From ff7d08dc8bd356df7d29c771da420aec2e099e2d Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Thu, 24 Sep 2009 12:02:29 -0700 Subject: Allow anonymous access to be disabled. This adds a new config switch (nsslapd-allow-anonymous-access) that allows one to restrict all anonymous access. When this is enabled, the connection displatch code will only allow BIND operations through for an unauthenticated user. The BIND code will only allow the operation through if it's not an anonymous or unauthenticated BIND. I also fixed a missing capability in the SELinux policy that I ran into while testing this patch. --- ldap/servers/slapd/proto-slap.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'ldap/servers/slapd/proto-slap.h') diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h index 4b1bbdf7..c408f690 100644 --- a/ldap/servers/slapd/proto-slap.h +++ b/ldap/servers/slapd/proto-slap.h @@ -344,6 +344,7 @@ int config_set_outbound_ldap_io_timeout( const char *attrname, char *value, char *errorbuf, int apply ); int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply ); int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_anon_access_switch(const char *attrname, char *value, char *errorbuf, int apply ); int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply); int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply); @@ -473,6 +474,7 @@ int config_get_rewrite_rfc1274(); int config_get_outbound_ldap_io_timeout(void); int config_get_unauth_binds_switch(void); int config_get_require_secure_binds(void); +int config_get_anon_access_switch(void); int config_get_csnlogging(); #ifdef MEMPOOL_EXPERIMENTAL int config_get_mempool_switch(); -- cgit