Rework unprotected simple bind checks

doc/guide/admin/security.sdf

@@ -146,10 +146,9 @@ is protected by other means (e.g., TLS, {{TERM:IPSEC}}).  Where the
 administrator relies on TLS to protect the password, it is recommended
 that unprotected authentication be disabled.  This is done by setting
 "{{EX:disallow bind_simple_unprotected}}" in {{slapd.conf}}(5).
-The level of confidential protection to require can be adjusted
-using the {{overall}} security strength factor using the {EX:security}}
-directive.  If this factor is not set (or set to integrity only),
-any confidentiality protection is sufficient.
+The {{EX:security}} directive's {{EX:simple_bind}} option provides
+fine grain control over the level of confidential protection to
+require for {{simple}} user/password authentication.
 
 The user/password authenticated bind mechanism can be completely
 disabled by setting "{{EX:disallow bind_simple}}".

doc/man/man5/slapd.conf.5

@@ -180,13 +180,12 @@ disables acceptance of anonymous bind requests.
 disables simple (bind) authentication.
 .B bind_simple_unprotected
 disables simple (bind) authentication when confidentiality
-protection (e.g. TLS) is not in place.  The level of confidential
-protection to require can be adjusted using the
-.I overall security strength factor
-using the
+protection (e.g. TLS) is not in place.  The
 .B security
-directive.  If this factor is not set (or set to integrity only),
-any confidentiality protection is sufficient.
+directive's
+.B simple_bind
+option provides fine grain control over the confidentiality
+protection required for simple bind.
 .B bind_krbv4
 disables Kerberos V4 (bind) authentication.
 .B tls_2_anon
@@ -701,6 +700,10 @@ directory updates.
 .B update_sasl=<n>
 specifies the SASL security strength factor to require for
 directory updates.
+.B simple_bind=<n>
+specifies the security strength factor required for
+.I simple
+username/password authentication.
 Note that the
 .B transport
 factor is measure of security provided by the underlying transport,

servers/slapd/backend.c

@@ -866,6 +866,15 @@ backend_check_restrictions(
 			return LDAP_CONFIDENTIALITY_REQUIRED;
 		}
 
+
+		if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) {
+			/* simple bind specific check */
+			if( op->o_ssf < ssf->sss_simple_bind ) {
+				*text = "confidentiality required";
+				return LDAP_CONFIDENTIALITY_REQUIRED;
+			}
+		}
+
 		if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
 			/* these checks don't apply to SASL bind */
 

servers/slapd/bind.c

@@ -419,7 +419,7 @@ do_bind(
 			goto cleanup;
 
 		} else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
-			&& ( op->o_ssf <= 1 || op->o_ssf < global_ssf_set.sss_ssf ))
+			&& ( op->o_ssf <= 1 ))
 		{
 			rc = LDAP_CONFIDENTIALITY_REQUIRED;
 			text = "unwilling to perform simple authentication "

servers/slapd/config.c

@@ -1317,9 +1317,6 @@ read_config( const char *fname, int depth )
 				} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_BIND_SIMPLE;
 
-				} else if( strcasecmp( cargv[i], "bind_simple_unprotected" ) == 0 ) {
-					disallows |= SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED;
-
 				} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_BIND_KRBV4;
 
@@ -1480,6 +1477,12 @@ read_config( const char *fname, int depth )
 					set->sss_update_sasl =
 						atoi( &cargv[i][sizeof("update_sasl")] );
 
+				} else if( strncasecmp( cargv[i], "simple_bind=",
+					sizeof("simple_bind") ) == 0 )
+				{
+					set->sss_simple_bind =
+						atoi( &cargv[i][sizeof("simple_bind")] );
+
 				} else {
 #ifdef NEW_LOGGING
 					LDAP_LOG( CONFIG, CRIT, 

servers/slapd/slap.h

@@ -164,6 +164,7 @@ typedef struct slap_ssf_set {
 	slap_ssf_t sss_update_transport;
 	slap_ssf_t sss_update_tls;
 	slap_ssf_t sss_update_sasl;
+	slap_ssf_t sss_simple_bind;
 } slap_ssf_set_t;
 
 /*