Diffstat (limited to 'ldap/servers/slapd')
-rw-r--r--ldap/servers/slapd/bind.c20
-rw-r--r--ldap/servers/slapd/connection.c15
-rw-r--r--ldap/servers/slapd/libglobs.c37
-rw-r--r--ldap/servers/slapd/proto-slap.h2
-rw-r--r--ldap/servers/slapd/slap.h2
5 files changed, 72 insertions, 4 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 359252f4..bf54d3ca 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -424,10 +424,19 @@ do_bind( Slapi_PBlock *pb )
/* accept null binds */
if (dn == NULL || *dn == '\0') {
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds);
- /* by definition its anonymous is also UnAuthenticated so increment
+ /* by definition anonymous is also unauthenticated so increment
that counter */
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
+ /* Refuse the operation if anonymous access is disabled. */
+ if (!config_get_anon_access_switch()) {
+ send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+ "Anonymous access is not allowed", 0, NULL);
+ /* increment BindSecurityErrorcount */
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+ goto free_and_return;
+ }
+
/* call preop plugins */
if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
if ( auth_response_requested ) {
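Review bot: The refusal block added here (send_ldap_result with LDAP_INAPPROPRIATE_AUTH, dsBindSecurityErrors increment, goto free_and_return) is duplicated verbatim in the second do_bind hunk at L41-L48, and its diagnostic "Anonymous access is not allowed" differs from the "Anonymous access is not allowed." sent by connection.c, so the same policy produces two client-visible strings that monitoring has to match separately. Both places could call one static helper that sends the result and bumps the counter, leaving only the `goto` at each site; the free_and_return label and the rest of do_bind lie outside the hunk, so the helper must not touch pblock state the caller still frees. Whichever spelling is kept, use it in connection.c too.
```c
/* Refuse a bind that would leave the connection anonymous when
 * nsslapd-allow-anonymous-access is off; returns 1 when a result
 * has already been sent and the caller must bail out. */
static int
bind_refuse_if_anon_disabled(Slapi_PBlock *pb)
{
    if (config_get_anon_access_switch()) {
        return 0;
    }
    send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
                     "Anonymous access is not allowed", 0, NULL);
    /* increment BindSecurityErrorcount */
    slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
    return 1;
}

/* … in do_bind, at both the null-DN and the unauthenticated-bind site … */
if (bind_refuse_if_anon_disabled(pb)) {
    goto free_and_return;
}
```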
@@ -444,6 +453,15 @@ do_bind( Slapi_PBlock *pb )
/* Increment unauthenticated bind counter */
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
+ /* Refuse the operation if anonymous access is disabled. */
+ if (!config_get_anon_access_switch()) {
+ send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+ "Anonymous access is not allowed", 0, NULL);
+ /* increment BindSecurityErrorcount */
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+ goto free_and_return;
+ }
+
/* Refuse the operation if unauthenticated binds are disabled. */
if (!config_get_unauth_binds_switch()) {
/* As stated in RFC 4513, a server SHOULD by default fail
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 8b1e2e5a..4dd81f97 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -480,8 +480,21 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb)
/* Copy the Connection DN into the operation struct */
op_copy_identity( conn, op );
- /* process the operation */
+ /* If anonymous access is disabled and the connection is
+ * not authenticated, only allow the BIND operation. */
+ if (!config_get_anon_access_switch() && (op->o_tag != LDAP_REQ_BIND) &&
+ ((op->o_authtype == NULL) || (strcasecmp(op->o_authtype, SLAPD_AUTH_NONE) == 0))) {
+ slapi_log_access( LDAP_DEBUG_STATS,
+ "conn=%" NSPRIu64 " op=%d UNPROCESSED OPERATION\n",
+ conn->c_connid, op->o_opid );
+
+ send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+ "Anonymous access is not allowed.",
+ 0, NULL );
+ return;
+ }
+ /* process the operation */
switch ( op->o_tag ) {
case LDAP_REQ_BIND:
operation_set_type(op,SLAPI_OPERATION_BIND);
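Review bot: The new guard at L63-L64 exempts only LDAP_REQ_BIND, so an unauthenticated connection's UNBIND and ABANDON are also rejected with a result PDU, although neither request has a response in the protocol (unless send_ldap_result already suppresses output for them, which is not visible here). Extended requests are blocked too, which presumably includes StartTLS; combined with require_secure_binds (set in the same config struct, L98) a client would have no way to reach a secure channel before binding, so that interaction needs to be confirmed and documented on the option. I would at least widen the condition to `if (!config_get_anon_access_switch() && (op->o_tag != LDAP_REQ_BIND) && (op->o_tag != LDAP_REQ_UNBIND) && (op->o_tag != LDAP_REQ_ABANDON) &&` and decide separately how the StartTLS extended operation is recognised at this point. The remainder of connection_dispatch_operation lies outside the hunk.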
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 3d203534..5eb1afd5 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -609,7 +609,11 @@ static struct config_get_and_set {
{CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds,
NULL, 0,
(void**)&global_slapdFrontendConfig.require_secure_binds, CONFIG_ON_OFF,
- (ConfigGetFunc)config_get_require_secure_binds}
+ (ConfigGetFunc)config_get_require_secure_binds},
+ {CONFIG_ANON_ACCESS_ATTRIBUTE, config_set_anon_access_switch,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.allow_anon_access, CONFIG_ON_OFF,
+ (ConfigGetFunc)config_get_anon_access_switch}
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
@@ -861,6 +865,7 @@ FrontendConfig_init () {
#endif
cfg->allow_unauth_binds = LDAP_OFF;
cfg->require_secure_binds = LDAP_OFF;
+ cfg->allow_anon_access = LDAP_ON;
cfg->slapi_counters = LDAP_ON;
cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -4557,7 +4562,19 @@ config_get_require_secure_binds(void)
retVal = slapdFrontendConfig->require_secure_binds;
CFG_UNLOCK_READ(slapdFrontendConfig);
-return retVal;
+ return retVal;
+}
+
+int
+config_get_anon_access_switch(void)
+{
+ int retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->allow_anon_access;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
}
int
@@ -5336,6 +5353,22 @@ config_set_require_secure_binds( const char *attrname, char *value,
return retVal;
}
+int
+config_set_anon_access_switch( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff(attrname,
+ value,
+ &(slapdFrontendConfig->allow_anon_access),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
/*
* This function is intended to be used from the dse code modify callback. It
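Review bot: In config_set_anon_access_switch the initialisation `int retVal = LDAP_SUCCESS;` is dead, since retVal is unconditionally overwritten by the config_set_onoff call that follows; the body reduces to `return config_set_onoff(attrname, value, &(slapdFrontendConfig->allow_anon_access), errorbuf, apply);`. A one-line comment above the function naming the attribute it backs (`/* nsslapd-allow-anonymous-access: on/off, default on (see FrontendConfig_init) */`) would help readers since the getter and the table entry live hundreds of lines apart.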
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 4b1bbdf7..c408f690 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -344,6 +344,7 @@ int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
char *errorbuf, int apply );
int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_anon_access_switch(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
@@ -473,6 +474,7 @@ int config_get_rewrite_rfc1274();
int config_get_outbound_ldap_io_timeout(void);
int config_get_unauth_binds_switch(void);
int config_get_require_secure_binds(void);
+int config_get_anon_access_switch(void);
int config_get_csnlogging();
#ifdef MEMPOOL_EXPERIMENTAL
int config_get_mempool_switch();
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index ceb46b2c..ba65781c 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1722,6 +1722,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
#define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
+#define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
#ifndef _WIN32
#define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
#endif /* !_WIN32 */
@@ -2016,6 +2017,7 @@ typedef struct _slapdFrontendConfig {
int slapi_counters; /* switch to turn slapi_counters on/off */
int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
int require_secure_binds; /* switch to require simple binds to use a secure channel */
+ int allow_anon_access; /* switch to enable/disable anonymous access */
size_t maxsasliosize; /* limit incoming SASL IO packet size */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */