From 51aea74259d5b28c76f4e5e273d6d1331c89321d Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Fri, 7 Nov 2008 22:32:57 +0000 Subject: Resolves: 316241 Summary: Add config setting to disable unauthenticated binds. --- ldap/servers/slapd/bind.c | 30 +++++++++++++++++++----------- ldap/servers/slapd/libglobs.c | 40 ++++++++++++++++++++++++++++++++++++++-- ldap/servers/slapd/proto-slap.h | 2 ++ ldap/servers/slapd/slap.h | 2 ++ 4 files changed, 61 insertions(+), 13 deletions(-) (limited to 'ldap/servers') diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c index 152ab791..f52830f7 100644 --- a/ldap/servers/slapd/bind.c +++ b/ldap/servers/slapd/bind.c @@ -259,9 +259,6 @@ do_bind( Slapi_PBlock *pb ) PR_Lock( pb->pb_conn->c_mutex ); - /* According to RFC2251, - * "if the bind fails, the connection will be treated as anonymous". - */ bind_credentials_clear( pb->pb_conn, PR_FALSE, /* do not lock conn */ PR_FALSE /* do not clear external creds. */ ); @@ -442,6 +439,21 @@ do_bind( Slapi_PBlock *pb ) plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN ); } goto free_and_return; + } else if ( cred.bv_len == 0 ) { + /* Increment unauthenticated bind counter */ + slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds); + + /* Refuse the operation if unauthenticated binds are disabled. */ + if (!config_get_unauth_binds_switch()) { + /* As stated in RFC 4513, a server SHOULD by default fail + * Unauthenticated Bind requests with a resultCode of + * unwillingToPerform. */ + send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, + "Unauthenticated binds are not allowed", 0, NULL); + /* increment BindSecurityErrorcount */ + slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors); + goto free_and_return; + } } break; default: 
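Review bot: The new `else if ( cred.bv_len == 0 )` branch increments `dsUnAuthBinds` before it consults `config_get_unauth_binds_switch()`, so that SNMP counter now records refused attempts as well as accepted unauthenticated binds, and each refusal additionally bumps `dsBindSecurityErrors`; either document that on the increment, e.g. `/* counts every unauthenticated bind attempt, whether or not it is then refused */`, or move the increment below the switch check if the variable is meant to count binds that were actually accepted. The refusal itself is well placed: the earlier hunk's `bind_credentials_clear` has already reset the connection to anonymous, and answering unwillingToPerform before any password comparison guarantees that a non-empty DN with an empty password can never be authenticated as that DN. The `break; default:` that follows suggests this sits inside a `switch` on the bind method, so the setting presumably applies to simple binds only; a comment such as `/* simple binds only; SASL mechanisms are handled elsewhere */` would make that explicit if it is the intent. The `if` whose condition precedes this `else if`, and the enclosing do_bind, start outside the hunk.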
@@ -453,26 +465,22 @@ do_bind( Slapi_PBlock *pb ) */ if ( isroot && method == LDAP_AUTH_SIMPLE ) { - if ( cred.bv_len == 0 ) { - /* unauthenticated bind */ - slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds); - - } else { + if (cred.bv_len != 0) { /* a passwd was supplied -- check it */ Slapi_Value cv; slapi_value_init_berval(&cv,&cred); + /* right dn and passwd - authorize */ if ( is_root_dn_pw( slapi_sdn_get_ndn(&sdn), &cv )) { - /* right dn and passwd - authorize */ bind_credentials_set( pb->pb_conn, SLAPD_AUTH_SIMPLE, slapi_ch_strdup( slapi_sdn_get_ndn(&sdn) ), NULL, NULL, NULL , NULL); - /* right dn, wrong passwd - reject with invalid creds */ + /* right dn, wrong passwd - reject with invalid creds */ } else { send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL ); - /* increment BindSecurityErrorcount */ + /* increment BindSecurityErrorcount */ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors); value_done(&cv); goto free_and_return; diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index 9c58d06e..8c84f99f 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -491,7 +491,7 @@ static struct config_get_and_set { {CONFIG_SLAPI_COUNTER_ATTRIBUTE, config_set_slapi_counters, NULL, 0, (void**)&global_slapdFrontendConfig.slapi_counters, CONFIG_ON_OFF, - config_get_slapi_counters}, + (ConfigGetFunc)config_get_slapi_counters}, {CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL, log_set_mindiskspace, SLAPD_ACCESS_LOG, (void**)&global_slapdFrontendConfig.accesslog_minfreespace, CONFIG_INT, NULL}, 
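Review bot: The comment `/* right dn and passwd - authorize */` was moved above the `if ( is_root_dn_pw(...) )` test, where it now reads as describing the whole conditional, while `/* right dn, wrong passwd - reject with invalid creds */` stays indented to the then-block although it labels the `else`; put each comment inside the branch it describes. The new `if (cred.bv_len != 0)` guard also deserves a comment stating the security contract, e.g. `/* empty password: unauthenticated bind (already refused above unless allowed); never authorize as root */`, because with `nsslapd-allow-unauthenticated-binds: on` a root DN with an empty password now skips this block entirely and continues in whatever state the earlier `bind_credentials_clear` left, which the first hunk shows to be anonymous. The statements after this block, and the rest of do_bind, are outside the hunk, so how the fall-through case is completed cannot be confirmed from here.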
@@ -590,7 +590,11 @@ static struct config_get_and_set { config_set_outbound_ldap_io_timeout, NULL, 0, (void **)&global_slapdFrontendConfig.outbound_ldap_io_timeout, - CONFIG_INT, NULL} + CONFIG_INT, NULL}, + {CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch, + NULL, 0, + (void**)&global_slapdFrontendConfig.allow_unauth_binds, CONFIG_ON_OFF, + (ConfigGetFunc)config_get_unauth_binds_switch} #ifdef MEMPOOL_EXPERIMENTAL ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch, NULL, 0, @@ -840,6 +844,7 @@ FrontendConfig_init () { #if defined(ENABLE_AUTO_DN_SUFFIX) cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth"); #endif + cfg->allow_unauth_binds = LDAP_OFF; cfg->slapi_counters = LDAP_ON; cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS; cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN; @@ -4427,6 +4432,20 @@ config_get_outbound_ldap_io_timeout(void) return retVal; } + +int +config_get_unauth_binds_switch(void) +{ + int retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->allow_unauth_binds; + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + + int config_is_slapd_lite () { @@ -5124,6 +5143,23 @@ config_set_outbound_ldap_io_timeout( const char *attrname, char *value, } +int +config_set_unauth_binds_switch( const char *attrname, char *value, + char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + retVal = config_set_onoff(attrname, + value, + &(slapdFrontendConfig->allow_unauth_binds), + errorbuf, + apply); + + return retVal; +} + + /* * This function is intended to be used from the dse code modify callback. It * is "optimized" for that case because it takes a berval** of values, which is diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h index 61a5fe85..12b0e431 100644 --- a/ldap/servers/slapd/proto-slap.h 
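Review bot: `config_get_unauth_binds_switch` has no header comment saying what its return value means or what the default is; add one above the definition, e.g. `/* Returns LDAP_ON if simple binds with a non-empty DN and an empty password (RFC 4513 unauthenticated binds) are accepted; defaults to LDAP_OFF, see FrontendConfig_init. */`. The read-lock pattern matches `config_get_outbound_ldap_io_timeout` directly above it, and the `LDAP_OFF` default added in FrontendConfig_init is the fail-closed choice RFC 4513 recommends, so the behaviour is sound; only the documentation is missing.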
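Review bot: In `config_set_unauth_binds_switch` the initializer in `int retVal = LDAP_SUCCESS;` is dead, because the very next statement overwrites `retVal` with the result of `config_set_onoff`; either return the call directly, `return config_set_onoff(attrname, value, &(slapdFrontendConfig->allow_unauth_binds), errorbuf, apply);`, or keep the variable without the initializer. A one-line header comment would also help, e.g. `/* dse callback for nsslapd-allow-unauthenticated-binds; value validated as on/off by config_set_onoff */`. Whether `config_set_onoff` takes the config write lock is not visible in this diff, so that part of the contract should be confirmed against its definition.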
+++ b/ldap/servers/slapd/proto-slap.h @@ -338,6 +338,7 @@ int config_set_hash_filters( const char *attrname, char *value, char *errorbuf, int config_set_rewrite_rfc1274( const char *attrname, char *value, char *errorbuf, int apply ); int config_set_outbound_ldap_io_timeout( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply ); int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply); int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply); @@ -461,6 +462,7 @@ int config_get_attrname_exceptions(); int config_get_hash_filters(); int config_get_rewrite_rfc1274(); int config_get_outbound_ldap_io_timeout(void); +int config_get_unauth_binds_switch(void); int config_get_csnlogging(); #ifdef MEMPOOL_EXPERIMENTAL int config_get_mempool_switch(); diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h index 38025aae..22451425 100644 --- a/ldap/servers/slapd/slap.h +++ b/ldap/servers/slapd/slap.h @@ -1693,6 +1693,7 @@ typedef struct _slapdEntryPoints { #define CONFIG_USEROC_ATTRIBUTE "nsslapd-useroc" #define CONFIG_USERAT_ATTRIBUTE "nsslapd-userat" #define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab" +#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds" #ifndef _WIN32 #define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser" #endif /* !_WIN32 */ @@ -1981,6 +1982,7 @@ typedef struct _slapdFrontendConfig { char *ldapi_search_base_dn; /* base dn to search for mapped entries */ char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */ int slapi_counters; /* switch to turn slapi_counters on/off */ + int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */ #ifndef _WIN32 struct passwd *localuserinfo; /* userinfo of localuser */ #endif /* _WIN32 */ -- cgit