diff options
author | Nathan Kinder <nkinder@redhat.com> | 2009-09-30 09:33:29 -0700 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2009-09-30 11:55:25 -0700 |
commit | ab6e5a77de769f55d55e70d7754ec732385e7067 (patch) | |
tree | 1dc7e8455aea314347bdb5fa85d353014019a0b3 /ldap/servers/slapd/extendop.c | |
parent | 7cd8196f272d1cfacb767e2d4e6b04db325cae5c (diff) | |
download | ds-ab6e5a77de769f55d55e70d7754ec732385e7067.tar.gz ds-ab6e5a77de769f55d55e70d7754ec732385e7067.tar.xz ds-ab6e5a77de769f55d55e70d7754ec732385e7067.zip |
Add minimum SSF setting
This adds a new configuration setting to the cn=config entry named
nsslapd-minssf. This can be set to a non-negative integer representing
the minimum key strength required to process operations. The default
setting will be 0.
The SSF for a particular connection will be determined by the key
strength cipher used to protect the connection. If the SSF used for a
connection does not meet the minimum requirement, the operation will be
rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along
with a message stating that the minimum SSF was not met. Notable
exceptions to this are operations that attempt to protect a connection.
These operations are:
* SASL BIND
* startTLS
These operations will be allowed to occur on a connection with a SSF
less than the minimum. If the results of these operations end up with
a SSF smaller than the minimum, they will be rejected. Additionally,
we allow UNBIND and ABANDON operations to go through.
I also corrected a few issues with the anonymous access switch code
that I noticed while testing. We need to allow the startTLS extended
operation to go through when sent by an anonymous user since it is
common to send startTLS prior to a BIND to protect the credentials.
I also noticed that we were using the authtype from the operation
struct to determine is a user was anonymous when we really should
have been using the DN. This was causing anonymous operations to
get through on SSL/TLS connections.
Diffstat (limited to 'ldap/servers/slapd/extendop.c')
-rw-r--r-- | ldap/servers/slapd/extendop.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c index d3e6d5a2..003c2ab8 100644 --- a/ldap/servers/slapd/extendop.c +++ b/ldap/servers/slapd/extendop.c @@ -295,6 +295,26 @@ do_extended( Slapi_PBlock *pb ) goto free_and_return; } + if (strcmp(extoid, START_TLS_OID) != 0) { + int minssf = config_get_minssf(); + + /* If anonymous access is disabled and we haven't + * authenticated yet, only allow startTLS. */ + if (!config_get_anon_access_switch() && ((pb->pb_op->o_authtype == NULL) || + (strcasecmp(pb->pb_op->o_authtype, SLAPD_AUTH_NONE) == 0))) { + send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL, + "Anonymous access is not allowed.", 0, NULL ); + goto free_and_return; + } + + /* If the minssf is not met, only allow startTLS. */ + if ((pb->pb_conn->c_sasl_ssf < minssf) && (pb->pb_conn->c_ssl_ssf < minssf)) { + send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, + "Minimum SSF not met.", 0, NULL ); + goto free_and_return; + } + } + /* If a password change is required, only allow the password * modify extended operation */ if (!pb->pb_conn->c_isreplication_session && |