Add more bind allow/disallow flags

This commit is contained in:
Kurt Zeilenga 2000-09-11 18:24:24 +00:00
parent 83af225383
commit 3342ea3b49
4 changed files with 88 additions and 33 deletions


@ -73,7 +73,8 @@ by <who>).
See the "OpenLDAP's Administrator's Guide" for details.
.TP
.B allow <features>
Specify a set of features (separated by white space) to allow.
Specify a set of features (separated by white space) to
allow (default none).
.B tls_2_anon
allows Start TLS to force session to anonymous status (see also
.B disallow
@ -133,16 +134,21 @@ directives be used instead.
.RE
.TP
.B disallow <features>
Specify a set of features (separated by white space) to disallow.
Specify a set of features (separated by white space) to
disallow (default none).
.B bind_v2
disables acceptance of LDAPv2 bind requests.
.B bind_anon
disables acceptance of anonymous bind requests.
.B bind_anon_cred
disables anonymous bind creditials are not empty (e.g. when
DN is empty).
disables anonymous bind creditials are not empty (e.g.
when DN is empty).
.B bind_anon_dn
disables anonymous bind when DN is not empty.
.B bind_simple
disables simple (bind) authentication.
.B bind_krbv4
disables Kerberos V4 (bind) authentication.
.B tls_authc
disables StartTLS if authenticated (see also
.B allow
@ -253,7 +259,8 @@ cannot find a local database to handle a request.
If specified multiple times, each url is provided.
.TP
.B require <conditions>
Specify a set of conditions (separated by white space) to require.
Specify a set of conditions (separated by white space) to
require (default none).
The directive may be specified globally and/or per-database.
.B bind
requires bind operation prior to directory operations.
@ -489,7 +496,9 @@ for more information.
Specify the distinguished name that is not subject to access control
or administrative limit restrictions for operations on this database.
This DN may or may not be associated with an entry. An empty root
DN, the default, specifies no root access is to be granted.
DN (the default) specifies no root access is to be granted. It is
recommended that the rootdn only be specified when needed (such as
when initially populating a database).
.TP
.B rootpw <password>
Specify a password (or hash of the password) for the rootdn.
@ -499,8 +508,8 @@ the server (see
desription) as well as cleartext.
.BR slappasswd (8)
may be used to generate a hash of a password. Cleartext
and \fB{CRYPT}\fP passwords are not recommended. The default
is empty imply authentication of the root DN is by other means
and \fB{CRYPT}\fP passwords are not recommended. If empty
(the default), authentication of the root DN is by other means
(e.g. SASL). Use of SASL is encouraged.
.TP
.B suffix <dn suffix>


@ -264,38 +264,78 @@ do_bind(
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
}
/* accept "anonymous" binds */
if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
rc = LDAP_SUCCESS;
text = NULL;
if ( method == LDAP_AUTH_SIMPLE ) {
/* accept "anonymous" binds */
if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
rc = LDAP_SUCCESS;
text = NULL;
if( cred.bv_len &&
( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
{
/* cred is not empty, disallow */
rc = LDAP_INVALID_CREDENTIALS;
if( cred.bv_len &&
( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
{
/* cred is not empty, disallow */
rc = LDAP_INVALID_CREDENTIALS;
} else if ( ndn != NULL && *ndn != '\0' &&
( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
{
/* DN is not empty, disallow */
} else if ( ndn != NULL && *ndn != '\0' &&
( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
{
/* DN is not empty, disallow */
rc = LDAP_UNWILLING_TO_PERFORM;
text = "unwilling to allow anonymous bind with non-empty DN";
} else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
/* disallow */
rc = LDAP_INAPPROPRIATE_AUTH;
text = "anonymous bind disallowed";
}
/*
* we already forced connection to "anonymous",
* just need to send success
*/
send_ldap_result( conn, op, rc,
NULL, text, NULL, NULL );
Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
version, 0, 0 );
goto cleanup;
} else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) {
/* disallow simple authentication */
rc = LDAP_UNWILLING_TO_PERFORM;
text = "unwilling to allow anonymous bind with non-empty DN";
text = "unwilling to perform simple authentication";
} else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
/* disallow */
rc = LDAP_UNWILLING_TO_PERFORM;
text = "anonymous bind disallowed";
send_ldap_result( conn, op, rc,
NULL, text, NULL, NULL );
Debug( LDAP_DEBUG_TRACE,
"do_bind: v%d simple bind(%s) disallowed\n",
version, ndn, 0 );
goto cleanup;
}
/*
* we already forced connection to "anonymous",
* just need to send success
*/
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
} else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) {
if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
/* disallow simple authentication */
rc = LDAP_UNWILLING_TO_PERFORM;
text = "unwilling to perform Kerberos V4 bind";
send_ldap_result( conn, op, rc,
NULL, text, NULL, NULL );
Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n",
version, 0, 0 );
goto cleanup;
}
#endif
} else {
rc = LDAP_AUTH_UNKNOWN;
text = "unknown authentication method";
send_ldap_result( conn, op, rc,
NULL, text, NULL, NULL );
Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
version, 0, 0 );
Debug( LDAP_DEBUG_TRACE,
"do_bind: v%d unknown authentication method (%d)\n",
version, method, 0 );
goto cleanup;
}
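Review bot: The comment on the new Kerberos V4 rejection path reads `/* disallow simple authentication */`, copied from the simple-bind branch above it; it should read `/* disallow Kerberos V4 authentication */`, and the matching trace line `"do_bind: v%d Kerberos V4 bind\n"` should become `"do_bind: v%d Kerberos V4 bind disallowed\n"` so the log distinguishes a refused bind from an attempted one, as the simple-bind trace already does. The simple and Kerberos V4 refusals both answer LDAP_UNWILLING_TO_PERFORM, whereas LDAP_AUTH_METHOD_NOT_SUPPORTED (or LDAP_STRONG_AUTH_REQUIRED, when the policy is to force a stronger mechanism) is the result code clients expect for an administratively refused method and lets them fall back cleanly instead of treating it as a generic server refusal. Note also that `disallow bind_anon` is only evaluated inside the `method == LDAP_AUTH_SIMPLE` branch, so by itself it does not gate anonymous SASL binds; if those are handled above this hunk, a one-line comment saying so would stop operators from reading the flag as global. do_bind begins before and ends after this hunk.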


@ -576,6 +576,12 @@ read_config( const char *fname )
} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_ANON_DN;
} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_SIMPLE;
} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_KRBV4;
} else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
disallows |= SLAP_DISALLOW_TLS_AUTHC;


@ -864,7 +864,7 @@ struct slap_backend_db {
0x0008U /* dn should be empty */
#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */
#define SLAP_DISALLOW_BIND_KERBEROS 0x0020U /* Kerberos authentication */
#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */
#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */