From 9715e7f008ed51912265486048b0183591e69c18 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Mon, 28 Aug 2000 18:58:13 +0000
Subject: [PATCH] Add disallow and requires to man page.  Fix sasl ssf handling
 bug.

---
 doc/man/man5/slapd.conf.5 | 34 ++++++++++++++++++++++++++++++++++
 servers/slapd/backend.c   |  2 +-
 servers/slapd/bind.c      |  4 ++++
 3 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index a78833769f..cef9f2c2d2 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -125,6 +125,18 @@ recommended that
 directives be used instead.
 .RE
 .TP
+.B disallow <features>
+Specify a set of features (separated by white space) to disallow.
+.B bind_v2
+disables acceptance of LDAPv2 bind requests.
+.B bind_anon
+disables acceptance of anonymous bind requests.
+.B bind_anon_cred
+disables anonymous bind creditials are not empty (e.g. when
+DN is empty).
+.B bind_anon_dn
+disables anonymous bind when DN is not empty.
+.TP
 .B idletimeout <integer>
 Specify the number of seconds to wait before forcibly closing
 an idle client connections.  A idletimeout of 0 disables this
@@ -229,6 +241,28 @@ Specify the referral to pass back when
 cannot find a local database to handle a request.
 If specified multiple times, each url is provided.
 .TP
+.B require <conditions>
+Specify a set of conditions (separated by white space) to require.
+The directive may be specified globally and/or per-database.
+.B bind
+requires bind operation prior to directory operations.
+.B LDAPv3
+requires session to be using LDAP version 3.
+.B authc
+requires authentication prior to directory operations.
+.B SASL
+requires SASL authentication prior to directory operations.
+.B strong
+requires strong authentication prior to directory operations.
+Currently
+.B SASL
+and
+.B strong
+conditions are currently same.
+.B none
+may be used to require no conditions (useful for clearly globally
+set conditions within a particular database).
+.TP
 .B sasl-realm <string>
 Used to specify Cyrus SASL realm.
 .TP
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index ca38d9f330..3cc017ca2f 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -733,7 +733,7 @@ backend_check_restrictions(
 			if( op->o_authmech == NULL ||
 				op->o_dn == NULL || *op->o_dn == '\0' )
 			{
-				*text = "SASL authentication required";
+				*text = "strong authentication required";
 				return LDAP_STRONG_AUTH_REQUIRED;
 			}
 		}
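Review bot: The test guarding this error passes for any operation where `op->o_authmech` is non-NULL and `op->o_dn` is non-empty, so nothing visible here looks at which mechanism was used or what strength it negotiated, yet the new text tells the client that "strong" authentication is what is missing. That matches the man page's statement that SASL and strong are currently the same, but the code should say so too, so that nobody later treats this branch as a real strength check. I would add a comment above the condition, for example `/* "strong" currently means any completed SASL bind with a non-empty DN; mechanism strength and SSF are not checked here */`. The enclosing branch of backend_check_restrictions starts outside the hunk, so which require condition it handles is inferred from the message only.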
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 446104f6ed..1e2fdbc36b 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -251,6 +251,10 @@ do_bind(
 			conn->c_dn = edn;
 			conn->c_authmech = mech;
 			if( ssf ) conn->c_sasl_layers++;
+			conn->c_sasl_ssf = ssf;
+			if( ssf > conn->c_ssf ) {
+				conn->c_ssf = ssf;
+			}
 			ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
 		} else if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {
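Review bot: The added `if( ssf > conn->c_ssf )` only ever raises `conn->c_ssf`, so a later SASL bind on the same connection that negotiates a lower ssf leaves `c_ssf` at the earlier, higher value while `c_sasl_ssf` is overwritten with the new one. Unless `c_ssf` is reset when a bind begins (the start of do_bind is outside this hunk), any policy check that reads `c_ssf` could overstate the protection actually in effect after a re-bind. If a reset exists, record the dependency next to the new lines with a comment such as `/* c_ssf keeps the strongest factor; relies on being reset when a new bind starts */`. Otherwise `c_ssf` should be recomputed from the transport strength and the new `c_sasl_ssf` rather than ratcheted.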
-- 
GitLab