Add localSSF slapd.conf(5) directive to set SSF associated

with ldapi:// sessions.
2025-12-27 18:19:52 -05:00 · 2004-09-10 22:35:24 +00:00 · 2004-09-10 22:35:24 +00:00 · 3869e3b84d
commit 3869e3b84d
parent 0fa3715e04
4 changed files with 33 additions and 2 deletions
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@ -512,6 +512,14 @@ continuing with the next line of the current file.
 .\"only go to stderr and are not recorded anywhere else. Specifying a logfile
 .\"copies messages to both stderr and the logfile.
 .TP
+.B localSSF <SSF>
+Specifies the Security Strength Factor (SSF) to be given local LDAP sessions,
+such as those to the ldapi:// listener.  For a description of SSF values,
+see 
+.BR sasl-secprops 's
+.B minssf
+property description.
+.TP
 .B loglevel <integer> [...]
 Specify the level at which debugging statements and operation 
 statistics should be syslogged (currently logged to the
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@ -191,6 +191,28 @@ read_config( const char *fname, int depth )
 				return( 1 );
 			}

+		/* set local security factor */
+		} else if ( strcasecmp( cargv[0], "localSSF" ) == 0 ) {
+			long ssf;
+			if ( cargc < 2 ) {
+				Debug( LDAP_DEBUG_ANY,
+				   "%s: line %d: missing ssf in \"localSSF <ssf>\" line\n",
+				    fname, lineno, 0 );
+				return( 1 );
+			}
+
+			ssf = atol( cargv[1] );
+
+			if( ssf < 0 ) {
+				Debug( LDAP_DEBUG_ANY,
+					"%s: line %d: invalid ssf value (%ld) in "
+					"\"localSSF <ssf>\" line.\n",
+				    fname, lineno, ssf );
+				return( 1 );
+			}
+
+			local_ssf = ssf;
+
 		/* set thread concurrency */
 		} else if ( strcasecmp( cargv[0], "concurrency" ) == 0 ) {
 			int c;
@ -1134,7 +1156,6 @@ restrict_unknown:;
 				be->be_requires = requires;
 			}

-		/* required security factors */
 		} else if ( strcasecmp( cargv[0], "security" ) == 0 ) {
 			slap_ssf_set_t *set;

--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@ -66,6 +66,7 @@ int slap_inet4or6 = AF_INET;
 /* globals */
 time_t starttime;
 ber_socket_t dtblsize;
+slap_ssf_t local_ssf = LDAP_PVT_SASL_LOCAL_SSF;

 Listener **slap_listeners = NULL;

@ -1467,7 +1468,7 @@ slapd_daemon_task(
 				}

 				sprintf( peername, "PATH=%s", from.sa_un_addr.sun_path );
-				ssf = LDAP_PVT_SASL_LOCAL_SSF;
+				ssf = local_ssf;
 				{
 					uid_t uid;
 					gid_t gid;
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -468,6 +468,7 @@ LDAP_SLAPD_F (void) slapd_clr_read LDAP_P((ber_socket_t s, int wake));
 LDAP_SLAPD_V (volatile sig_atomic_t) slapd_abrupt_shutdown;
 LDAP_SLAPD_V (volatile sig_atomic_t) slapd_shutdown;
 LDAP_SLAPD_V (int) slapd_register_slp;
+LDAP_SLAPD_V (slap_ssf_t) local_ssf;

 /*
 * dn.c