Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8277/ldap/servers/slapd
Modified Files:
bind.c libglobs.c proto-slap.h slap.h
Log Message:
Resolves: 316241
Summary: Add config setting to disable unauthenticated binds.
Index: bind.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/bind.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- bind.c 24 Oct 2008 22:36:58 -0000 1.17
+++ bind.c 7 Nov 2008 22:32:57 -0000 1.18
@@ -259,9 +259,6 @@
PR_Lock( pb->pb_conn->c_mutex );
- /* According to RFC2251,
- * "if the bind fails, the connection will be treated as anonymous".
- */
bind_credentials_clear( pb->pb_conn, PR_FALSE, /* do not lock conn */
PR_FALSE /* do not clear external creds. */ );
@@ -442,6 +439,21 @@
plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
}
goto free_and_return;
+ } else if ( cred.bv_len == 0 ) {
+ /* Increment unauthenticated bind counter */
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
+
+ /* Refuse the operation if unauthenticated binds are disabled. */
+ if (!config_get_unauth_binds_switch()) {
+ /* As stated in RFC 4513, a server SHOULD by default fail
+ * Unauthenticated Bind requests with a resultCode of
+ * unwillingToPerform. */
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ "Unauthenticated binds are not allowed", 0,
NULL);
+ /* increment BindSecurityErrorcount */
+
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+ goto free_and_return;
+ }
}
break;
default:
@@ -453,26 +465,22 @@
*/
if ( isroot && method == LDAP_AUTH_SIMPLE ) {
- if ( cred.bv_len == 0 ) {
- /* unauthenticated bind */
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
-
- } else {
+ if (cred.bv_len != 0) {
/* a passwd was supplied -- check it */
Slapi_Value cv;
slapi_value_init_berval(&cv,&cred);
+ /* right dn and passwd - authorize */
if ( is_root_dn_pw( slapi_sdn_get_ndn(&sdn), &cv )) {
- /* right dn and passwd - authorize */
bind_credentials_set( pb->pb_conn, SLAPD_AUTH_SIMPLE,
slapi_ch_strdup( slapi_sdn_get_ndn(&sdn) ),
NULL, NULL, NULL , NULL);
- /* right dn, wrong passwd - reject with invalid creds */
+ /* right dn, wrong passwd - reject with invalid creds */
} else {
send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL,
NULL, 0, NULL );
- /* increment BindSecurityErrorcount */
+ /* increment BindSecurityErrorcount */
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
value_done(&cv);
goto free_and_return;
Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- libglobs.c 24 Oct 2008 22:36:58 -0000 1.28
+++ libglobs.c 7 Nov 2008 22:32:57 -0000 1.29
@@ -491,7 +491,7 @@
{CONFIG_SLAPI_COUNTER_ATTRIBUTE, config_set_slapi_counters,
NULL, 0,
(void**)&global_slapdFrontendConfig.slapi_counters, CONFIG_ON_OFF,
- config_get_slapi_counters},
+ (ConfigGetFunc)config_get_slapi_counters},
{CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,
log_set_mindiskspace, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_minfreespace, CONFIG_INT, NULL},
@@ -590,7 +590,11 @@
config_set_outbound_ldap_io_timeout,
NULL, 0,
(void **)&global_slapdFrontendConfig.outbound_ldap_io_timeout,
- CONFIG_INT, NULL}
+ CONFIG_INT, NULL},
+ {CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.allow_unauth_binds, CONFIG_ON_OFF,
+ (ConfigGetFunc)config_get_unauth_binds_switch}
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
@@ -840,6 +844,7 @@
#if defined(ENABLE_AUTO_DN_SUFFIX)
cfg->ldapi_auto_dn_suffix =
slapi_ch_strdup("cn=peercred,cn=external,cn=auth");
#endif
+ cfg->allow_unauth_binds = LDAP_OFF;
cfg->slapi_counters = LDAP_ON;
cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -4427,6 +4432,20 @@
return retVal;
}
+
+int
+config_get_unauth_binds_switch(void)
+{
+ int retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->allow_unauth_binds;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+
int
config_is_slapd_lite ()
{
@@ -5124,6 +5143,23 @@
}
+int
+config_set_unauth_binds_switch( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff(attrname,
+ value,
+ &(slapdFrontendConfig->allow_unauth_binds),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
+
/*
* This function is intended to be used from the dse code modify callback. It
* is "optimized" for that case because it takes a berval** of values, which
is
Index: proto-slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- proto-slap.h 4 Nov 2008 18:23:08 -0000 1.41
+++ proto-slap.h 7 Nov 2008 22:32:57 -0000 1.42
@@ -338,6 +338,7 @@
int config_set_rewrite_rfc1274( const char *attrname, char *value, char *errorbuf, int
apply );
int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
char *errorbuf, int apply );
+int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int
apply );
int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int
apply);
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
@@ -461,6 +462,7 @@
int config_get_hash_filters();
int config_get_rewrite_rfc1274();
int config_get_outbound_ldap_io_timeout(void);
+int config_get_unauth_binds_switch(void);
int config_get_csnlogging();
#ifdef MEMPOOL_EXPERIMENTAL
int config_get_mempool_switch();
Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- slap.h 24 Oct 2008 22:36:58 -0000 1.38
+++ slap.h 7 Nov 2008 22:32:57 -0000 1.39
@@ -1693,6 +1693,7 @@
#define CONFIG_USEROC_ATTRIBUTE "nsslapd-useroc"
#define CONFIG_USERAT_ATTRIBUTE "nsslapd-userat"
#define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
+#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
#ifndef _WIN32
#define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
#endif /* !_WIN32 */
@@ -1981,6 +1982,7 @@
char *ldapi_search_base_dn; /* base dn to search for mapped entries */
char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
int slapi_counters; /* switch to turn slapi_counters on/off */
+ int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */
#endif /* _WIN32 */