Commit 023d0e2a authored by Kurt Zeilenga's avatar Kurt Zeilenga

Rework unprotected simple bind checks

parent 06f69e60
......@@ -146,10 +146,9 @@ is protected by other means (e.g., TLS, {{TERM:IPSEC}}). Where the
administrator relies on TLS to protect the password, it is recommended
that unprotected authentication be disabled. This is done by setting
"{{EX:disallow bind_simple_unprotected}}" in {{slapd.conf}}(5).
The level of confidential protection to require can be adjusted
using the {{overall}} security strength factor using the {EX:security}}
directive. If this factor is not set (or set to integrity only),
any confidentiality protection is sufficient.
The {{EX:security}} directive's {{EX:simple_bind}} option provides
fine grain control over the level of confidential protection to
require for {{simple}} user/password authentication.
The user/password authenticated bind mechanism can be completely
disabled by setting "{{EX:disallow bind_simple}}".
......
......@@ -180,13 +180,12 @@ disables acceptance of anonymous bind requests.
disables simple (bind) authentication.
.B bind_simple_unprotected
disables simple (bind) authentication when confidentiality
protection (e.g. TLS) is not in place. The level of confidential
protection to require can be adjusted using the
.I overall security strength factor
using the
protection (e.g. TLS) is not in place. The
.B security
directive. If this factor is not set (or set to integrity only),
any confidentiality protection is sufficient.
directive's
.B simple_bind
option provides fine grain control over the confidentiality
protection required for simple bind.
.B bind_krbv4
disables Kerberos V4 (bind) authentication.
.B tls_2_anon
......@@ -701,6 +700,10 @@ directory updates.
.B update_sasl=<n>
specifies the SASL security strength factor to require for
directory updates.
.B simple_bind=<n>
specifies the security strength factor required for
.I simple
username/password authentication.
Note that the
.B transport
factor is measure of security provided by the underlying transport,
......
......@@ -866,6 +866,15 @@ backend_check_restrictions(
return LDAP_CONFIDENTIALITY_REQUIRED;
}
if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) {
/* simple bind specific check */
if( op->o_ssf < ssf->sss_simple_bind ) {
*text = "confidentiality required";
return LDAP_CONFIDENTIALITY_REQUIRED;
}
}
if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
/* these checks don't apply to SASL bind */
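Review bot: The new branch at L55 identifies a simple bind only through `opdata == NULL`, which a reader can infer solely from the "don't apply to SASL bind" comment on the following check; the comment on L56 should state that contract, e.g. `/* simple bind (opdata == NULL): enforce the security simple_bind=<n> factor; a SASL bind arrives with opdata set */`. The rejection text on L58 is the generic "confidentiality required", so an operator reading the client error or the log cannot tell this policy apart from the overall-SSF rejection just above it; `*text = "confidentiality required for simple bind";` makes the triggering directive identifiable. It is presumably intended that an unset sss_simple_bind (zero) never trips `op->o_ssf < ssf->sss_simple_bind`; if so, a one-line comment saying the factor is opt-in would spare the next reader the same check. backend_check_restrictions starts before this hunk, so where `ssf` is selected is not visible here.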
......
......@@ -419,7 +419,7 @@ do_bind(
goto cleanup;
} else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
&& ( op->o_ssf <= 1 || op->o_ssf < global_ssf_set.sss_ssf ))
&& ( op->o_ssf <= 1 ))
{
rc = LDAP_CONFIDENTIALITY_REQUIRED;
text = "unwilling to perform simple authentication "
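Review bot: The surviving condition `op->o_ssf <= 1` on L69 is now the whole definition of "unprotected", but the threshold is a bare literal; since an SSF of 1 conventionally means integrity-only protection, a comment such as `/* o_ssf <= 1: no protection or integrity only, i.e. no confidentiality */` should accompany it. With the `global_ssf_set.sss_ssf` comparison removed on L68, this test no longer honours the overall `security ssf=` factor for simple binds; if that is now meant to be covered by the new `simple_bind=<n>` check in backend_check_restrictions, a pointer to it here, `/* finer control: security simple_bind=<n>, enforced in backend_check_restrictions() */`, would keep the two checks from drifting apart. do_bind starts before this hunk and the message on L72 continues past it.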
......
......@@ -1317,9 +1317,6 @@ read_config( const char *fname, int depth )
} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_SIMPLE;
} else if( strcasecmp( cargv[i], "bind_simple_unprotected" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED;
} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_KRBV4;
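Review bot: The hunk header says three old lines were dropped and none added, and the rendering has lost the change markers, so this is hedged: if the `bind_simple_unprotected` branch on L77-L78 is what goes, the keyword can no longer be set from slapd.conf, yet the slapd.conf(5) and admin-guide hunks of this same commit still document `disallow bind_simple_unprotected` and do_bind still tests `SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED`. That would leave an advertised protection that administrators cannot actually enable and a dead branch in do_bind. Either keep the two parser lines, or retire the keyword from the man page, the guide and do_bind in the same change so configuration, documentation and enforcement agree. read_config starts well before this hunk.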
......@@ -1480,6 +1477,12 @@ read_config( const char *fname, int depth )
set->sss_update_sasl =
atoi( &cargv[i][sizeof("update_sasl")] );
} else if( strncasecmp( cargv[i], "simple_bind=",
sizeof("simple_bind") ) == 0 )
{
set->sss_simple_bind =
atoi( &cargv[i][sizeof("simple_bind")] );
} else {
#ifdef NEW_LOGGING
LDAP_LOG( CONFIG, CRIT,
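Review bot: The new `simple_bind=` parsing on L87-L88 converts the value with `atoi`, which reports nothing for an empty or non-numeric value and yields 0, and 0 is exactly the "no requirement" setting for this factor; a mistyped `security simple_bind=l28` would therefore silently disable the protection the administrator meant to turn on. The existing factors on the preceding lines (e.g. `update_sasl`) share the pattern, but a security directive should fail closed at load time, so parse with `strtol` and reject anything that is not a complete non-negative number, reporting it the way the unknown-factor `else` branch below does. The cast to `slap_ssf_t` assumes that type can hold the parsed range; confirm against its definition in slap.h.

```c
} else if( strncasecmp( cargv[i], "simple_bind=",
    sizeof("simple_bind") ) == 0 )
{
    char *end = NULL;
    const char *val = &cargv[i][sizeof("simple_bind")];
    long ssf = strtol( val, &end, 10 );

    /* reject empty, non-numeric or negative values instead of
     * letting atoi() turn them into 0 (= no requirement) */
    if( end == val || *end != '\0' || ssf < 0 ) {
        /* … report as the unknown-factor else branch below does, then fail the config load … */
    }
    set->sss_simple_bind = (slap_ssf_t) ssf;
```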
......
......@@ -164,6 +164,7 @@ typedef struct slap_ssf_set {
slap_ssf_t sss_update_transport;
slap_ssf_t sss_update_tls;
slap_ssf_t sss_update_sasl;
slap_ssf_t sss_simple_bind;
} slap_ssf_set_t;
/*
......