From 3342ea3b4923df2c2560124a741d66d3012cb20a Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Mon, 11 Sep 2000 18:24:24 +0000 Subject: [PATCH] Add more bind allow/disallow flags --- doc/man/man5/slapd.conf.5 | 25 +++++++---- servers/slapd/bind.c | 88 ++++++++++++++++++++++++++++----------- servers/slapd/config.c | 6 +++ servers/slapd/slap.h | 2 +- 4 files changed, 88 insertions(+), 33 deletions(-) diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 25563576ee..bae64808f0 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -73,7 +73,8 @@ by ). See the "OpenLDAP's Administrator's Guide" for details. .TP .B allow -Specify a set of features (separated by white space) to allow. +Specify a set of features (separated by white space) to +allow (default none). .B tls_2_anon allows Start TLS to force session to anonymous status (see also .B disallow @@ -133,16 +134,21 @@ directives be used instead. .RE .TP .B disallow -Specify a set of features (separated by white space) to disallow. +Specify a set of features (separated by white space) to +disallow (default none). .B bind_v2 disables acceptance of LDAPv2 bind requests. .B bind_anon disables acceptance of anonymous bind requests. .B bind_anon_cred -disables anonymous bind creditials are not empty (e.g. when -DN is empty). +disables anonymous bind creditials are not empty (e.g. +when DN is empty). .B bind_anon_dn disables anonymous bind when DN is not empty. +.B bind_simple +disables simple (bind) authentication. +.B bind_krbv4 +disables Kerberos V4 (bind) authentication. .B tls_authc disables StartTLS if authenticated (see also .B allow 
@@ -253,7 +259,8 @@ cannot find a local database to handle a request. If specified multiple times, each url is provided. .TP .B require -Specify a set of conditions (separated by white space) to require. +Specify a set of conditions (separated by white space) to +require (default none). The directive may be specified globally and/or per-database. .B bind requires bind operation prior to directory operations. @@ -489,7 +496,9 @@ for more information. Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database. This DN may or may not be associated with an entry. An empty root -DN, the default, specifies no root access is to be granted. +DN (the default) specifies no root access is to be granted. It is +recommended that the rootdn only be specified when needed (such as +when initially populating a database). .TP .B rootpw Specify a password (or hash of the password) for the rootdn. @@ -499,8 +508,8 @@ the server (see desription) as well as cleartext. .BR slappasswd (8) may be used to generate a hash of a password. Cleartext -and \fB{CRYPT}\fP passwords are not recommended. The default -is empty imply authentication of the root DN is by other means +and \fB{CRYPT}\fP passwords are not recommended. If empty +(the default), authentication of the root DN is by other means (e.g. SASL). Use of SASL is encouraged. .TP .B suffix diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index c9a00d9421..5358cec384 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c 
@@ -264,38 +264,78 @@ do_bind( ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); } - /* accept "anonymous" binds */ - if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) { - rc = LDAP_SUCCESS; - text = NULL; + if ( method == LDAP_AUTH_SIMPLE ) { + /* accept "anonymous" binds */ + if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) { + rc = LDAP_SUCCESS; + text = NULL; - if( cred.bv_len && - ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED )) - { - /* cred is not empty, disallow */ - rc = LDAP_INVALID_CREDENTIALS; + if( cred.bv_len && + ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED )) + { + /* cred is not empty, disallow */ + rc = LDAP_INVALID_CREDENTIALS; - } else if ( ndn != NULL && *ndn != '\0' && - ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN )) - { - /* DN is not empty, disallow */ + } else if ( ndn != NULL && *ndn != '\0' && + ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN )) + { + /* DN is not empty, disallow */ + rc = LDAP_UNWILLING_TO_PERFORM; + text = "unwilling to allow anonymous bind with non-empty DN"; + + } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) { + /* disallow */ + rc = LDAP_INAPPROPRIATE_AUTH; + text = "anonymous bind disallowed"; + } + + /* + * we already forced connection to "anonymous", + * just need to send success + */ + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); + Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n", + version, 0, 0 ); + goto cleanup; + + } else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) { + /* disallow simple authentication */ rc = LDAP_UNWILLING_TO_PERFORM; - text = "unwilling to allow anonymous bind with non-empty DN"; + text = "unwilling to perform simple authentication"; - } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) { - /* disallow */ - rc = LDAP_UNWILLING_TO_PERFORM; - text = "anonymous bind disallowed"; + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); + Debug( LDAP_DEBUG_TRACE, + "do_bind: v%d simple bind(%s) disallowed\n", + version, 
ndn, 0 ); + goto cleanup; } - /* - * we already forced connection to "anonymous", - * just need to send success - */ +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + } else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) { + if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) { + /* disallow simple authentication */ + rc = LDAP_UNWILLING_TO_PERFORM; + text = "unwilling to perform Kerberos V4 bind"; + + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); + Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n", + version, 0, 0 ); + goto cleanup; + } +#endif + + } else { + rc = LDAP_AUTH_UNKNOWN; + text = "unknown authentication method"; + send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); - Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n", - version, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, + "do_bind: v%d unknown authentication method (%d)\n", + version, method, 0 ); goto cleanup; } diff --git a/servers/slapd/config.c b/servers/slapd/config.c index a95f014157..b364a3066e 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -576,6 +576,12 @@ read_config( const char *fname ) } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) { disallows |= SLAP_DISALLOW_BIND_ANON_DN; + } else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_SIMPLE; + + } else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) { + disallows |= SLAP_DISALLOW_BIND_KRBV4; + } else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) { disallows |= SLAP_DISALLOW_TLS_AUTHC; diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index f986489477..69007e65e9 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h 
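Review bot: The Kerberos V4 branch in this hunk carries the copy-pasted comment `/* disallow simple authentication */`, and its trace line `"do_bind: v%d Kerberos V4 bind\n"` omits the word "disallowed" that the simple-bind branch just above uses, so a log reader cannot tell a refused Kerberos bind from an accepted one; change them to `/* disallow Kerberos V4 authentication */` and `"do_bind: v%d Kerberos V4 bind disallowed\n"`. The new final else branch answers every method other than simple (and Kerberos V4 when LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND is defined) with LDAP_AUTH_UNKNOWN; if SASL binds are not already dispatched earlier in do_bind, outside this hunk, they would now be refused here, which is worth confirming before merging. In the anonymous branch the trace line `"do_bind: v%d anonymous bind\n"` and the "just need to send success" comment are emitted even when rc holds one of the three refusal codes, so the trace does not distinguish an accepted anonymous bind from a refused one; logging rc there (`"do_bind: v%d anonymous bind rc=%d\n", version, rc, 0`) would make refused binds visible in the audit trail. do_bind begins before and continues after the hunk.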
@@ -864,7 +864,7 @@ struct slap_backend_db { 0x0008U /* dn should be empty */ #define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */ -#define SLAP_DISALLOW_BIND_KERBEROS 0x0020U /* Kerberos authentication */ +#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */ #define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */