authorNathan Kinder <nkinder@redhat.com>2009-05-29 08:38:35 -0700
committerNathan Kinder <nkinder@redhat.com>2009-05-29 09:00:35 -0700
commit4d32ce1809dfead6697404edaff066608c4bad9d (patch)
tree613ad3e9010bffb1f9e5d03ce4aadc921c335b43
parent67aca96ae2c53f74f896439840a82cbccbeb34cf (diff)
Add require secure binds switch.
This adds a new configuration attribute named nsslapd-require-secure-binds. When enabled, a simple bind will only be allowed over a secure transport (SSL/TLS or a SASL privacy layer). An attempt to do a simple bind over an insecure transport will return an LDAP result of LDAP_CONFIDENTIALITY_REQUIRED. This new setting will not affect anonymous or unauthenticated binds. The default setting is to have this option disabled.
-rw-r--r--ldap/ldif/template-dse.ldif.in1
-rw-r--r--ldap/servers/slapd/bind.c24
-rw-r--r--ldap/servers/slapd/libglobs.c36
-rw-r--r--ldap/servers/slapd/proto-slap.h2
-rw-r--r--ldap/servers/slapd/slap.h2
5 files changed, 64 insertions, 1 deletions
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 54a9c4f4..82326d55 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -30,6 +30,7 @@ nsslapd-rewrite-rfc1274: off
nsslapd-return-exact-case: on
nsslapd-ssl-check-hostname: on
nsslapd-allow-unauthenticated-binds: off
+nsslapd-require-secure-binds: off
nsslapd-port: %ds_port%
nsslapd-localuser: %ds_user%
nsslapd-errorlog-logging-enabled: on
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index fbf9a19b..359252f4 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -439,6 +439,7 @@ do_bind( Slapi_PBlock *pb )
plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
}
goto free_and_return;
+ /* Check if unauthenticated binds are allowed. */
} else if ( cred.bv_len == 0 ) {
/* Increment unauthenticated bind counter */
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
@@ -454,6 +455,29 @@ do_bind( Slapi_PBlock *pb )
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
goto free_and_return;
}
+ /* Check if simple binds are allowed over an insecure channel. We only check
+ * this for authenticated binds. */
+ } else if (config_get_require_secure_binds() == 1) {
+ Connection *conn = NULL;
+ int sasl_ssf = 0;
+
+ /* Allow simple binds only for SSL/TLS established connections
+ * or connections using SASL privacy layers */
+ conn = pb->pb_conn;
+ if ( slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
+ slapi_log_error( SLAPI_LOG_PLUGIN, "do_bind",
+ "Could not get SASL SSF from connection\n" );
+ sasl_ssf = 0;
+ }
+
+ if (((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) &&
+ (sasl_ssf <= 1) ) {
+ send_ldap_result(pb, LDAP_CONFIDENTIALITY_REQUIRED, NULL,
+ "Operation requires a secure connection",
+ 0, NULL);
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+ goto free_and_return;
+ }
}
break;
default:
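Review bot: The new branch at L52-L72 rejects every connection that is neither `CONN_FLAG_SSL` nor carrying a SASL SSF above 1, which presumably also covers local unix-domain (LDAPI) connections if the server accepts them (this commit's libglobs.c hunk references `ldapi_auto_dn_suffix`), so enabling the switch could lock local tools out of simple binds; either exempt such connections explicitly or state in the comment at L56-L57 that local sockets count as insecure. `conn = pb->pb_conn` is dereferenced at L65 without a NULL check; if do_bind can run for an internal operation with no connection, a guard is needed — to be confirmed against the caller. The comments added at L42 and L50-L51 sit inside the tail of the preceding block, before its closing brace, rather than under the `else if` they describe; moving each one just after its `} else if (...) {` line reads more naturally. The enclosing do_bind and its switch start and end outside the hunk.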
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 1155c8c7..358a745a 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -606,7 +606,11 @@ static struct config_get_and_set {
{CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch,
NULL, 0,
(void**)&global_slapdFrontendConfig.allow_unauth_binds, CONFIG_ON_OFF,
- (ConfigGetFunc)config_get_unauth_binds_switch}
+ (ConfigGetFunc)config_get_unauth_binds_switch},
+ {CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.require_secure_binds, CONFIG_ON_OFF,
+ (ConfigGetFunc)config_get_require_secure_binds}
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
@@ -857,6 +861,7 @@ FrontendConfig_init () {
cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth");
#endif
cfg->allow_unauth_binds = LDAP_OFF;
+ cfg->require_secure_binds = LDAP_OFF;
cfg->slapi_counters = LDAP_ON;
cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -4544,6 +4549,19 @@ config_get_unauth_binds_switch(void)
}
+int
+config_get_require_secure_binds(void)
+{
+ int retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->require_secure_binds;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+return retVal;
+}
+
+
int
config_is_slapd_lite ()
{
@@ -5310,6 +5328,22 @@ config_set_unauth_binds_switch( const char *attrname, char *value,
return retVal;
}
+int
+config_set_require_secure_binds( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff(attrname,
+ value,
+ &(slapdFrontendConfig->require_secure_binds),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
/*
* This function is intended to be used from the dse code modify callback. It
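Review bot: In config_set_require_secure_binds, `retVal` is initialized to LDAP_SUCCESS at L126 and then unconditionally overwritten by the config_set_onoff result at L129, so the initializer is dead; `return config_set_onoff(attrname, value, &(slapdFrontendConfig->require_secure_binds), errorbuf, apply);` expresses the same in one statement. Neither the setter nor the getter at L103-L113 has a header comment; a one-liner on each such as `/* nsslapd-require-secure-binds: when on, do_bind refuses simple binds over an insecure transport with LDAP_CONFIDENTIALITY_REQUIRED */` would tell the next reader where the switch is consumed. The getter takes CFG_LOCK_READ around the read, consistent with config_get_unauth_binds_switch above it.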
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 41c80b59..6c7426e2 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -343,6 +343,7 @@ int config_set_rewrite_rfc1274( const char *attrname, char *value, char *errorbu
int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
char *errorbuf, int apply );
int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
@@ -471,6 +472,7 @@ int config_get_hash_filters();
int config_get_rewrite_rfc1274();
int config_get_outbound_ldap_io_timeout(void);
int config_get_unauth_binds_switch(void);
+int config_get_require_secure_binds(void);
int config_get_csnlogging();
#ifdef MEMPOOL_EXPERIMENTAL
int config_get_mempool_switch();
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index f0d21910..ffcba46c 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1715,6 +1715,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_USERAT_ATTRIBUTE "nsslapd-userat"
#define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
+#define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
#ifndef _WIN32
#define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
#endif /* !_WIN32 */
@@ -2008,6 +2009,7 @@ typedef struct _slapdFrontendConfig {
char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
int slapi_counters; /* switch to turn slapi_counters on/off */
int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ int require_secure_binds; /* switch to require simple binds to use a secure channel */
size_t maxsasliosize; /* limit incoming SASL IO packet size */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */