From ab6e5a77de769f55d55e70d7754ec732385e7067 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@redhat.com>
Date: Wed, 30 Sep 2009 09:33:29 -0700
Subject: Add minimum SSF setting

This adds a new configuration setting to the cn=config entry named
nsslapd-minssf. This can be set to a non-negative integer representing
the minimum key strength required to process operations. The default
setting will be 0.

The SSF for a particular connection will be determined by the key
strength cipher used to protect the connection. If the SSF used for a
connection does not meet the minimum requirement, the operation will be
rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along
with a message stating that the minimum SSF was not met. Notable
exceptions to this are operations that attempt to protect a connection.
These operations are:

    * SASL BIND
    * startTLS

These operations will be allowed to occur on a connection with a SSF
less than the minimum. If the results of these operations end up with
a SSF smaller than the minimum, they will be rejected.  Additionally,
we allow UNBIND and ABANDON operations to go through.

I also corrected a few issues with the anonymous access switch code
that I noticed while testing.  We need to allow the startTLS extended
operation to go through when sent by an anonymous user since it is
common to send startTLS prior to a BIND to protect the credentials.
I also noticed that we were using the authtype from the operation
struct to determine is a user was anonymous when we really should
have been using the DN.  This was causing anonymous operations to
get through on SSL/TLS connections.
---
 ldap/admin/src/scripts/DSMigration.pm.in | 1 +
 1 file changed, 1 insertion(+)

(limited to 'ldap/admin/src/scripts')

diff --git a/ldap/admin/src/scripts/DSMigration.pm.in b/ldap/admin/src/scripts/DSMigration.pm.in
index 64e066b7..2f5641c6 100644
--- a/ldap/admin/src/scripts/DSMigration.pm.in
+++ b/ldap/admin/src/scripts/DSMigration.pm.in
@@ -102,6 +102,7 @@ my %ignoreOld =
 # these are new attrs that we should just pass through
  'nsslapd-allow-unauthenticated-binds' => 'nsslapd-allow-unauthenticated-binds',
  'nsslapd-allow-anonymous-access'  => 'nsslapd-allow-anonymous-access',
+ 'nsslapd-minssf'                  => 'nsslapd-minssf',
  'nsslapd-saslpath'                => 'nsslapd-saslpath',
  'nsslapd-rundir'                  => 'nsslapd-rundir',
  'nsslapd-schemadir'               => 'nsslapd-schemadir',
-- 
cgit