mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-18 11:05:48 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add "allow tls_2_anon" to allow StartTLS to force session to anonymous.

Browse Source 
Add "disallow tls_authc" to disallow StartTLS when session is authenticated.
Create and use connection2anonymous routine for consistency.
This commit is contained in:
Kurt Zeilenga 2000-09-08 22:59:01 +00:00
parent 2c342e894c
commit 2e13824d0d
8 changed files with 109 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
doc/man/man5/slapd.conf.5
View File

@ -72,6 +72,13 @@ attributes (specified by <what>) by one or more requestors (specified
by <who>). by <who>).
See the "OpenLDAP's Administrator's Guide" for details. See the "OpenLDAP's Administrator's Guide" for details.
.TP .TP
.B allow <features>
Specify a set of features (separated by white space) to allow.
.B tls_2_anon
allows Start TLS to force session to anonymous status (see also
.B disallow
.BR tls_authc ).
.TP
.B argsfile <filename> .B argsfile <filename>
The ( absolute ) name of a file that will hold the The ( absolute ) name of a file that will hold the
.B slapd .B slapd
@ -136,6 +143,10 @@ disables anonymous bind creditials are not empty (e.g. when
DN is empty). DN is empty).
.B bind_anon_dn .B bind_anon_dn
disables anonymous bind when DN is not empty. disables anonymous bind when DN is not empty.
.B tls_authc
disables StartTLS if authenticated (see also
.B allow
.BR tls_2_anon ).
.TP .TP
.B idletimeout <integer> .B idletimeout <integer>
Specify the number of seconds to wait before forcibly closing Specify the number of seconds to wait before forcibly closing

23
servers/slapd/bind.c
View File

@ -53,30 +53,11 @@ do_bind(
mech = NULL; mech = NULL;
cred.bv_val = NULL; cred.bv_val = NULL;
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
/* /*
* Force to connection to "anonymous" until bind succeeds. * Force to connection to "anonymous" until bind succeeds.
*/ */
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
if ( conn->c_authmech != NULL ) { connection2anonymous( conn );
free( conn->c_authmech );
conn->c_authmech = NULL;
}
if ( conn->c_cdn != NULL ) {
free( conn->c_cdn );
conn->c_cdn = NULL;
}
if ( conn->c_dn != NULL ) {
free( conn->c_dn );
conn->c_dn = NULL;
}
conn->c_authc_backend = NULL;
conn->c_authz_backend = NULL;
ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
if ( op->o_dn != NULL ) { if ( op->o_dn != NULL ) {

41
servers/slapd/config.c
View File

@ -26,6 +26,7 @@ int deftime = SLAPD_DEFAULT_TIMELIMIT;
AccessControl *global_acl = NULL; AccessControl *global_acl = NULL;
slap_access_t global_default_access = ACL_READ; slap_access_t global_default_access = ACL_READ;
slap_mask_t global_restrictops = 0; slap_mask_t global_restrictops = 0;
slap_mask_t global_allows = 0;
slap_mask_t global_disallows = 0; slap_mask_t global_disallows = 0;
slap_mask_t global_requires = 0; slap_mask_t global_requires = 0;
slap_ssf_set_t global_ssf_set; slap_ssf_set_t global_ssf_set;
@ -506,6 +507,41 @@ read_config( const char *fname )
} }
/* allow these features */
} else if ( strcasecmp( cargv[0], "allows" ) == 0 ||
strcasecmp( cargv[0], "allow" ) == 0 )
{
slap_mask_t allows;
if ( be != NULL ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: allow line must appear prior to database definitions\n",
fname, lineno, 0 );
}
if ( cargc < 2 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: missing feature(s) in \"allow <features>\" line\n",
fname, lineno, 0 );
return( 1 );
}
allows = 0;
for( i=1; i < cargc; i++ ) {
if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
allows |= SLAP_ALLOW_TLS_2_ANON;
} else if( strcasecmp( cargv[i], "none" ) != 0 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown feature %s in \"allow <features>\" line\n",
fname, lineno, cargv[i] );
return( 1 );
}
}
global_allows = allows;
/* disallow these features */ /* disallow these features */
} else if ( strcasecmp( cargv[0], "disallows" ) == 0 || } else if ( strcasecmp( cargv[0], "disallows" ) == 0 ||
strcasecmp( cargv[0], "disallow" ) == 0 ) strcasecmp( cargv[0], "disallow" ) == 0 )
@ -520,7 +556,7 @@ read_config( const char *fname )
if ( cargc < 2 ) { if ( cargc < 2 ) {
Debug( LDAP_DEBUG_ANY, Debug( LDAP_DEBUG_ANY,
"%s: line %d: missing feature(s) in \"disallows <features>\" line\n", "%s: line %d: missing feature(s) in \"disallow <features>\" line\n",
fname, lineno, 0 ); fname, lineno, 0 );
return( 1 ); return( 1 );
} }
@ -540,6 +576,9 @@ read_config( const char *fname )
} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) { } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_ANON_DN; disallows |= SLAP_DISALLOW_BIND_ANON_DN;
} else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
disallows |= SLAP_DISALLOW_TLS_AUTHC;
} else if( strcasecmp( cargv[i], "none" ) != 0 ) { } else if( strcasecmp( cargv[i], "none" ) != 0 ) {
Debug( LDAP_DEBUG_ANY, Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown feature %s in \"disallow <features>\" line\n", "%s: line %d: unknown feature %s in \"disallow <features>\" line\n",

39
servers/slapd/connection.c
View File

@ -473,6 +473,30 @@ long connection_init(
return id; return id;
} }
void connection2anonymous( Connection *c )
{
assert( connections != NULL );
assert( c != NULL );
if(c->c_authmech != NULL ) {
free(c->c_authmech);
c->c_authmech = NULL;
}
if(c->c_dn != NULL) {
free(c->c_dn);
c->c_dn = NULL;
}
if(c->c_cdn != NULL) {
free(c->c_cdn);
c->c_cdn = NULL;
}
c->c_authc_backend = NULL;
c->c_authz_backend = NULL;
}
static void static void
connection_destroy( Connection *c ) connection_destroy( Connection *c )
{ {
@ -492,22 +516,13 @@ connection_destroy( Connection *c )
c->c_activitytime = c->c_starttime = 0; c->c_activitytime = c->c_starttime = 0;
if(c->c_authmech != NULL ) { connection2anonymous( c );
free(c->c_authmech);
c->c_authmech = NULL;
}
if(c->c_dn != NULL) {
free(c->c_dn);
c->c_dn = NULL;
}
if(c->c_cdn != NULL) {
free(c->c_cdn);
c->c_cdn = NULL;
}
if(c->c_listener_url != NULL) { if(c->c_listener_url != NULL) {
free(c->c_listener_url); free(c->c_listener_url);
c->c_listener_url = NULL; c->c_listener_url = NULL;
} }
if(c->c_peer_domain != NULL) { if(c->c_peer_domain != NULL) {
free(c->c_peer_domain); free(c->c_peer_domain);
c->c_peer_domain = NULL; c->c_peer_domain = NULL;

3
servers/slapd/proto-slap.h
View File

@ -286,6 +286,8 @@ LDAP_SLAPD_F (Connection *) connection_first LDAP_P((ber_socket_t *));
LDAP_SLAPD_F (Connection *) connection_next LDAP_P((Connection *, ber_socket_t *)); LDAP_SLAPD_F (Connection *) connection_next LDAP_P((Connection *, ber_socket_t *));
LDAP_SLAPD_F (void) connection_done LDAP_P((Connection *)); LDAP_SLAPD_F (void) connection_done LDAP_P((Connection *));
LDAP_SLAPD_F (void) connection2anonymous LDAP_P((Connection *));
/* /*
* dn.c * dn.c
*/ */
@ -753,6 +755,7 @@ LDAP_SLAPD_F (int) krbv4_ldap_auth();
*/ */
LDAP_SLAPD_F (slap_mask_t) global_restrictops; LDAP_SLAPD_F (slap_mask_t) global_restrictops;
LDAP_SLAPD_F (slap_mask_t) global_allows;
LDAP_SLAPD_F (slap_mask_t) global_disallows; LDAP_SLAPD_F (slap_mask_t) global_disallows;
LDAP_SLAPD_F (slap_mask_t) global_requires; LDAP_SLAPD_F (slap_mask_t) global_requires;
LDAP_SLAPD_F (slap_ssf_set_t) global_ssf_set; LDAP_SLAPD_F (slap_ssf_set_t) global_ssf_set;

8
servers/slapd/slap.h
View File

@ -854,6 +854,8 @@ struct slap_backend_db {
| SLAP_RESTRICT_OP_MODIFY \ | SLAP_RESTRICT_OP_MODIFY \
| SLAP_RESTRICT_OP_RENAME ) | SLAP_RESTRICT_OP_RENAME )
#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */
#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */ #define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */ #define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */
#define SLAP_DISALLOW_BIND_ANON_CRED \ #define SLAP_DISALLOW_BIND_ANON_CRED \
@ -861,6 +863,11 @@ struct slap_backend_db {
#define SLAP_DISALLOW_BIND_ANON_DN \ #define SLAP_DISALLOW_BIND_ANON_DN \
0x0008U /* dn should be empty */ 0x0008U /* dn should be empty */
#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */
#define SLAP_DISALLOW_BIND_KERBEROS 0x0020U /* Kerberos authentication */
#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */
slap_mask_t be_requires; /* pre-operation requirements */ slap_mask_t be_requires; /* pre-operation requirements */
#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */ #define SLAP_REQUIRE_BIND 0x0001U /* bind before op */
#define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */ #define SLAP_REQUIRE_LDAP_V3 0x0002U /* LDAPv3 before op */
@ -868,7 +875,6 @@ struct slap_backend_db {
#define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */ #define SLAP_REQUIRE_SASL 0x0008U /* SASL before op */
#define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */ #define SLAP_REQUIRE_STRONG 0x0010U /* strong authentication before op */
/* Required Security Strength Factor */ /* Required Security Strength Factor */
slap_ssf_set_t be_ssf_set; slap_ssf_set_t be_ssf_set;

15
servers/slapd/starttls.c
View File

@ -59,6 +59,21 @@ starttls_extop (
goto done; goto done;
} }
if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
( conn->c_dn != NULL ) )
{
*text = "cannot start TLS after authentication";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
( conn->c_dn != NULL ) )
{
/* force to anonymous */
connection2anonymous( conn );
}
/* fail if TLS could not be initialized */ /* fail if TLS could not be initialized */
if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0 if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
|| ctx == NULL) || ctx == NULL)

4
servers/slapd/tools/mimic.c
View File

@ -152,3 +152,7 @@ char * slap_sasl_secprops( const char *in )
return NULL; return NULL;
} }
void connection2anonymous( Connection *c )
{
assert(0);
}