Add option to disallow unprotected simple authentication.

Add protected simple authentication as a "strong" mechanism.

doc/man/man5/slapd.conf.5

@@ -195,6 +195,9 @@ disallow (default none).
 disables acceptance of anonymous bind requests.
 .B bind_simple
 disables simple (bind) authentication.
+.B bind_simple_unprotected
+disables simple (bind) authentication when confidentiality
+protections (e.g. TLS) are not in place.
 .B bind_krbv4
 disables Kerberos V4 (bind) authentication.
 .B tls_2_anon
@@ -506,11 +509,8 @@ requires authentication prior to directory operations.
 requires SASL authentication prior to directory operations.
 .B strong
 requires strong authentication prior to directory operations.
-The
+The strong keyword allows protected "simple" authentication
-.B SASL
+as well as SASL authentication.
-and
-.B strong
-conditions are currently same.
 .B none
 may be used to require no conditions (useful for clearly globally
 set conditions within a particular database).

servers/slapd/backend.c

@@ -924,7 +924,8 @@ backend_check_restrictions(
 
 		if( requires & SLAP_REQUIRE_STRONG ) {
 			/* should check mechanism */
-			if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 )
+			if( ( op->o_transport_ssf < ssf->sss_transport
+				&& op->o_authmech.bv_len == 0 ) || op->o_dn.bv_len == 0 )
 			{
 				*text = "strong authentication required";
 				return LDAP_STRONG_AUTH_REQUIRED;
@@ -932,8 +933,7 @@ backend_check_restrictions(
 		}
 
 		if( requires & SLAP_REQUIRE_SASL ) {
-			if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 )
+			if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) {
-			{
 				*text = "SASL authentication required";
 				return LDAP_STRONG_AUTH_REQUIRED;
 			}

servers/slapd/bind.c

@@ -402,6 +402,27 @@ do_bind(
 			Debug( LDAP_DEBUG_TRACE,
 				"do_bind: v%d simple bind(%s) disallowed\n",
 				version, ndn.bv_val, 0 );
+#endif
+			goto cleanup;
+
+		} else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
+			&& ( op->o_transport_ssf < global_ssf_set.sss_transport ))
+		{
+			rc = LDAP_CONFIDENTIALITY_REQUIRED;
+			text = "unwilling to perform simple authentication "
+				"without confidentilty protection";
+
+			send_ldap_result( conn, op, rc,
+				NULL, text, NULL, NULL );
+
+#ifdef NEW_LOGGING
+			LDAP_LOG(( "operation", LDAP_LEVEL_INFO, "do_bind: conn %d  "
+				"v%d unprotected simple bind(%s) disallowed\n",
+				conn->c_connid, version, ndn.bv_val ));
+#else
+			Debug( LDAP_DEBUG_TRACE,
+				"do_bind: v%d unprotected simple bind(%s) disallowed\n",
+				version, ndn.bv_val, 0 );
 #endif
 			goto cleanup;
 		}

servers/slapd/config.c

@@ -1289,6 +1289,9 @@ read_config( const char *fname )
 				} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_BIND_SIMPLE;
 
+				} else if( strcasecmp( cargv[i], "bind_simple_unprotected" ) == 0 ) {
+					disallows |= SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED;
+
 				} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_BIND_KRBV4;
 

servers/slapd/slap.h

@@ -1175,7 +1175,9 @@ struct slap_backend_db {
 
 #define SLAP_DISALLOW_BIND_ANON		0x0001U /* no anonymous */
 #define SLAP_DISALLOW_BIND_SIMPLE	0x0002U	/* simple authentication */
-#define SLAP_DISALLOW_BIND_KRBV4	0x0004U /* Kerberos V4 authentication */
+#define SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED \
+									0x0004U	/* unprotected simple auth */
+#define SLAP_DISALLOW_BIND_KRBV4	0x0008U /* Kerberos V4 authentication */
 
 #define SLAP_DISALLOW_TLS_2_ANON	0x0010U /* StartTLS -> Anonymous */
 #define SLAP_DISALLOW_TLS_AUTHC		0x0020U	/* TLS while authenticated */