Add more bind allow/disallow flags
This commit is contained in:
parent
83af225383
commit
3342ea3b49
@ -73,7 +73,8 @@ by <who>).
|
||||
See the "OpenLDAP's Administrator's Guide" for details.
|
||||
.TP
|
||||
.B allow <features>
|
||||
Specify a set of features (separated by white space) to allow.
|
||||
Specify a set of features (separated by white space) to
|
||||
allow (default none).
|
||||
.B tls_2_anon
|
||||
allows Start TLS to force session to anonymous status (see also
|
||||
.B disallow
|
||||
@ -133,16 +134,21 @@ directives be used instead.
|
||||
.RE
|
||||
.TP
|
||||
.B disallow <features>
|
||||
Specify a set of features (separated by white space) to disallow.
|
||||
Specify a set of features (separated by white space) to
|
||||
disallow (default none).
|
||||
.B bind_v2
|
||||
disables acceptance of LDAPv2 bind requests.
|
||||
.B bind_anon
|
||||
disables acceptance of anonymous bind requests.
|
||||
.B bind_anon_cred
|
||||
disables anonymous bind creditials are not empty (e.g. when
|
||||
DN is empty).
|
||||
disables anonymous bind creditials are not empty (e.g.
|
||||
when DN is empty).
|
||||
.B bind_anon_dn
|
||||
disables anonymous bind when DN is not empty.
|
||||
.B bind_simple
|
||||
disables simple (bind) authentication.
|
||||
.B bind_krbv4
|
||||
disables Kerberos V4 (bind) authentication.
|
||||
.B tls_authc
|
||||
disables StartTLS if authenticated (see also
|
||||
.B allow
|
||||
@ -253,7 +259,8 @@ cannot find a local database to handle a request.
|
||||
If specified multiple times, each url is provided.
|
||||
.TP
|
||||
.B require <conditions>
|
||||
Specify a set of conditions (separated by white space) to require.
|
||||
Specify a set of conditions (separated by white space) to
|
||||
require (default none).
|
||||
The directive may be specified globally and/or per-database.
|
||||
.B bind
|
||||
requires bind operation prior to directory operations.
|
||||
@ -489,7 +496,9 @@ for more information.
|
||||
Specify the distinguished name that is not subject to access control
|
||||
or administrative limit restrictions for operations on this database.
|
||||
This DN may or may not be associated with an entry. An empty root
|
||||
DN, the default, specifies no root access is to be granted.
|
||||
DN (the default) specifies no root access is to be granted. It is
|
||||
recommended that the rootdn only be specified when needed (such as
|
||||
when initially populating a database).
|
||||
.TP
|
||||
.B rootpw <password>
|
||||
Specify a password (or hash of the password) for the rootdn.
|
||||
@ -499,8 +508,8 @@ the server (see
|
||||
desription) as well as cleartext.
|
||||
.BR slappasswd (8)
|
||||
may be used to generate a hash of a password. Cleartext
|
||||
and \fB{CRYPT}\fP passwords are not recommended. The default
|
||||
is empty imply authentication of the root DN is by other means
|
||||
and \fB{CRYPT}\fP passwords are not recommended. If empty
|
||||
(the default), authentication of the root DN is by other means
|
||||
(e.g. SASL). Use of SASL is encouraged.
|
||||
.TP
|
||||
.B suffix <dn suffix>
|
||||
|
@ -264,38 +264,78 @@ do_bind(
|
||||
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
|
||||
}
|
||||
|
||||
/* accept "anonymous" binds */
|
||||
if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
|
||||
rc = LDAP_SUCCESS;
|
||||
text = NULL;
|
||||
if ( method == LDAP_AUTH_SIMPLE ) {
|
||||
/* accept "anonymous" binds */
|
||||
if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
|
||||
rc = LDAP_SUCCESS;
|
||||
text = NULL;
|
||||
|
||||
if( cred.bv_len &&
|
||||
( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
|
||||
{
|
||||
/* cred is not empty, disallow */
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
if( cred.bv_len &&
|
||||
( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
|
||||
{
|
||||
/* cred is not empty, disallow */
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
|
||||
} else if ( ndn != NULL && *ndn != '\0' &&
|
||||
( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
|
||||
{
|
||||
/* DN is not empty, disallow */
|
||||
} else if ( ndn != NULL && *ndn != '\0' &&
|
||||
( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
|
||||
{
|
||||
/* DN is not empty, disallow */
|
||||
rc = LDAP_UNWILLING_TO_PERFORM;
|
||||
text = "unwilling to allow anonymous bind with non-empty DN";
|
||||
|
||||
} else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
|
||||
/* disallow */
|
||||
rc = LDAP_INAPPROPRIATE_AUTH;
|
||||
text = "anonymous bind disallowed";
|
||||
}
|
||||
|
||||
/*
|
||||
* we already forced connection to "anonymous",
|
||||
* just need to send success
|
||||
*/
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
|
||||
version, 0, 0 );
|
||||
goto cleanup;
|
||||
|
||||
} else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) {
|
||||
/* disallow simple authentication */
|
||||
rc = LDAP_UNWILLING_TO_PERFORM;
|
||||
text = "unwilling to allow anonymous bind with non-empty DN";
|
||||
text = "unwilling to perform simple authentication";
|
||||
|
||||
} else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
|
||||
/* disallow */
|
||||
rc = LDAP_UNWILLING_TO_PERFORM;
|
||||
text = "anonymous bind disallowed";
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"do_bind: v%d simple bind(%s) disallowed\n",
|
||||
version, ndn, 0 );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/*
|
||||
* we already forced connection to "anonymous",
|
||||
* just need to send success
|
||||
*/
|
||||
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
|
||||
} else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) {
|
||||
if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
|
||||
/* disallow simple authentication */
|
||||
rc = LDAP_UNWILLING_TO_PERFORM;
|
||||
text = "unwilling to perform Kerberos V4 bind";
|
||||
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n",
|
||||
version, 0, 0 );
|
||||
goto cleanup;
|
||||
}
|
||||
#endif
|
||||
|
||||
} else {
|
||||
rc = LDAP_AUTH_UNKNOWN;
|
||||
text = "unknown authentication method";
|
||||
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
|
||||
version, 0, 0 );
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"do_bind: v%d unknown authentication method (%d)\n",
|
||||
version, method, 0 );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
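Review bot: The comment `/* disallow simple authentication */` in the new Kerberos V4 branch is a copy-paste leftover and should read `/* disallow Kerberos V4 authentication */`; its trace line `"do_bind: v%d Kerberos V4 bind\n"` also does not say the bind was refused, unlike the simple-bind branch's `"do_bind: v%d simple bind(%s) disallowed\n"`. The older comment `we already forced connection to "anonymous", just need to send success` above the anonymous-branch send_ldap_result is now misleading, since rc may be LDAP_INVALID_CREDENTIALS, LDAP_UNWILLING_TO_PERFORM or LDAP_INAPPROPRIATE_AUTH after the new disallow checks; suggest `/* connection is already anonymous; report success or the disallow reason chosen above */`. That branch's trace message is likewise identical whether the anonymous bind was accepted or refused, so an operator cannot see from TRACE output that the disallow flags took effect — `Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind rc=%d\n", version, rc, 0 );` would make that visible. do_bind begins and ends outside this hunk.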
|
@ -576,6 +576,12 @@ read_config( const char *fname )
|
||||
} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_BIND_ANON_DN;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_BIND_SIMPLE;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_BIND_KRBV4;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_TLS_AUTHC;
|
||||
|
||||
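Review bot: The new `bind_krbv4` keyword is accepted unconditionally here, while the do_bind check that consumes SLAP_DISALLOW_BIND_KRBV4 in this same commit is compiled only under LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND, so in a build without that feature the directive is parsed but never consulted. That appears harmless, because such a build seems to route Kerberos V4 binds to the "unknown authentication method" branch and refuse them anyway, but a comment would spare the next reader that trace: `/* accepted even without KBIND support; those builds refuse krbv4 binds outright */`. read_config continues outside the hunk.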
|
@ -864,7 +864,7 @@ struct slap_backend_db {
|
||||
0x0008U /* dn should be empty */
|
||||
|
||||
#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */
|
||||
#define SLAP_DISALLOW_BIND_KERBEROS 0x0020U /* Kerberos authentication */
|
||||
#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */
|
||||
|
||||
#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */
|
||||
|
||||
|