Diffstat (limited to 'ldap/servers/slapd')
-rw-r--r-- | ldap/servers/slapd/bind.c | 20 | ||||
-rw-r--r-- | ldap/servers/slapd/connection.c | 15 | ||||
-rw-r--r-- | ldap/servers/slapd/libglobs.c | 37 | ||||
-rw-r--r-- | ldap/servers/slapd/proto-slap.h | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/slap.h | 2 |
5 files changed, 72 insertions, 4 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c index 359252f4..bf54d3ca 100644 --- a/ldap/servers/slapd/bind.c +++ b/ldap/servers/slapd/bind.c @@ -424,10 +424,19 @@ do_bind( Slapi_PBlock *pb ) /* accept null binds */ if (dn == NULL || *dn == '\0') { slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds); - /* by definition its anonymous is also UnAuthenticated so increment + /* by definition anonymous is also unauthenticated so increment that counter */ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds); + /* Refuse the operation if anonymous access is disabled. */ + if (!config_get_anon_access_switch()) { + send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, + "Anonymous access is not allowed", 0, NULL); + /* increment BindSecurityErrorcount */ + slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors); + goto free_and_return; + } + /* call preop plugins */ if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){ if ( auth_response_requested ) { @@ -444,6 +453,15 @@ do_bind( Slapi_PBlock *pb ) /* Increment unauthenticated bind counter */ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds); + /* Refuse the operation if anonymous access is disabled. */ + if (!config_get_anon_access_switch()) { + send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, + "Anonymous access is not allowed", 0, NULL); + /* increment BindSecurityErrorcount */ + slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors); + goto free_and_return; + } + /* Refuse the operation if unauthenticated binds are disabled. */ if (!config_get_unauth_binds_switch()) { /* As stated in RFC 4513, a server SHOULD by default fail diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c index 8b1e2e5a..4dd81f97 100644 --- a/ldap/servers/slapd/connection.c +++ b/ldap/servers/slapd/connection.c 
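Review bot: The refusal block added after the dsUnAuthBinds increment in the null-DN branch is duplicated verbatim in the unauthenticated-bind branch of the next hunk, and its message is spelled differently from the one connection.c sends ("Anonymous access is not allowed" here, the same text with a trailing period there), which makes correlating the three refusal sites in logs needlessly fiddly. A shared constant next to CONFIG_ANON_ACCESS_ATTRIBUTE in slap.h, `#define ANON_ACCESS_DENIED_MSG "Anonymous access is not allowed"`, used by all three `send_ldap_result` calls would stop the drift, and the two identical bind.c blocks are a candidate for a small static helper. Note that the anonymous and unauthenticated counters are bumped before the refusal, so a refused anonymous bind is counted as an anonymous bind, an unauthenticated bind and a security error; that looks intentional but deserves a one-line comment. do_bind starts and ends outside this hunk.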
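Review bot: The anonymous-access check inserted ahead of the existing `config_get_unauth_binds_switch()` test reuses the comment from the null-DN path, but here it fires on a bind that supplies a DN with an empty password, which is not obviously "anonymous" to the next reader. The ordering itself is right: RFC 4513 section 5.1.2 gives an unauthenticated bind anonymous authorization, so it has to be refused whenever anonymous access is off regardless of nsslapd-allow-unauthenticated-binds, and the comment should say so: `/* An unauthenticated bind (DN, empty password) yields anonymous authorization (RFC 4513 5.1.2), so refuse it too when anonymous access is disabled. */`. do_bind starts and ends outside this hunk.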
@@ -480,8 +480,21 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb) /* Copy the Connection DN into the operation struct */ op_copy_identity( conn, op ); - /* process the operation */ + /* If anonymous access is disabled and the connection is + * not authenticated, only allow the BIND operation. */ + if (!config_get_anon_access_switch() && (op->o_tag != LDAP_REQ_BIND) && + ((op->o_authtype == NULL) || (strcasecmp(op->o_authtype, SLAPD_AUTH_NONE) == 0))) { + slapi_log_access( LDAP_DEBUG_STATS, + "conn=%" NSPRIu64 " op=%d UNPROCESSED OPERATION\n", + conn->c_connid, op->o_opid ); + + send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL, + "Anonymous access is not allowed.", + 0, NULL ); + return; + } + /* process the operation */ switch ( op->o_tag ) { case LDAP_REQ_BIND: operation_set_type(op,SLAPI_OPERATION_BIND); diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index 3d203534..5eb1afd5 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -609,7 +609,11 @@ static struct config_get_and_set { {CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds, NULL, 0, (void**)&global_slapdFrontendConfig.require_secure_binds, CONFIG_ON_OFF, - (ConfigGetFunc)config_get_require_secure_binds} + (ConfigGetFunc)config_get_require_secure_binds}, + {CONFIG_ANON_ACCESS_ATTRIBUTE, config_set_anon_access_switch, + NULL, 0, + (void**)&global_slapdFrontendConfig.allow_anon_access, CONFIG_ON_OFF, + (ConfigGetFunc)config_get_anon_access_switch} #ifdef MEMPOOL_EXPERIMENTAL ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch, NULL, 0, @@ -861,6 +865,7 @@ FrontendConfig_init () { #endif cfg->allow_unauth_binds = LDAP_OFF; cfg->require_secure_binds = LDAP_OFF; + cfg->allow_anon_access = LDAP_ON; cfg->slapi_counters = LDAP_ON; cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS; cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN; 
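Review bot: The new gate refuses every non-BIND operation on an unauthenticated connection, which includes LDAP_REQ_EXTENDED and therefore StartTLS, so a client on the plain port that wants to bind only over TLS (the combination nsslapd-require-secure-binds on plus nsslapd-allow-anonymous-access off forces exactly that) is refused before it can negotiate TLS, unless the extended-operation path handles this somewhere not visible here. The gate also answers UNBIND and ABANDON with an LDAP result, which RFC 4511 does not permit (neither request has a response), and presumably skips the UNBIND case of the switch below, so the server-side teardown that case performs would not run. I would exempt those tags here and move the extended-operation restriction into do_extended, where the request OID is known and only StartTLS can be allow-listed: `if (!config_get_anon_access_switch() && (op->o_tag != LDAP_REQ_BIND) && (op->o_tag != LDAP_REQ_UNBIND) && (op->o_tag != LDAP_REQ_ABANDON) && (op->o_tag != LDAP_REQ_EXTENDED) && ((op->o_authtype == NULL) || (strcasecmp(op->o_authtype, SLAPD_AUTH_NONE) == 0))) {`. connection_dispatch_operation continues past the hunk, so the remaining switch cases are not shown.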
@@ -4557,7 +4562,19 @@ config_get_require_secure_binds(void) retVal = slapdFrontendConfig->require_secure_binds; CFG_UNLOCK_READ(slapdFrontendConfig); -return retVal; + return retVal; +} + +int +config_get_anon_access_switch(void) +{ + int retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->allow_anon_access; + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; } int @@ -5336,6 +5353,22 @@ config_set_require_secure_binds( const char *attrname, char *value, return retVal; } +int +config_set_anon_access_switch( const char *attrname, char *value, + char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + retVal = config_set_onoff(attrname, + value, + &(slapdFrontendConfig->allow_anon_access), + errorbuf, + apply); + + return retVal; +} + /* * This function is intended to be used from the dse code modify callback. It diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h index 4b1bbdf7..c408f690 100644 --- a/ldap/servers/slapd/proto-slap.h +++ b/ldap/servers/slapd/proto-slap.h @@ -344,6 +344,7 @@ int config_set_outbound_ldap_io_timeout( const char *attrname, char *value, char *errorbuf, int apply ); int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply ); int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_anon_access_switch(const char *attrname, char *value, char *errorbuf, int apply ); int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply); int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply); 
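Review bot: In `config_set_anon_access_switch`, `retVal` is initialised to LDAP_SUCCESS and then unconditionally overwritten by the `config_set_onoff` result, so the initialiser is a dead store; the body could simply be `return config_set_onoff(attrname, value, &(slapdFrontendConfig->allow_anon_access), errorbuf, apply);`. Neither this setter nor the new `config_get_anon_access_switch` in the previous hunk has a header comment; a one-liner such as `/* Setter for nsslapd-allow-anonymous-access: parses the on/off value and, when apply is set, stores it in allow_anon_access via config_set_onoff. */` would match what the body shows. The getter takes CFG_LOCK_READ while the setter relies on config_set_onoff for any locking, which is not visible here; worth confirming the write side is symmetric.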
@@ -473,6 +474,7 @@ int config_get_rewrite_rfc1274(); int config_get_outbound_ldap_io_timeout(void); int config_get_unauth_binds_switch(void); int config_get_require_secure_binds(void); +int config_get_anon_access_switch(void); int config_get_csnlogging(); #ifdef MEMPOOL_EXPERIMENTAL int config_get_mempool_switch(); diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h index ceb46b2c..ba65781c 100644 --- a/ldap/servers/slapd/slap.h +++ b/ldap/servers/slapd/slap.h @@ -1722,6 +1722,7 @@ typedef struct _slapdEntryPoints { #define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab" #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds" #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds" +#define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access" #ifndef _WIN32 #define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser" #endif /* !_WIN32 */ @@ -2016,6 +2017,7 @@ typedef struct _slapdFrontendConfig { int slapi_counters; /* switch to turn slapi_counters on/off */ int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */ int require_secure_binds; /* switch to require simple binds to use a secure channel */ + int allow_anon_access; /* switch to enable/disable anonymous access */ size_t maxsasliosize; /* limit incoming SASL IO packet size */ #ifndef _WIN32 struct passwd *localuserinfo; /* userinfo of localuser */ |
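Review bot: The comment on the new `allow_anon_access` field, "switch to enable/disable anonymous access", understates what the switch does in this commit: with it off, bind.c refuses anonymous and unauthenticated binds and connection.c refuses every non-BIND operation on an unauthenticated connection. Suggested comment: `int allow_anon_access; /* nsslapd-allow-anonymous-access: when off, anonymous and unauthenticated binds are refused and an unauthenticated connection may only issue BIND; defaults to on */`. The default is set to LDAP_ON in FrontendConfig_init, so existing deployments keep their current behaviour until the attribute is explicitly turned off.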