author | Nathan Kinder <nkinder@redhat.com> | 2009-09-30 09:33:29 -0700 |
committer | Nathan Kinder <nkinder@redhat.com> | 2009-09-30 11:55:25 -0700 |
commit | ab6e5a77de769f55d55e70d7754ec732385e7067 (patch) | |
tree | 1dc7e8455aea314347bdb5fa85d353014019a0b3 /ldap/servers/slapd/slap.h | |
parent | 7cd8196f272d1cfacb767e2d4e6b04db325cae5c (diff) | |
Add minimum SSF setting
This adds a new configuration setting to the cn=config entry named
nsslapd-minssf. This can be set to a non-negative integer representing
the minimum key strength required to process operations. The default
setting will be 0.
The SSF for a particular connection will be determined by the key
strength cipher used to protect the connection. If the SSF used for a
connection does not meet the minimum requirement, the operation will be
rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along
with a message stating that the minimum SSF was not met. Notable
exceptions to this are operations that attempt to protect a connection.
These operations are:
* SASL BIND
* startTLS
These operations will be allowed to occur on a connection with a SSF
less than the minimum. If the results of these operations end up with
a SSF smaller than the minimum, they will be rejected. Additionally,
we allow UNBIND and ABANDON operations to go through.
I also corrected a few issues with the anonymous access switch code
that I noticed while testing. We need to allow the startTLS extended
operation to go through when sent by an anonymous user since it is
common to send startTLS prior to a BIND to protect the credentials.
I also noticed that we were using the authtype from the operation
struct to determine if a user was anonymous when we really should
have been using the DN. This was causing anonymous operations to
get through on SSL/TLS connections.
Diffstat (limited to 'ldap/servers/slapd/slap.h')
-rw-r--r-- | ldap/servers/slapd/slap.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index ba65781c..01848172 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -279,6 +279,7 @@ typedef void (*VFP0)(void);
 #define SLAPD_DEFAULT_MAX_THREADS 30 /* connection pool threads */
 #define SLAPD_DEFAULT_MAX_THREADS_PER_CONN 5 /* allowed per connection */
 #define SLAPD_DEFAULT_SCHEMA_IGNORE_TRAILING_SPACES LDAP_OFF
+#define SLAPD_DEFAULT_MIN_SSF 0 /* allow unsecured connections (no privacy or integrity) */
 /* We'd like this number to be prime for the hash into the Connection table */
@@ -1277,6 +1278,7 @@ typedef struct conn {
  void *c_extension; /* plugins are able to extend the Connection object */
  void *c_sasl_conn; /* sasl library connection sasl_conn_t */
  int c_sasl_ssf; /* flag to tell us the SASL SSF */
+ int c_ssl_ssf; /* flag to tell us the SSL/TLS SSF */
  int c_unix_local; /* flag true for LDAPI */
  int c_local_valid; /* flag true if the uid/gid are valid */
  uid_t c_local_uid; /* uid of connecting process */
@@ -1723,6 +1725,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
 #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
 #define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
+#define CONFIG_MINSSF_ATTRIBUTE "nsslapd-minssf"
 #ifndef _WIN32
 #define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
 #endif /* !_WIN32 */
@@ -2018,6 +2021,7 @@ typedef struct _slapdFrontendConfig {
  int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
  int require_secure_binds; /* switch to require simple binds to use a secure channel */
  int allow_anon_access; /* switch to enable/disable anonymous access */
+ int minssf; /* minimum security strength factor (for SASL and SSL/TLS) */
  size_t maxsasliosize; /* limit incoming SASL IO packet size */
 #ifndef _WIN32
  struct passwd *localuserinfo; /* userinfo of localuser */
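Review bot: The comment on the new `c_ssl_ssf` member in the `struct conn` hunk copies the "flag to tell us" wording from `c_sasl_ssf`, but per the commit description this is a strength value compared against `minssf`, not a boolean flag, and nothing here says what the unsecured value is. Because `struct conn` objects live in a connection table (see the "hash into the Connection table" comment in the first hunk) and are presumably reused, a stale non-zero SSF left over from a previous TLS session on the same slot would satisfy the minimum check for a fresh plaintext connection; the reset path that would clear it is outside this diff, so please confirm it zeroes this field. I would document that expectation on the member: `int c_ssl_ssf; /* SSF of the SSL/TLS layer on this connection; 0 when not secured — must be reset when the conn is reused */`. The enclosing `typedef struct conn` begins and ends outside the hunk.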
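Review bot: The new `minssf` member in the `_slapdFrontendConfig` hunk is a signed `int`, while the commit description says the setting accepts only a non-negative integer; the header gives no hint of the accepted range or of what 0 means, so the config parser (not in this diff) is the only place that can enforce it. A short contract on the member would make that visible to anyone adding a second consumer: `int minssf; /* minimum SSF required for operations (nsslapd-minssf); 0 = none required; parser must reject negative values */`. The enclosing `typedef struct _slapdFrontendConfig` begins and ends outside the hunk.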