authorNathan Kinder <nkinder@redhat.com>2008-11-07 22:32:57 +0000
committerNathan Kinder <nkinder@redhat.com>2008-11-07 22:32:57 +0000
commit51aea74259d5b28c76f4e5e273d6d1331c89321d (patch)
treeceeef91daa26bddd09fa515b1b56166119f54b7a /ldap/servers
parent53f3ccb2597c9ec636711a1d384a737d953e2937 (diff)
Resolves: 316241
Summary: Add config setting to disable unauthenticated binds.
Diffstat (limited to 'ldap/servers')
-rw-r--r--ldap/servers/slapd/bind.c30
-rw-r--r--ldap/servers/slapd/libglobs.c40
-rw-r--r--ldap/servers/slapd/proto-slap.h2
-rw-r--r--ldap/servers/slapd/slap.h2
4 files changed, 61 insertions, 13 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 152ab791..f52830f7 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -259,9 +259,6 @@ do_bind( Slapi_PBlock *pb )
PR_Lock( pb->pb_conn->c_mutex );
- /* According to RFC2251,
- * "if the bind fails, the connection will be treated as anonymous".
- */
bind_credentials_clear( pb->pb_conn, PR_FALSE, /* do not lock conn */
PR_FALSE /* do not clear external creds. */ );
@@ -442,6 +439,21 @@ do_bind( Slapi_PBlock *pb )
plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
}
goto free_and_return;
+ } else if ( cred.bv_len == 0 ) {
+ /* Increment unauthenticated bind counter */
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
+
+ /* Refuse the operation if unauthenticated binds are disabled. */
+ if (!config_get_unauth_binds_switch()) {
+ /* As stated in RFC 4513, a server SHOULD by default fail
+ * Unauthenticated Bind requests with a resultCode of
+ * unwillingToPerform. */
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ "Unauthenticated binds are not allowed", 0, NULL);
+ /* increment BindSecurityErrorcount */
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+ goto free_and_return;
+ }
}
break;
default:
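Review bot: The `dsUnAuthBinds` increment on the first added line runs before the `config_get_unauth_binds_switch()` check, so a refused unauthenticated bind is counted both as an unauthenticated bind and, after `send_ldap_result`, as a bind security error; that is a sensible attempts-counter semantics, but the comment should say so, e.g. `/* Count the attempt even if it is refused below. */`. The RFC 4513 comment would also be clearer if it tied the refusal to the new setting, since it only applies while `nsslapd-allow-unauthenticated-binds` is off, which the `FrontendConfig_init` hunk in libglobs.c makes the default. The `if` that this `else if` extends begins outside the hunk, so it is not visible here which bind forms reach this branch.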
@@ -453,26 +465,22 @@ do_bind( Slapi_PBlock *pb )
*/
if ( isroot && method == LDAP_AUTH_SIMPLE ) {
- if ( cred.bv_len == 0 ) {
- /* unauthenticated bind */
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
-
- } else {
+ if (cred.bv_len != 0) {
/* a passwd was supplied -- check it */
Slapi_Value cv;
slapi_value_init_berval(&cv,&cred);
+ /* right dn and passwd - authorize */
if ( is_root_dn_pw( slapi_sdn_get_ndn(&sdn), &cv )) {
- /* right dn and passwd - authorize */
bind_credentials_set( pb->pb_conn, SLAPD_AUTH_SIMPLE,
slapi_ch_strdup( slapi_sdn_get_ndn(&sdn) ),
NULL, NULL, NULL , NULL);
- /* right dn, wrong passwd - reject with invalid creds */
+ /* right dn, wrong passwd - reject with invalid creds */
} else {
send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL,
NULL, 0, NULL );
- /* increment BindSecurityErrorcount */
+ /* increment BindSecurityErrorcount */
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
value_done(&cv);
goto free_and_return;
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 9c58d06e..8c84f99f 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -491,7 +491,7 @@ static struct config_get_and_set {
{CONFIG_SLAPI_COUNTER_ATTRIBUTE, config_set_slapi_counters,
NULL, 0,
(void**)&global_slapdFrontendConfig.slapi_counters, CONFIG_ON_OFF,
- config_get_slapi_counters},
+ (ConfigGetFunc)config_get_slapi_counters},
{CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,
log_set_mindiskspace, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_minfreespace, CONFIG_INT, NULL},
@@ -590,7 +590,11 @@ static struct config_get_and_set {
config_set_outbound_ldap_io_timeout,
NULL, 0,
(void **)&global_slapdFrontendConfig.outbound_ldap_io_timeout,
- CONFIG_INT, NULL}
+ CONFIG_INT, NULL},
+ {CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.allow_unauth_binds, CONFIG_ON_OFF,
+ (ConfigGetFunc)config_get_unauth_binds_switch}
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
@@ -840,6 +844,7 @@ FrontendConfig_init () {
#if defined(ENABLE_AUTO_DN_SUFFIX)
cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth");
#endif
+ cfg->allow_unauth_binds = LDAP_OFF;
cfg->slapi_counters = LDAP_ON;
cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
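Review bot: `cfg->allow_unauth_binds = LDAP_OFF;` is the line that makes the server refuse unauthenticated binds out of the box, and among the unexplained neighbouring defaults a reader may take it for an arbitrary choice; a short trailing comment such as `/* off by default, as RFC 4513 recommends for unauthenticated binds */` records the rationale next to the value. The rest of `FrontendConfig_init` lies outside the hunk.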
@@ -4427,6 +4432,20 @@ config_get_outbound_ldap_io_timeout(void)
return retVal;
}
+
+int
+config_get_unauth_binds_switch(void)
+{
+ int retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->allow_unauth_binds;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+
int
config_is_slapd_lite ()
{
@@ -5124,6 +5143,23 @@ config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
}
+int
+config_set_unauth_binds_switch( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff(attrname,
+ value,
+ &(slapdFrontendConfig->allow_unauth_binds),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
+
/*
* This function is intended to be used from the dse code modify callback. It
* is "optimized" for that case because it takes a berval** of values, which is
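Review bot: In `config_set_unauth_binds_switch`, `int retVal = LDAP_SUCCESS;` is dead, because the next statement unconditionally overwrites `retVal` with the result of `config_set_onoff`; the body reduces to `return config_set_onoff(attrname, value, &(slapdFrontendConfig->allow_unauth_binds), errorbuf, apply);`. Whether `config_set_onoff` takes the config lock itself, as the new getter in the earlier hunk does with `CFG_LOCK_READ`, is not visible here; if it does not, the write to `allow_unauth_binds` is unsynchronised against that reader, and a one-line comment stating which is the case would settle it for the next reviewer.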
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 61a5fe85..12b0e431 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -338,6 +338,7 @@ int config_set_hash_filters( const char *attrname, char *value, char *errorbuf,
int config_set_rewrite_rfc1274( const char *attrname, char *value, char *errorbuf, int apply );
int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
char *errorbuf, int apply );
+int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
@@ -461,6 +462,7 @@ int config_get_attrname_exceptions();
int config_get_hash_filters();
int config_get_rewrite_rfc1274();
int config_get_outbound_ldap_io_timeout(void);
+int config_get_unauth_binds_switch(void);
int config_get_csnlogging();
#ifdef MEMPOOL_EXPERIMENTAL
int config_get_mempool_switch();
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 38025aae..22451425 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1693,6 +1693,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_USEROC_ATTRIBUTE "nsslapd-useroc"
#define CONFIG_USERAT_ATTRIBUTE "nsslapd-userat"
#define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
+#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
#ifndef _WIN32
#define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
#endif /* !_WIN32 */
@@ -1981,6 +1982,7 @@ typedef struct _slapdFrontendConfig {
char *ldapi_search_base_dn; /* base dn to search for mapped entries */
char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
int slapi_counters; /* switch to turn slapi_counters on/off */
+ int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */
#endif /* _WIN32 */
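Review bot: The comment on the new `allow_unauth_binds` field says what the switch does but not its value domain or default; the attribute name is only visible in the `#define` hunk above and the default only in libglobs.c. A comment such as `/* nsslapd-allow-unauthenticated-binds: LDAP_ON/LDAP_OFF, off by default (RFC 4513) */` would let a reader of the struct find both without chasing the other files.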