authorNathan Kinder <nkinder@redhat.com>2009-05-29 08:38:35 -0700
committerNathan Kinder <nkinder@redhat.com>2009-05-29 09:00:35 -0700
commit4d32ce1809dfead6697404edaff066608c4bad9d (patch)
tree613ad3e9010bffb1f9e5d03ce4aadc921c335b43 /ldap/servers/slapd/slap.h
parent67aca96ae2c53f74f896439840a82cbccbeb34cf (diff)
Add require secure binds switch.
This adds a new configuration attribute named nsslapd-require-secure-binds. When enabled, a simple bind will only be allowed over a secure transport (SSL/TLS or a SASL privacy layer). An attempt to do a simple bind over an insecure transport will return an LDAP result of LDAP_CONFIDENTIALITY_REQUIRED. This new setting will not affect anonymous or unauthenticated binds. The default setting is to have this option disabled.
Diffstat (limited to 'ldap/servers/slapd/slap.h')
-rw-r--r--ldap/servers/slapd/slap.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index f0d21910..ffcba46c 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1715,6 +1715,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_USERAT_ATTRIBUTE "nsslapd-userat"
#define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
+#define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
#ifndef _WIN32
#define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
#endif /* !_WIN32 */
@@ -2008,6 +2009,7 @@ typedef struct _slapdFrontendConfig {
char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
int slapi_counters; /* switch to turn slapi_counters on/off */
int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ int require_secure_binds; /* switch to require simple binds to use a secure channel */
size_t maxsasliosize; /* limit incoming SASL IO packet size */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */
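Review bot: The comment on `require_secure_binds` in the second hunk understates the switch's scope, which the commit description spells out: it applies only to simple binds, exempts anonymous and unauthenticated binds, and is off by default. I would write it as `/* switch: reject simple binds with LDAP_CONFIDENTIALITY_REQUIRED unless over SSL/TLS or a SASL privacy layer; anonymous/unauthenticated binds exempt; default off */`. The documentation for the attribute should also say that the server can only refuse the bind after the client has sent it, so the password has already crossed the insecure channel; the switch stops the server from accepting such binds but does not protect the credential in transit. `_slapdFrontendConfig` starts and ends outside the hunk, and neither the enforcement nor the default initialisation is visible in this file's diff, so both need checking in the bind and config code.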