( cargv[i], "update_transport=", + sizeof("update_transport") ) == 0 ) + { + set->sss_update_transport = + atoi( &cargv[i][sizeof("update_transport")] ); + + } else if( strncasecmp( cargv[i], "update_tls=", + sizeof("update_tls") ) == 0 ) + { + set->sss_update_tls = + atoi( &cargv[i][sizeof("update_tls")] ); + + } else if( strncasecmp( cargv[i], "update_sasl=", + sizeof("update_sasl") ) == 0 ) + { + set->sss_update_sasl = + atoi( &cargv[i][sizeof("update_sasl")] ); + + } else { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown feature %s in \"requires \" line\n", + fname, lineno, cargv[i] ); + return( 1 ); + } + } + + /* where to send clients when we don't hold it */ } else if ( strcasecmp( cargv[0], "referral" ) == 0 ) { if ( cargc < 2 ) { @@ -556,7 +725,12 @@ read_config( const char *fname ) fname, lineno, 0 ); return( 1 ); } - ldap_syslog = atoi( cargv[1] ); + + ldap_syslog = 0; + + for( i=1; i < cargc; i++ ) { + ldap_syslog += atoi( cargv[1] ); + } /* list of replicas of the data in this backend (master only) */ } else if ( strcasecmp( cargv[0], "replica" ) == 0 ) { diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c index 4d2c62ef2e..ecb3b69b70 100644 --- a/servers/slapd/connection.c +++ b/servers/slapd/connection.c @@ -425,8 +425,8 @@ long connection_init( c->c_n_read = 0; c->c_n_write = 0; - /* assume LDAPv3 until bind */ - c->c_protocol = LDAP_VERSION3; + /* set to zero until bind, implies LDAP_VERSION3 */ + c->c_protocol = 0; c->c_activitytime = c->c_starttime = slap_get_time(); @@ -449,6 +449,9 @@ long connection_init( c->c_conn_state = SLAP_C_INACTIVE; c->c_struct_state = SLAP_C_USED; + c->c_ssf = c->c_transport_ssf = ssf; + c->c_tls_ssf = 0; + #ifdef HAVE_TLS if ( use_tls ) { c->c_is_tls = 1; @@ -458,6 +461,7 @@ long connection_init( c->c_needs_tls_accept = 0; } #endif + slap_sasl_open( c ); slap_sasl_external( c, ssf, authid ); @@ -922,16 +926,20 @@ int connection_read(ber_socket_t s) } else if ( rc == 0 ) { void *ssl; - slap_ssf_t ssf; char *authid; c->c_needs_tls_accept = 0; /* we need to let SASL know */ ssl = (void *)ldap_pvt_tls_sb_handle( c->c_sb ); - ssf = (slap_ssf_t) ldap_pvt_tls_get_strength( ssl ); + + c->c_tls_ssf = (slap_ssf_t) ldap_pvt_tls_get_strength( ssl ); + if( c->c_tls_ssf > c->c_ssf ) { + c->c_ssf = c->c_tls_ssf; + } + authid = (char *)ldap_pvt_tls_get_peer( ssl ); - slap_sasl_external( c, ssf, authid ); + slap_sasl_external( c, c->c_tls_ssf, authid ); } connection_return( c ); ldap_pvt_thread_mutex_unlock( &connections_mutex ); @@ -1143,7 +1151,8 @@ static int connection_op_activate( Connection *conn, Operation *op ) arg->co_op->o_ndn = ch_strdup( arg->co_op->o_dn ); (void) dn_normalize( arg->co_op->o_ndn ); - arg->co_op->o_protocol = conn->c_protocol; + arg->co_op->o_protocol = conn->c_protocol + ? conn->c_protocol : LDAP_VERSION3; arg->co_op->o_connid = conn->c_connid; arg->co_op->o_authtype = conn->c_authtype; diff --git a/servers/slapd/delete.c b/servers/slapd/delete.c index d086e1fde1..d3bb5d96fa 100644 --- a/servers/slapd/delete.c +++ b/servers/slapd/delete.c @@ -79,8 +79,8 @@ do_delete( goto cleanup; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); @@ -93,14 +93,6 @@ do_delete( goto cleanup; } - if ( global_readonly || be->be_readonly ) { - Debug( LDAP_DEBUG_ANY, "do_delete: database is read-only\n", - 0, 0, 0 ); - send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, - NULL, "directory is read-only", NULL, NULL ); - goto cleanup; - } - /* deref suffix alias if appropriate */ ndn = suffix_alias( be, ndn ); diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c index 4aa04f3dfb..2999910f78 100644 --- a/servers/slapd/filter.c +++ b/servers/slapd/filter.c @@ -699,18 +699,11 @@ int filter_escape_value( out->bv_val = (char *) ch_malloc( ( in->bv_len * 3 ) + 1 ); out->bv_len = 0; -#undef NIBBLE -#undef ESCAPE_LO -#undef ESCAPE_HI -#define NIBBLE(c) ((c)&0x0f) -#define ESCAPE_LO(c) ( NIBBLE(c) + ( NIBBLE(c) < 10 ? '0' : 'A' - 10 ) ) -#define ESCAPE_HI(c) ( ESCAPE_LO((c)>>4) ) - for( i=0; i < in->bv_len ; i++ ) { if( FILTER_ESCAPE(in->bv_val[i]) ) { - out->bv_val[out->bv_len++] = '\\'; - out->bv_val[out->bv_len++] = ESCAPE_HI( in->bv_val[i] ); - out->bv_val[out->bv_len++] = ESCAPE_LO( in->bv_val[i] ); + out->bv_val[out->bv_len++] = SLAP_ESCAPE_CHAR; + out->bv_val[out->bv_len++] = SLAP_ESCAPE_HI( in->bv_val[i] ); + out->bv_val[out->bv_len++] = SLAP_ESCAPE_LO( in->bv_val[i] ); } else { out->bv_val[out->bv_len++] = in->bv_val[i]; } @@ -719,5 +712,3 @@ int filter_escape_value( out->bv_val[out->bv_len] = '\0'; return LDAP_SUCCESS; } - - diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index 96f60159fb..a21ad0b2a6 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -169,8 +169,8 @@ do_modify( goto cleanup; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); @@ -183,14 +183,6 @@ do_modify( goto cleanup; } - if ( global_readonly || be->be_readonly ) { - Debug( LDAP_DEBUG_ANY, "do_modify: database is read-only\n", - 0, 0, 0 ); - send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, - NULL, "directory is read-only", NULL, NULL ); - goto cleanup; - } - /* deref suffix alias if appropriate */ ndn = suffix_alias( be, ndn ); diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c index b77e7d8f23..e5acfd1f83 100644 --- a/servers/slapd/modrdn.c +++ b/servers/slapd/modrdn.c @@ -165,8 +165,8 @@ do_modrdn( goto cleanup; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); @@ -179,14 +179,6 @@ do_modrdn( goto cleanup; } - if ( global_readonly || be->be_readonly ) { - Debug( LDAP_DEBUG_ANY, "do_modrdn: database is read-only\n", - 0, 0, 0 ); - send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, - NULL, "database is read-only", NULL, NULL ); - goto cleanup; - } - /* Make sure that the entry being changed and the newSuperior are in * the same backend, otherwise we return an error. */ diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c index 7580f7c661..547fb44c22 100644 --- a/servers/slapd/passwd.c +++ b/servers/slapd/passwd.c @@ -38,9 +38,8 @@ int passwd_extop( return LDAP_STRONG_AUTH_REQUIRED; } - if( conn->c_authz_backend != NULL && conn->c_authz_backend->be_extended ) - { - if( global_readonly || conn->c_authz_backend->be_readonly ) { + if( conn->c_authz_backend != NULL && conn->c_authz_backend->be_extended ) { + if( conn->c_authz_backend->be_restrictops & SLAP_RESTRICT_OP_MODIFY ) { *text = "authorization database is read only"; rc = LDAP_UNWILLING_TO_PERFORM; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index e54ed9aa56..2178bf67a9 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -159,10 +159,11 @@ LDAP_SLAPD_F (int) be_entry_release_rw LDAP_P(( Backend *be, Entry *e, int rw )) LDAP_SLAPD_F (int) backend_unbind LDAP_P((Connection *conn, Operation *op)); -LDAP_SLAPD_F( int ) backend_check_controls LDAP_P(( +LDAP_SLAPD_F( int ) backend_check_restrictions LDAP_P(( Backend *be, Connection *conn, Operation *op, + const char *extoid, const char **text )); LDAP_SLAPD_F( int ) backend_check_referrals LDAP_P(( @@ -751,6 +752,11 @@ LDAP_SLAPD_F (int) krbv4_ldap_auth(); * Other... */ +LDAP_SLAPD_F (slap_mask_t) global_restrictops; +LDAP_SLAPD_F (slap_mask_t) global_disallows; +LDAP_SLAPD_F (slap_mask_t) global_requires; +LDAP_SLAPD_F (slap_ssf_set_t) global_ssf_set; + LDAP_SLAPD_F (struct berval **) default_referral; LDAP_SLAPD_F (char *) replogfile; LDAP_SLAPD_F (const char) Versionstr[]; @@ -758,7 +764,6 @@ LDAP_SLAPD_F (int) defsize; LDAP_SLAPD_F (int) deftime; LDAP_SLAPD_F (int) g_argc; LDAP_SLAPD_F (slap_access_t) global_default_access; -LDAP_SLAPD_F (int) global_readonly; LDAP_SLAPD_F (int) global_lastmod; LDAP_SLAPD_F (int) global_idletimeout; LDAP_SLAPD_F (int) global_schemacheck; diff --git a/servers/slapd/search.c b/servers/slapd/search.c index 653fb886fa..92e36b0ab8 100644 --- a/servers/slapd/search.c +++ b/servers/slapd/search.c @@ -214,8 +214,8 @@ do_search( goto return_results; } - /* make sure this backend recongizes critical controls */ - rc = backend_check_controls( be, conn, op, &text ) ; + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index c43b882b54..6d196c4511 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -75,9 +75,15 @@ LDAP_BEGIN_DECL #define ASCII_ALPHA(c) ( ASCII_LOWER(c) || ASCII_UPPER(c) ) #define ASCII_DIGIT(c) ( (c) >= '0' && (c) <= '9' ) #define ASCII_ALNUM(c) ( ASCII_ALPHA(c) || ASCII_DIGIT(c) ) - #define ASCII_PRINTABLE(c) ( (c) >= ' ' && (c) <= '~' ) -#define FILTER_ESCAPE(c) ( (c) == '\\' || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) ) + +#define SLAP_NIBBLE(c) ((c)&0x0f) +#define SLAP_ESCAPE_CHAR ('\\') +#define SLAP_ESCAPE_LO(c) ( "0123456789ABCDEF"[SLAP_NIBBLE(c)] ) +#define SLAP_ESCAPE_HI(c) ( SLAP_ESCAPE_LO((c)>>4) ) + +#define FILTER_ESCAPE(c) ( (c) == '*' || (c) == '\\' \ + || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) ) #define DN_SEPARATOR(c) ((c) == ',' || (c) == ';') #define RDN_SEPARATOR(c) ((c) == ',' || (c) == ';' || (c) == '+') @@ -114,9 +120,21 @@ LDAP_BEGIN_DECL LDAP_SLAPD_F (int) slap_debug; -typedef unsigned slap_ssf_t; typedef unsigned long slap_mask_t; +/* Security Strength Factor */ +typedef unsigned slap_ssf_t; + +typedef struct slap_ssf_set { + slap_ssf_t sss_ssf; + slap_ssf_t sss_transport; + slap_ssf_t sss_tls; + slap_ssf_t sss_sasl; + slap_ssf_t sss_update_ssf; + slap_ssf_t sss_update_transport; + slap_ssf_t sss_update_tls; + slap_ssf_t sss_update_sasl; +} slap_ssf_set_t; /* * Index types @@ -620,6 +638,18 @@ typedef enum slap_style_e { ACL_STYLE_EXACT = ACL_STYLE_BASE } slap_style_t; +typedef struct slap_authz_info { + ber_tag_t sai_method; /* LDAP_AUTH_* from */ + char * sai_mech; /* SASL Mechanism */ + char * sai_dn; /* DN for reporting purposes */ + char * sai_ndn; /* Normalized DN */ + + /* Security Strength Factors */ + slap_ssf_t sai_ssf; /* Overall SSF */ + slap_ssf_t sai_transport_ssf; /* Transport SSF */ + slap_ssf_t sai_tls_ssf; /* TLS SSF */ + slap_ssf_t sai_sasl_ssf; /* SASL SSF */ +} AuthorizationInformation; /* the "by" part */ typedef struct slap_access { @@ -684,8 +714,10 @@ typedef struct slap_access { slap_mask_t a_access_mask; + AuthorizationInformation a_authz; +#define a_dn_pat a_authz.sai_dn + slap_style_t a_dn_style; - char *a_dn_pat; AttributeDescription *a_dn_at; int a_dn_self; @@ -803,6 +835,43 @@ struct slap_backend_db { #define be_sync bd_info->bi_tool_sync #endif + slap_mask_t be_restrictops; /* restriction operations */ +#define SLAP_RESTRICT_OP_ADD 0x0001U +#define SLAP_RESTRICT_OP_BIND 0x0002U +#define SLAP_RESTRICT_OP_COMPARE 0x0004U +#define SLAP_RESTRICT_OP_DELETE 0x0008U +#define SLAP_RESTRICT_OP_EXTENDED 0x0010U +#define SLAP_RESTRICT_OP_MODIFY 0x0020U +#define SLAP_RESTRICT_OP_RENAME 0x0040U +#define SLAP_RESTRICT_OP_SEARCH 0x0080U + +#define SLAP_RESTRICT_OP_READS \ + ( SLAP_RESTRICT_OP_COMPARE \ + | SLAP_RESTRICT_OP_SEARCH ) +#define SLAP_RESTRICT_OP_WRITES \ + ( SLAP_RESTRICT_OP_ADD \ + | SLAP_RESTRICT_OP_DELETE \ + | SLAP_RESTRICT_OP_MODIFY \ + | SLAP_RESTRICT_OP_RENAME ) + +#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */ +#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */ +#define SLAP_DISALLOW_BIND_ANON_CRED \ + 0x0004U /* cred should be empty */ +#define SLAP_DISALLOW_BIND_ANON_DN \ + 0x0008U /* dn should be empty */ + + slap_mask_t be_requires; /* pre-operation requirements */ +#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */ +#define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */ +#define SLAP_REQUIRE_AUTHC 0x0004U /* authentication before op */ +#define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */ +#define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */ + + + /* Required Security Strength Factor */ + slap_ssf_set_t be_ssf_set; + /* these should be renamed from be_ to bd_ */ char **be_suffix; /* the DN suffixes of data in this backend */ char **be_nsuffix; /* the normalized DN suffixes in this backend */ @@ -810,7 +879,6 @@ struct slap_backend_db { char *be_root_dn; /* the magic "root" dn for this db */ char *be_root_ndn; /* the magic "root" normalized dn for this db */ struct berval be_root_pw; /* the magic "root" password for this db */ - int be_readonly; /* 1 => db is in "read only" mode */ unsigned int be_max_deref_depth; /* limit for depth of an alias deref */ int be_sizelimit; /* size limit for this backend */ int be_timelimit; /* time limit for this backend */ @@ -981,22 +1049,22 @@ struct slap_backend_info { void *bi_private; /* anything the backend type needs */ }; -typedef struct slap_authz_info { - unsigned sai_ssf; /* Security Strength Factor */ - ber_tag_t sai_method; /* LDAP_AUTH_* from */ - char * sai_mech; /* SASL Mechanism */ - char * sai_dn; /* DN for reporting purposes */ - char * sai_ndn; /* Normalized DN */ -} AuthorizationInformation; - #define c_authtype c_authz.sai_method #define c_authmech c_authz.sai_mech #define c_dn c_authz.sai_dn +#define c_ssf c_authz.sai_ssf +#define c_transport_ssf c_authz.sai_transport_ssf +#define c_tls_ssf c_authz.sai_tls_ssf +#define c_sasl_ssf c_authz.sai_sasl_ssf #define o_authtype o_authz.sai_method #define o_authmech o_authz.sai_mech #define o_dn o_authz.sai_dn #define o_ndn o_authz.sai_ndn +#define o_ssf o_authz.sai_ssf +#define o_transport_ssf o_authz.sai_transport_ssf +#define o_tls_ssf o_authz.sai_tls_ssf +#define o_sasl_ssf o_authz.sai_sasl_ssf /* * represents an operation pending from an ldap client -- 2.39.5