Add more bind allow/disallow flags

doc/man/man5/slapd.conf.5

@@ -73,7 +73,8 @@ by <who>).
 See the "OpenLDAP's Administrator's Guide" for details.
 .TP
 .B allow <features>
-Specify a set of features (separated by white space) to allow.
+Specify a set of features (separated by white space) to
+allow (default none).
 .B tls_2_anon
 allows Start TLS to force session to anonymous status (see also
 .B disallow
@@ -133,16 +134,21 @@ directives be used instead.
 .RE
 .TP
 .B disallow <features>
-Specify a set of features (separated by white space) to disallow.
+Specify a set of features (separated by white space) to
+disallow (default none).
 .B bind_v2
 disables acceptance of LDAPv2 bind requests.
 .B bind_anon
 disables acceptance of anonymous bind requests.
 .B bind_anon_cred
-disables anonymous bind creditials are not empty (e.g. when
-DN is empty).
+disables anonymous bind creditials are not empty (e.g.
+when DN is empty).
 .B bind_anon_dn
 disables anonymous bind when DN is not empty.
+.B bind_simple
+disables simple (bind) authentication.
+.B bind_krbv4
+disables Kerberos V4 (bind) authentication.
 .B tls_authc
 disables StartTLS if authenticated (see also
 .B allow
@@ -253,7 +259,8 @@ cannot find a local database to handle a request.
 If specified multiple times, each url is provided.
 .TP
 .B require <conditions>
-Specify a set of conditions (separated by white space) to require.
+Specify a set of conditions (separated by white space) to
+require (default none).
 The directive may be specified globally and/or per-database.
 .B bind
 requires bind operation prior to directory operations.
@@ -489,7 +496,9 @@ for more information.
 Specify the distinguished name that is not subject to access control 
 or administrative limit restrictions for operations on this database.
 This DN may or may not be associated with an entry.  An empty root
-DN, the default, specifies no root access is to be granted.
+DN (the default) specifies no root access is to be granted.  It is
+recommended that the rootdn only be specified when needed (such as
+when initially populating a database).
 .TP
 .B rootpw <password>
 Specify a password (or hash of the password) for the rootdn.
@@ -499,8 +508,8 @@ the server (see
 desription) as well as cleartext.
 .BR slappasswd (8) 
 may be used to generate a hash of a password.  Cleartext
-and \fB{CRYPT}\fP passwords are not recommended.  The default
-is empty imply authentication of the root DN is by other means
+and \fB{CRYPT}\fP passwords are not recommended.  If empty
+(the default), authentication of the root DN is by other means
 (e.g. SASL).  Use of SASL is encouraged.
 .TP
 .B suffix <dn suffix>

servers/slapd/bind.c

@@ -264,6 +264,7 @@ do_bind(
 		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 	}
 
+	if ( method == LDAP_AUTH_SIMPLE ) {
 		/* accept "anonymous" binds */
 		if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
 			rc = LDAP_SUCCESS;
@@ -284,7 +285,7 @@ do_bind(
 
 			} else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
 				/* disallow */
-			rc = LDAP_UNWILLING_TO_PERFORM;
+				rc = LDAP_INAPPROPRIATE_AUTH;
 				text = "anonymous bind disallowed";
 			}
 
@@ -297,6 +298,45 @@ do_bind(
 			Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
 		   		version, 0, 0 );
 			goto cleanup;
+
+		} else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) {
+			/* disallow simple authentication */
+			rc = LDAP_UNWILLING_TO_PERFORM;
+			text = "unwilling to perform simple authentication";
+
+			send_ldap_result( conn, op, rc,
+				NULL, text, NULL, NULL );
+			Debug( LDAP_DEBUG_TRACE,
+				"do_bind: v%d simple bind(%s) disallowed\n",
+		   		version, ndn, 0 );
+			goto cleanup;
+		}
+
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+	} else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) {
+		if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
+			/* disallow simple authentication */
+			rc = LDAP_UNWILLING_TO_PERFORM;
+			text = "unwilling to perform Kerberos V4 bind";
+
+			send_ldap_result( conn, op, rc,
+				NULL, text, NULL, NULL );
+			Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n",
+				version, 0, 0 );
+			goto cleanup;
+		}
+#endif
+
+	} else {
+		rc = LDAP_AUTH_UNKNOWN;
+		text = "unknown authentication method";
+
+		send_ldap_result( conn, op, rc,
+			NULL, text, NULL, NULL );
+		Debug( LDAP_DEBUG_TRACE,
+			"do_bind: v%d unknown authentication method (%d)\n",
+			version, method, 0 );
+		goto cleanup;
 	}
 
 	/*

servers/slapd/config.c

@@ -576,6 +576,12 @@ read_config( const char *fname )
 				} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_BIND_ANON_DN;
 
+				} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
+					disallows |= SLAP_DISALLOW_BIND_SIMPLE;
+
+				} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
+					disallows |= SLAP_DISALLOW_BIND_KRBV4;
+
 				} else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_TLS_AUTHC;
 

servers/slapd/slap.h

@@ -864,7 +864,7 @@ struct slap_backend_db {
 								0x0008U /* dn should be empty */
 
 #define SLAP_DISALLOW_BIND_SIMPLE	0x0010U	/* simple authentication */
-#define SLAP_DISALLOW_BIND_KERBEROS	0x0020U /* Kerberos authentication */
+#define SLAP_DISALLOW_BIND_KRBV4	0x0020U /* Kerberos V4 authentication */
 
 #define SLAP_DISALLOW_TLS_AUTHC	0x0100U	/* TLS while authenticated */