[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ssf, access control, and back-shell

To: Steve Hodges <steve.hodges@oit.gatech.edu>
Subject: Re: ssf, access control, and back-shell
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 07 Oct 2002 16:41:48 -0700
Cc: <openldap-software@OpenLDAP.org>
In-reply-to: <B9C78426.1262%steve.hodges@oit.gatech.edu>
References: <5.1.0.14.0.20021007123547.035dde68@127.0.0.1>

At 03:34 PM 2002-10-07, Steve Hodges wrote:
>It looks to me like the statement
>
>      disallow bind_simple_unprotected
>
>is not followed when using a back-shell script for binding?

In 2.1.5, you need to set the overall ssf for bind_simple_unprotected
to be effective.  That is,
        security ssf=112
        disallow bind_simple_unprotected

In HEAD, if ssf is set to none or integrity only, then
any confidentiality protection is sufficient to protect
simple bind.

HEAD's back-shell also supports "entry" level ACLs now.

>What I ended up doing is modifying <source>/servers/slapd/back-shell/bind.c
>such that the following lines appear right before the "/* write out the
>request to the bind process */" section:
>
>        if ( op->o_ssf < 128 ) {
>                send_ldap_result( conn, op, LDAP_CONFIDENTIALITY_REQUIRED,
>NULL, "unwilling to perform simple authentication without confidentiality
>protection", NULL, NULL );
>                return( -1 );
>        }
>
>-steve
>
>
>
>On 10/7/02 3:51 PM, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>
>> At 10:45 PM 2002-10-04, Steven Hodges wrote:
>>> I spoke too soon about back-shell ignoring ACLs.  It does
>>> not ignore them, at least for searching.
>> 
>> The current back-shell only has what ACLs the front-end
>> provides (which is only search "read" ACLs).  HEAD
>> has some basic "entry-level" ACL support in back-shell.
>> Basically, if you are doing anything more than search
>> with back-shell (and other programmable backends), you
>> likely will want to hack the backend to do more than it
>> does on its own.
>> 
>>> But I am still trying to find a way to restrict binding to secure
>>> connection.
>> 
>> See the "disallow" and "security" directives in slapd.conf(5).
>> The latest Admin Guide discusses these in the "Security
>> Considerations" section.
>> 
>>> If I were using a normal ldbm backend, where there
>>> actually existed a userpassword field, I would apply an ACL that
>>> specifies a ssf of 128.  But in the case of using back-shell to
>>> handle binding, I am not sure.
>>> 
>>> Is it even possible to write an ACL to do this?  That is, would back-shell
>>> pay any attention to ACLs in the case of binding?
>>> 
>>> If not, I suppose I could always modify the bind.c file under
>>> servers/slapd/back-shell, but I would prefer not to...
>>> 
>>> -steve
>>> 
>>> 
>>> On Thu, Oct 03, 2002 at 07:54:00PM -0400, Steven Hodges wrote:
>>>> Hello...
>>>> 
>>>> I see that back-shell ignores almost all access control directives.
>>>> 
>>>> But what I would like to do is restrict my back-shell bind script
>>>> such that all bind operations have to take place with ssf of 128...
>>>> Normally I would do this with ssf=128 in the ACL, but I am not sure
>>>> how to do it in this case.  I could just manually check it in my
>>>> back-shell bind script, but I don't think it's even aware of the
>>>> ssf...
>>>> 
>>>> Any ideas would be appreciated.
>>>> 
>>>> -steve hodges
>>>> Georgia Tech
>> 
>>

Follow-Ups:
- Re: ssf, access control, and back-shell
  - From: Steve Hodges <steve.hodges@oit.gatech.edu>

References:
- Re: ssf, access control, and back-shell
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: ssf, access control, and back-shell
  - From: Steve Hodges <steve.hodges@oit.gatech.edu>

Prev by Date: Re: ssf, access control, and back-shell
Next by Date: RE: Occassional index corrupts
Index(es):
- Chronological
- Thread