| author | Nathan Kinder <nkinder@redhat.com> | 2009-05-29 08:38:35 -0700 |
|---|---|---|
| committer | Nathan Kinder <nkinder@redhat.com> | 2009-05-29 09:00:35 -0700 |
| commit | 4d32ce1809dfead6697404edaff066608c4bad9d (patch) | |
| tree | 613ad3e9010bffb1f9e5d03ce4aadc921c335b43 /ldap/servers/slapd/libglobs.c | |
| parent | 67aca96ae2c53f74f896439840a82cbccbeb34cf (diff) | |
Add require secure binds switch.
This adds a new configuration attribute named
nsslapd-require-secure-binds. When enabled, a simple bind
will only be allowed over a secure transport (SSL/TLS or a
SASL privacy layer). An attempt to do a simple bind over
an insecure transport will return an LDAP result of
LDAP_CONFIDENTIALITY_REQUIRED. This new setting will not
affect anonymous or unauthenticated binds.
The default setting is to have this option disabled.
Diffstat (limited to 'ldap/servers/slapd/libglobs.c')
| -rw-r--r-- | ldap/servers/slapd/libglobs.c | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 1155c8c7..358a745a 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -606,7 +606,11 @@ static struct config_get_and_set {
 {CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch,
 NULL, 0,
 (void**)&global_slapdFrontendConfig.allow_unauth_binds, CONFIG_ON_OFF,
- (ConfigGetFunc)config_get_unauth_binds_switch}
+ (ConfigGetFunc)config_get_unauth_binds_switch},
+ {CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.require_secure_binds, CONFIG_ON_OFF,
+ (ConfigGetFunc)config_get_require_secure_binds}
 #ifdef MEMPOOL_EXPERIMENTAL
 ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 NULL, 0,
@@ -857,6 +861,7 @@ FrontendConfig_init () {
 cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth");
 #endif
 cfg->allow_unauth_binds = LDAP_OFF;
+ cfg->require_secure_binds = LDAP_OFF;
 cfg->slapi_counters = LDAP_ON;
 cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
 cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -4544,6 +4549,19 @@ config_get_unauth_binds_switch(void)
 }
+int
+config_get_require_secure_binds(void)
+{
+ int retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->require_secure_binds;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+return retVal;
+}
+
+
 int
 config_is_slapd_lite ()
 {
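Review bot: The new switch is initialised to LDAP_OFF in FrontendConfig_init, so a fresh or upgraded server keeps accepting simple binds, and the password they carry, over a cleartext connection until an administrator sets nsslapd-require-secure-binds to on. The commit message states this default is intended, presumably for compatibility with existing clients. A comment on the added line would record that choice, e.g. `/* off by default so existing cleartext clients keep working; turn on to reject simple binds without SSL/TLS or a SASL privacy layer */`. FrontendConfig_init starts and ends outside the hunk.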
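Review bot: config_get_require_secure_binds has no header comment, and its `return retVal;` line appears to start at column 0 while the other body lines carry leading whitespace (the page has collapsed the indentation, so the exact widths are not visible). I would indent the return like the rest of the body and add a one-line comment above the function, e.g. `/* Returns LDAP_ON when simple binds require a secure transport, LDAP_OFF otherwise; reads the value under the config read lock. */`. The read itself is correctly bracketed by CFG_LOCK_READ / CFG_UNLOCK_READ.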
@@ -5310,6 +5328,22 @@ config_set_unauth_binds_switch( const char *attrname, char *value,
 return retVal;
 }
+int
+config_set_require_secure_binds( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff(attrname,
+ value,
+ &(slapdFrontendConfig->require_secure_binds),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
 /*
 * This function is intended to be used from the dse code modify callback. It |
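Review bot: In config_set_require_secure_binds, `retVal` is initialised to LDAP_SUCCESS and then unconditionally overwritten by the config_set_onoff() result, so the initialiser is dead; `return config_set_onoff(attrname, value, &(slapdFrontendConfig->require_secure_binds), errorbuf, apply);` says the same in one statement. The getter takes CFG_LOCK_READ around its read, but no lock is visible in this setter. Presumably config_set_onoff() takes the write lock itself, which is worth confirming since its body is not in this diff. A short comment that this function only stores the switch, and that the bind path is what rejects the request with LDAP_CONFIDENTIALITY_REQUIRED, would help readers, because the diff shown here is limited to libglobs.c.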
