Allow anonymous access to be disabled.

This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access.  When this is enabled,
the connection displatch code will only allow BIND operations through
for an unauthenticated user.  The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.

I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.

5 files changed, 72 insertions, 4 deletions

diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 359252f4..bf54d3ca 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -424,10 +424,19 @@ do_bind( Slapi_PBlock *pb )
         /* accept null binds */
         if (dn == NULL || *dn == '\0') {
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds);
-            /* by definition its anonymous is also UnAuthenticated so increment 
+            /* by definition anonymous is also unauthenticated so increment 
                that counter */
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
 
+            /* Refuse the operation if anonymous access is disabled. */
+            if (!config_get_anon_access_switch()) {
+                send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                                 "Anonymous access is not allowed", 0, NULL);
+                /* increment BindSecurityErrorcount */
+                slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+                goto free_and_return;
+            }
+
             /* call preop plugins */
             if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
                 if ( auth_response_requested ) {
@@ -444,6 +453,15 @@ do_bind( Slapi_PBlock *pb )
             /* Increment unauthenticated bind counter */
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
 
+            /* Refuse the operation if anonymous access is disabled. */
+            if (!config_get_anon_access_switch()) {
+                send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                                 "Anonymous access is not allowed", 0, NULL);
+                /* increment BindSecurityErrorcount */
+                slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+                goto free_and_return;
+            }
+
             /* Refuse the operation if unauthenticated binds are disabled. */
             if (!config_get_unauth_binds_switch()) {
                 /* As stated in RFC 4513, a server SHOULD by default fail
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 8b1e2e5a..4dd81f97 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -480,8 +480,21 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb)
 	/* Copy the Connection DN into the operation struct */
 	op_copy_identity( conn, op );
 
-	/* process the operation */
+	/* If anonymous access is disabled and the connection is
+	 * not authenticated, only allow the BIND operation. */
+	if (!config_get_anon_access_switch() && (op->o_tag != LDAP_REQ_BIND) &&
+            ((op->o_authtype == NULL) || (strcasecmp(op->o_authtype, SLAPD_AUTH_NONE) == 0))) {
+		slapi_log_access( LDAP_DEBUG_STATS,
+			"conn=%" NSPRIu64 " op=%d UNPROCESSED OPERATION\n",
+            		conn->c_connid, op->o_opid );
+
+		send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                                  "Anonymous access is not allowed.",
+                                  0, NULL );
+		return;
+	}
 
+	/* process the operation */
 	switch ( op->o_tag ) {
 	case LDAP_REQ_BIND:
 		operation_set_type(op,SLAPI_OPERATION_BIND);
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 3d203534..5eb1afd5 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -609,7 +609,11 @@ static struct config_get_and_set {
 	{CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.require_secure_binds, CONFIG_ON_OFF,
-		(ConfigGetFunc)config_get_require_secure_binds}
+		(ConfigGetFunc)config_get_require_secure_binds},
+	{CONFIG_ANON_ACCESS_ATTRIBUTE, config_set_anon_access_switch,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.allow_anon_access, CONFIG_ON_OFF,
+		(ConfigGetFunc)config_get_anon_access_switch}
 #ifdef MEMPOOL_EXPERIMENTAL
 	,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 		NULL, 0,
@@ -861,6 +865,7 @@ FrontendConfig_init () {
 #endif
   cfg->allow_unauth_binds = LDAP_OFF;
   cfg->require_secure_binds = LDAP_OFF;
+  cfg->allow_anon_access = LDAP_ON;
   cfg->slapi_counters = LDAP_ON;
   cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
   cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -4557,7 +4562,19 @@ config_get_require_secure_binds(void)
 	retVal = slapdFrontendConfig->require_secure_binds;
 	CFG_UNLOCK_READ(slapdFrontendConfig);
 
-return retVal;
+	return retVal;
+}
+
+int
+config_get_anon_access_switch(void)
+{
+	int retVal;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	CFG_LOCK_READ(slapdFrontendConfig);
+	retVal = slapdFrontendConfig->allow_anon_access;
+	CFG_UNLOCK_READ(slapdFrontendConfig);
+
+	return retVal;
 }
 
 int
@@ -5336,6 +5353,22 @@ config_set_require_secure_binds( const char *attrname, char *value,
 	return retVal;
 }
 
+int
+config_set_anon_access_switch( const char *attrname, char *value,
+		char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->allow_anon_access),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
 
 /*
  * This function is intended to be used from the dse code modify callback.  It
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 4b1bbdf7..c408f690 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -344,6 +344,7 @@ int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
 		char *errorbuf, int apply );
 int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_anon_access_switch(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
 
@@ -473,6 +474,7 @@ int config_get_rewrite_rfc1274();
 int config_get_outbound_ldap_io_timeout(void);
 int config_get_unauth_binds_switch(void);
 int config_get_require_secure_binds(void);
+int config_get_anon_access_switch(void);
 int config_get_csnlogging();
 #ifdef MEMPOOL_EXPERIMENTAL
 int config_get_mempool_switch();
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index ceb46b2c..ba65781c 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1722,6 +1722,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
 #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
+#define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
 #ifndef _WIN32
 #define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
 #endif /* !_WIN32 */
@@ -2016,6 +2017,7 @@ typedef struct _slapdFrontendConfig {
   int slapi_counters;           /* switch to turn slapi_counters on/off */
   int allow_unauth_binds;       /* switch to enable/disable unauthenticated binds */
   int require_secure_binds;	/* switch to require simple binds to use a secure channel */
+  int allow_anon_access;	/* switch to enable/disable anonymous access */
   size_t maxsasliosize;         /* limit incoming SASL IO packet size */
 #ifndef _WIN32
   struct passwd *localuserinfo; /* userinfo of localuser */