[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ssf, access control, and back-shell

To: "'openldap-software@OpenLDAP.org'" <openldap-software@OpenLDAP.org>
Subject: Re: ssf, access control, and back-shell
From: Steve Hodges <steve.hodges@oit.gatech.edu>
Date: Tue, 08 Oct 2002 10:05:12 -0400
In-reply-to: <5.1.0.14.0.20021007163627.0298d070@127.0.0.1>
User-agent: Microsoft-Entourage/10.1.0.2006

Thanks for the suggestion.

When you do this, though, it seems to mean that *all* binds, even anonymous
ones, must be protected by security.  What I really want is for unprotected
simple _anonymous_ binds to be OK, but any unprotected simple
_non-anonymous_ binds to be disallowed.

I will take a look at HEAD's back-shell.

-steve

On 10/7/02 7:41 PM, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

> In 2.1.5, you need to set the overall ssf for bind_simple_unprotected
> to be effective.  That is,
>       security ssf=112
>       disallow bind_simple_unprotected
> 
> In HEAD, if ssf is set to none or integrity only, then
> any confidentiality protection is sufficient to protect
> simple bind.
> 
> HEAD's back-shell also supports "entry" level ACLs now.
> 
>> What I ended up doing is modifying <source>/servers/slapd/back-shell/bind.c
>> such that the following lines appear right before the "/* write out the
>> request to the bind process */" section:
>> 
>>        if ( op->o_ssf < 128 ) {
>>                send_ldap_result( conn, op, LDAP_CONFIDENTIALITY_REQUIRED,
>> NULL, "unwilling to perform simple authentication without confidentiality
>> protection", NULL, NULL );
>>                return( -1 );
>>        }
>> 
>> -steve
>> 
>> 
>> 
>> On 10/7/02 3:51 PM, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>> 
>>> At 10:45 PM 2002-10-04, Steven Hodges wrote:
>>>> I spoke too soon about back-shell ignoring ACLs.  It does
>>>> not ignore them, at least for searching.
>>> 
>>> The current back-shell only has what ACLs the front-end
>>> provides (which is only search "read" ACLs).  HEAD
>>> has some basic "entry-level" ACL support in back-shell.
>>> Basically, if you are doing anything more than search
>>> with back-shell (and other programmable backends), you
>>> likely will want to hack the backend to do more than it
>>> does on its own.
>>> 
>>>> But I am still trying to find a way to restrict binding to secure
>>>> connection.
>>> 
>>> See the "disallow" and "security" directives in slapd.conf(5).
>>> The latest Admin Guide discusses these in the "Security
>>> Considerations" section.
>>> 
>>>> If I were using a normal ldbm backend, where there
>>>> actually existed a userpassword field, I would apply an ACL that
>>>> specifies a ssf of 128.  But in the case of using back-shell to
>>>> handle binding, I am not sure.
>>>> 
>>>> Is it even possible to write an ACL to do this?  That is, would back-shell
>>>> pay any attention to ACLs in the case of binding?
>>>> 
>>>> If not, I suppose I could always modify the bind.c file under
>>>> servers/slapd/back-shell, but I would prefer not to...
>>>> 
>>>> -steve
>>>> 
>>>> 
>>>> On Thu, Oct 03, 2002 at 07:54:00PM -0400, Steven Hodges wrote:
>>>>> Hello...
>>>>> 
>>>>> I see that back-shell ignores almost all access control directives.
>>>>> 
>>>>> But what I would like to do is restrict my back-shell bind script
>>>>> such that all bind operations have to take place with ssf of 128...
>>>>> Normally I would do this with ssf=128 in the ACL, but I am not sure
>>>>> how to do it in this case.  I could just manually check it in my
>>>>> back-shell bind script, but I don't think it's even aware of the
>>>>> ssf...
>>>>> 
>>>>> Any ideas would be appreciated.
>>>>> 
>>>>> -steve hodges
>>>>> Georgia Tech
>>> 
>>> 
> 
>

References:
- Re: ssf, access control, and back-shell
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Aliases in OL 2.1.5 with BDB.
Next by Date: RE: Aliases in OL 2.1.5 with BDB.
Index(es):
- Chronological
- Thread