if "disallow bind_simple_unprotected", require at least SSF of 2

2026-01-26 16:52:55 -05:00 · 2002-10-08 01:06:49 +00:00 · 2002-10-08 01:06:49 +00:00 · 36fca96695
commit 36fca96695
parent 90e320398a
2 changed files with 7 additions and 6 deletions
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@ -179,13 +179,14 @@ disables acceptance of anonymous bind requests.
 .B bind_simple
 disables simple (bind) authentication.
 .B bind_simple_unprotected
-disables simple (bind) authentication when integrity and/or confidentiality
-protections (e.g. TLS) are not in place.  The level of protection required
-is determined by the
+disables simple (bind) authentication when confidentiality
+protection (e.g. TLS) is not in place.  The level of confidential
+protection to require can be adjusted using the
 .I overall security strength factor
-(as set by the
+using the
 .B security
-directive).
+directive.  If this factor is not set (or set to integrity only),
+any confidentiality protection is sufficient.
 .B bind_krbv4
 disables Kerberos V4 (bind) authentication.
 .B tls_2_anon
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@ -419,7 +419,7 @@ do_bind(
 			goto cleanup;

 		} else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
-			&& ( op->o_ssf < global_ssf_set.sss_ssf ))
+			&& ( op->o_ssf <= 1 || op->o_ssf < global_ssf_set.sss_ssf ))
 		{
 			rc = LDAP_CONFIDENTIALITY_REQUIRED;
 			text = "unwilling to perform simple authentication "