[389-devel] Please Review: Allow anonymous access to be disabled


 




>From b9ca6bf47c6f02134462562d61afa25c681e84a8 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Thu, 24 Sep 2009 12:02:29 -0700
Subject: [PATCH] Allow anonymous access to be disabled.

This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access.  When this is enabled,
the connection dispatch code will only allow BIND operations through
for an unauthenticated user.  The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.

I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.
---
 ldap/admin/src/scripts/DSMigration.pm.in |    1 +
 ldap/ldif/template-dse.ldif.in           |    1 +
 ldap/servers/slapd/bind.c                |   20 +++++++++++++++-
 ldap/servers/slapd/connection.c          |   15 +++++++++++-
 ldap/servers/slapd/libglobs.c            |   37 ++++++++++++++++++++++++++++-
 ldap/servers/slapd/proto-slap.h          |    2 +
 ldap/servers/slapd/slap.h                |    2 +
 selinux/dirsrv.te                        |    2 +-
 8 files changed, 75 insertions(+), 5 deletions(-)

diff --git a/ldap/admin/src/scripts/DSMigration.pm.in b/ldap/admin/src/scripts/DSMigration.pm.in
index c0a7614..64e066b 100644
--- a/ldap/admin/src/scripts/DSMigration.pm.in
+++ b/ldap/admin/src/scripts/DSMigration.pm.in
@@ -101,6 +101,7 @@ my %ignoreOld =
  'nsslapd-plugin-depends-on-named' => 'nsslapd-plugin-depends-on-named',
 # these are new attrs that we should just pass through
  'nsslapd-allow-unauthenticated-binds' => 'nsslapd-allow-unauthenticated-binds',
+ 'nsslapd-allow-anonymous-access'  => 'nsslapd-allow-anonymous-access',
  'nsslapd-saslpath'                => 'nsslapd-saslpath',
  'nsslapd-rundir'                  => 'nsslapd-rundir',
  'nsslapd-schemadir'               => 'nsslapd-schemadir',
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 1dfd9d5..a047538 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -31,6 +31,7 @@ nsslapd-return-exact-case: on
 nsslapd-ssl-check-hostname: on
 nsslapd-allow-unauthenticated-binds: off
 nsslapd-require-secure-binds: off
+nsslapd-allow-anonymous-access: on
 nsslapd-port: %ds_port%
 nsslapd-localuser: %ds_user%
 nsslapd-errorlog-logging-enabled: on
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 359252f..bf54d3c 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -424,10 +424,19 @@ do_bind( Slapi_PBlock *pb )
         /* accept null binds */
         if (dn == NULL || *dn == '\0') {
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds);
-            /* by definition its anonymous is also UnAuthenticated so increment 
+            /* by definition anonymous is also unauthenticated so increment 
                that counter */
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
 
+            /* Refuse the operation if anonymous access is disabled. */
+            if (!config_get_anon_access_switch()) {
+                send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                                 "Anonymous access is not allowed", 0, NULL);
+                /* increment BindSecurityErrorcount */
+                slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+                goto free_and_return;
+            }
+
             /* call preop plugins */
             if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
                 if ( auth_response_requested ) {
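Review bot: The refusal added after the anonymous-bind counters jumps to `free_and_return` with LDAP_INAPPROPRIATE_AUTH, and it is not visible in this hunk whether that label resets the connection's bound identity; if an already-authenticated connection issues an empty bind, is refused here, and keeps its previous identity, the connection would not end up anonymous the way I believe RFC 4511 §4.2.1 expects after a failed bind. Please confirm that path clears the identity, or route this rejection through the same failure path the existing unauthenticated-bind refusal uses further down. If it does, a short comment at the `goto` would save the next reader the same question: `/* free_and_return leaves the connection anonymous, as any failed bind must. */`. Also, the message here has no trailing period while connection.c sends `"Anonymous access is not allowed."`; pick one string so clients and log greps see the same text. do_bind continues outside this hunk.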
@@ -444,6 +453,15 @@ do_bind( Slapi_PBlock *pb )
             /* Increment unauthenticated bind counter */
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
 
+            /* Refuse the operation if anonymous access is disabled. */
+            if (!config_get_anon_access_switch()) {
+                send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                                 "Anonymous access is not allowed", 0, NULL);
+                /* increment BindSecurityErrorcount */
+                slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+                goto free_and_return;
+            }
+
             /* Refuse the operation if unauthenticated binds are disabled. */
             if (!config_get_unauth_binds_switch()) {
                 /* As stated in RFC 4513, a server SHOULD by default fail
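Review bot: The refusal block added before the unauthenticated-bind check is a line-for-line copy of the one added in the anonymous-bind branch above (same result code, same message, same counter), which is the kind of duplication that drifts apart the next time the wording or the counter changes. I would factor both into one static helper that returns whether the bind was refused, so each call site becomes `if (refuse_anon_bind_if_disabled(pb)) { goto free_and_return; }`. The ordering is fine as is: with both switches off, a DN-without-password bind is reported as an anonymous-access refusal rather than an unauthenticated-bind refusal, which matches what the resulting authorization state would have been. do_bind continues outside this hunk.
```c
/* Reject a bind that would leave the connection anonymous when
 * nsslapd-allow-anonymous-access is off.  Returns 1 if the bind was
 * refused (result already sent), 0 if processing may continue. */
static int
refuse_anon_bind_if_disabled(Slapi_PBlock *pb)
{
    if (config_get_anon_access_switch()) {
        return 0;
    }
    send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
                     "Anonymous access is not allowed", 0, NULL);
    /* increment BindSecurityErrorcount */
    slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
    return 1;
}
/* … unchanged: do_bind up to the unauthenticated-bind branch … */
            if (refuse_anon_bind_if_disabled(pb)) {
                goto free_and_return;
            }
```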
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 8b1e2e5..4dd81f9 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -480,8 +480,21 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb)
 	/* Copy the Connection DN into the operation struct */
 	op_copy_identity( conn, op );
 
-	/* process the operation */
+	/* If anonymous access is disabled and the connection is
+	 * not authenticated, only allow the BIND operation. */
+	if (!config_get_anon_access_switch() && (op->o_tag != LDAP_REQ_BIND) &&
+            ((op->o_authtype == NULL) || (strcasecmp(op->o_authtype, SLAPD_AUTH_NONE) == 0))) {
+		slapi_log_access( LDAP_DEBUG_STATS,
+			"conn=%" NSPRIu64 " op=%d UNPROCESSED OPERATION\n",
+            		conn->c_connid, op->o_opid );
+
+		send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                                  "Anonymous access is not allowed.",
+                                  0, NULL );
+		return;
+	}
 
+	/* process the operation */
 	switch ( op->o_tag ) {
 	case LDAP_REQ_BIND:
 		operation_set_type(op,SLAPI_OPERATION_BIND);
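Review bot: The new gate lets only LDAP_REQ_BIND through for an unauthenticated connection, which also blocks UNBIND and ABANDON (neither has a response, so `send_ldap_result` on them is a protocol violation and the UNBIND case of the switch below is never reached) and every extended operation, including StartTLS; with nsslapd-require-secure-binds also on, a client on the plain port can then neither start TLS nor bind. I would exempt at least those tags, e.g. `if (!config_get_anon_access_switch() && (op->o_tag != LDAP_REQ_BIND) && (op->o_tag != LDAP_REQ_UNBIND) && (op->o_tag != LDAP_REQ_ABANDON) && (op->o_tag != LDAP_REQ_EXTENDED) && ((op->o_authtype == NULL) || (strcasecmp(op->o_authtype, SLAPD_AUTH_NONE) == 0)))`, and if exempting all extended operations is too broad, limit the exemption to the StartTLS OID inside the extended-op handler. Whether a SASL ANONYMOUS bind leaves `o_authtype` at SLAPD_AUTH_NONE is not visible here; if it does not, that mechanism would bypass this gate and should be disabled alongside the switch. connection_dispatch_operation continues outside this hunk.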
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 3d20353..5eb1afd 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -609,7 +609,11 @@ static struct config_get_and_set {
 	{CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.require_secure_binds, CONFIG_ON_OFF,
-		(ConfigGetFunc)config_get_require_secure_binds}
+		(ConfigGetFunc)config_get_require_secure_binds},
+	{CONFIG_ANON_ACCESS_ATTRIBUTE, config_set_anon_access_switch,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.allow_anon_access, CONFIG_ON_OFF,
+		(ConfigGetFunc)config_get_anon_access_switch}
 #ifdef MEMPOOL_EXPERIMENTAL
 	,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 		NULL, 0,
@@ -861,6 +865,7 @@ FrontendConfig_init () {
 #endif
   cfg->allow_unauth_binds = LDAP_OFF;
   cfg->require_secure_binds = LDAP_OFF;
+  cfg->allow_anon_access = LDAP_ON;
   cfg->slapi_counters = LDAP_ON;
   cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
   cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -4557,7 +4562,19 @@ config_get_require_secure_binds(void)
 	retVal = slapdFrontendConfig->require_secure_binds;
 	CFG_UNLOCK_READ(slapdFrontendConfig);
 
-return retVal;
+	return retVal;
+}
+
+int
+config_get_anon_access_switch(void)
+{
+	int retVal;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	CFG_LOCK_READ(slapdFrontendConfig);
+	retVal = slapdFrontendConfig->allow_anon_access;
+	CFG_UNLOCK_READ(slapdFrontendConfig);
+
+	return retVal;
 }
 
 int
@@ -5336,6 +5353,22 @@ config_set_require_secure_binds( const char *attrname, char *value,
 	return retVal;
 }
 
+int
+config_set_anon_access_switch( const char *attrname, char *value,
+		char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->allow_anon_access),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
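Review bot: The new setter initialises `retVal` to LDAP_SUCCESS and then unconditionally overwrites it with the `config_set_onoff` result, so the initialiser and the local are dead weight; the body reduces to `return config_set_onoff(attrname, value, &(slapdFrontendConfig->allow_anon_access), errorbuf, apply);`. It also lacks a header comment, unlike the neighbouring `config_set_require_secure_binds` block that is documented by its position in the table; I would add `/* Setter for nsslapd-allow-anonymous-access: validates an on|off value and, when apply is set, stores it; errors are reported through errorbuf. */` so the semantics of `apply` are stated where the attribute is defined.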
 
 /*
  * This function is intended to be used from the dse code modify callback.  It
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 4b1bbdf..c408f69 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -344,6 +344,7 @@ int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
 		char *errorbuf, int apply );
 int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_anon_access_switch(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
 
@@ -473,6 +474,7 @@ int config_get_rewrite_rfc1274();
 int config_get_outbound_ldap_io_timeout(void);
 int config_get_unauth_binds_switch(void);
 int config_get_require_secure_binds(void);
+int config_get_anon_access_switch(void);
 int config_get_csnlogging();
 #ifdef MEMPOOL_EXPERIMENTAL
 int config_get_mempool_switch();
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index ceb46b2..ba65781 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1722,6 +1722,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
 #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
+#define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
 #ifndef _WIN32
 #define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
 #endif /* !_WIN32 */
@@ -2016,6 +2017,7 @@ typedef struct _slapdFrontendConfig {
   int slapi_counters;           /* switch to turn slapi_counters on/off */
   int allow_unauth_binds;       /* switch to enable/disable unauthenticated binds */
   int require_secure_binds;	/* switch to require simple binds to use a secure channel */
+  int allow_anon_access;	/* switch to enable/disable anonymous access */
   size_t maxsasliosize;         /* limit incoming SASL IO packet size */
 #ifndef _WIN32
   struct passwd *localuserinfo; /* userinfo of localuser */
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
index b40459b..6dcabe1 100644
--- a/selinux/dirsrv.te
+++ b/selinux/dirsrv.te
@@ -86,7 +86,7 @@ allow dirsrv_t self:fifo_file { read write };
 
 # process stuff
 allow dirsrv_t self:process { getsched setsched signal_perms};
-allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override };
+allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override fowner };
 
 # semaphores
 allow dirsrv_t self:sem all_sem_perms;
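Review bot: The added `fowner` capability is unrelated to the anonymous-access switch and the policy line gives no hint which operation needed it, so the next person auditing dirsrv_t's capabilities cannot tell whether it is still required. Please add a comment naming the operation that produced the AVC denial during testing, e.g. `# fowner: needed for <operation seen in the AVC denial>`, and consider splitting the SELinux change into its own commit so the capability grant can be reviewed and reverted independently of the LDAP change.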
-- 
1.6.2.5

--
389-devel mailing list
389-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel

