[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ssf, access control, and back-shell



It looks to me like the statement

      disallow bind_simple_unprotected

is not followed when using a back-shell script for binding?

What I ended up doing is modifying <source>/servers/slapd/back-shell/bind.c
such that the following lines appear right before the "/* write out the
request to the bind process */" section:

        if ( op->o_ssf < 128 ) {
                send_ldap_result( conn, op, LDAP_CONFIDENTIALITY_REQUIRED,
NULL, "unwilling to perform simple authentication without confidentiality
protection", NULL, NULL );
                return( -1 );
        }

-steve



On 10/7/02 3:51 PM, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

> At 10:45 PM 2002-10-04, Steven Hodges wrote:
>> I spoke too soon about back-shell ignoring ACLs.  It does
>> not ignore them, at least for searching.
> 
> The current back-shell only has what ACLs the front-end
> provides (which is only search "read" ACLs).  HEAD
> has some basic "entry-level" ACL support in back-shell.
> Basically, if you are doing anything more than search
> with back-shell (and other programmable backends), you
> likely will want to hack the backend to do more than it
> does on its own.
> 
>> But I am still trying to find a way to restrict binding to secure
>> connection.
> 
> See the "disallow" and "security" directives in slapd.conf(5).
> The latest Admin Guide discusses these in the "Security
> Considerations" section.
> 
>> If I were using a normal ldbm backend, where there
>> actually existed a userpassword field, I would apply an ACL that
>> specifies a ssf of 128.  But in the case of using back-shell to
>> handle binding, I am not sure.
>> 
>> Is it even possible to write an ACL to do this?  That is, would back-shell
>> pay any attention to ACLs in the case of binding?
>> 
>> If not, I suppose I could always modify the bind.c file under
>> servers/slapd/back-shell, but I would prefer not to...
>> 
>> -steve
>> 
>> 
>> On Thu, Oct 03, 2002 at 07:54:00PM -0400, Steven Hodges wrote:
>>> Hello...
>>> 
>>> I see that back-shell ignores almost all access control directives.
>>> 
>>> But what I would like to do is restrict my back-shell bind script
>>> such that all bind operations have to take place with ssf of 128...
>>> Normally I would do this with ssf=128 in the ACL, but I am not sure
>>> how to do it in this case.  I could just manually check it in my
>>> back-shell bind script, but I don't think it's even aware of the
>>> ssf...
>>> 
>>> Any ideas would be appreciated.
>>> 
>>> -steve hodges
>>> Georgia Tech
> 
>