authorNathan Kinder <nkinder@redhat.com>2009-09-24 12:02:29 -0700
committerNathan Kinder <nkinder@redhat.com>2009-09-24 13:50:30 -0700
commitff7d08dc8bd356df7d29c771da420aec2e099e2d (patch)
tree54438d30fe23cf633260dc421fe17530d6c63a27 /ldap/servers/slapd/slap.h
parent64a62ff3bdf7bd7aea8dc4ffae3ffb130e5a34ea (diff)
Allow anonymous access to be disabled.
This adds a new config switch (nsslapd-allow-anonymous-access) that allows one to restrict all anonymous access. When this is enabled, the connection dispatch code will only allow BIND operations through for an unauthenticated user. The BIND code will only allow the operation through if it's not an anonymous or unauthenticated BIND. I also fixed a missing capability in the SELinux policy that I ran into while testing this patch.
Diffstat (limited to 'ldap/servers/slapd/slap.h')
-rw-r--r--ldap/servers/slapd/slap.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index ceb46b2c..ba65781c 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1722,6 +1722,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
#define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
+#define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
#ifndef _WIN32
#define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
#endif /* !_WIN32 */
@@ -2016,6 +2017,7 @@ typedef struct _slapdFrontendConfig {
int slapi_counters; /* switch to turn slapi_counters on/off */
int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
int require_secure_binds; /* switch to require simple binds to use a secure channel */
+ int allow_anon_access; /* switch to enable/disable anonymous access */
size_t maxsasliosize; /* limit incoming SASL IO packet size */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */
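Review bot: The comment on the new `allow_anon_access` field in `_slapdFrontendConfig` does not say which value restricts access or how the switch differs from `allow_unauth_binds` two lines above it. Going by the commit description, turning the switch off leaves only BIND available to an unbound connection and makes the BIND code refuse anonymous and unauthenticated binds, so I would write `int allow_anon_access; /* 0 = unbound connections may only BIND, and anonymous/unauthenticated BINDs are refused; nonzero = anonymous access permitted */`. Because this is an allow-style flag, a zero-filled config struct would read as "deny". The default and its initialisation are not part of this file's diff, so it is worth confirming that the default is set explicitly and that an upgraded server keeps the behaviour the administrator expects. The struct definition starts and ends outside the hunk.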