
Add require secure binds switch.

This adds a new configuration attribute named
nsslapd-require-secure-binds.  When enabled, a simple bind
will only be allowed over a secure transport (SSL/TLS or a
SASL privacy layer).  An attempt to do a simple bind over
an insecure transport will return an LDAP result of
LDAP_CONFIDENTIALITY_REQUIRED.  This new setting will not
affect anonymous or unauthenticated binds.

The default setting is to have this option disabled.
Nathan Kinder 16 years ago
parent
commit
4d32ce1809

+ 1 - 0
ldap/ldif/template-dse.ldif.in

@@ -30,6 +30,7 @@ nsslapd-rewrite-rfc1274: off
 nsslapd-return-exact-case: on
 nsslapd-ssl-check-hostname: on
 nsslapd-allow-unauthenticated-binds: off
+nsslapd-require-secure-binds: off
 nsslapd-port: %ds_port%
 nsslapd-localuser: %ds_user%
 nsslapd-errorlog-logging-enabled: on

+ 24 - 0
ldap/servers/slapd/bind.c

@@ -439,6 +439,7 @@ do_bind( Slapi_PBlock *pb )
                 plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
             }
             goto free_and_return;
+        /* Check if unauthenticated binds are allowed. */
         } else if ( cred.bv_len == 0 ) {
             /* Increment unauthenticated bind counter */
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
@@ -454,6 +455,29 @@ do_bind( Slapi_PBlock *pb )
                 slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
                 goto free_and_return;
             }
+        /* Check if simple binds are allowed over an insecure channel.  We only check
+	 * this for authenticated binds. */
+        } else if (config_get_require_secure_binds() == 1) {
+                Connection *conn = NULL;
+                int sasl_ssf = 0;
+
+                /* Allow simple binds only for SSL/TLS established connections
+                 * or connections using SASL privacy layers */
+                conn = pb->pb_conn;
+                if ( slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
+                    slapi_log_error( SLAPI_LOG_PLUGIN, "do_bind",
+                                     "Could not get SASL SSF from connection\n" );
+                    sasl_ssf = 0;
+                }
+
+                if (((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) &&
+                    (sasl_ssf <= 1) ) {
+                        send_ldap_result(pb, LDAP_CONFIDENTIALITY_REQUIRED, NULL,
+                                         "Operation requires a secure connection",
+                                         0, NULL);
+                        slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+                        goto free_and_return;
+                }
         }
         break;
     default:
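Review bot: `conn = pb->pb_conn;` is dereferenced at the `conn->c_flags` test without a NULL check, while the SASL SSF lookup just above does handle its failure case; if `pb_conn` is guaranteed non-NULL at this point of do_bind (not visible in the hunk) a one-line comment stating that invariant would help, otherwise the test should fail closed: `if (conn == NULL || ((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL && sasl_ssf <= 1)) {`. The `sasl_ssf <= 1` threshold is a magic number; a comment such as `/* SSF 1 is presumably integrity-only; a privacy (encryption) layer reports an SSF > 1, and a failed lookup falls back to 0 so we fail closed */` would record why integrity-only SASL layers are treated as insecure, matching the commit message's "privacy layer" wording. Worth stating in the same comment that by the time this check runs the simple credential has already been received over the insecure channel, so the switch stops the server from accepting the bind but does not protect a password the client already sent. The comment introduced before the `else if` mixes a tab with spaces in its continuation line. do_bind begins and ends outside the hunk.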

+ 35 - 1
ldap/servers/slapd/libglobs.c

@@ -606,7 +606,11 @@ static struct config_get_and_set {
 	{CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.allow_unauth_binds, CONFIG_ON_OFF,
-		(ConfigGetFunc)config_get_unauth_binds_switch}
+		(ConfigGetFunc)config_get_unauth_binds_switch},
+	{CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.require_secure_binds, CONFIG_ON_OFF,
+		(ConfigGetFunc)config_get_require_secure_binds}
 #ifdef MEMPOOL_EXPERIMENTAL
 	,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 		NULL, 0,
@@ -857,6 +861,7 @@ FrontendConfig_init () {
   cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth");
 #endif
   cfg->allow_unauth_binds = LDAP_OFF;
+  cfg->require_secure_binds = LDAP_OFF;
   cfg->slapi_counters = LDAP_ON;
   cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
   cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -4544,6 +4549,19 @@ config_get_unauth_binds_switch(void)
 }
 
 
+int
+config_get_require_secure_binds(void)
+{
+	int retVal;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	CFG_LOCK_READ(slapdFrontendConfig);
+	retVal = slapdFrontendConfig->require_secure_binds;
+	CFG_UNLOCK_READ(slapdFrontendConfig);
+
+return retVal;
+}
+
+
 int 
 config_is_slapd_lite ()
 {
@@ -5310,6 +5328,22 @@ config_set_unauth_binds_switch( const char *attrname, char *value,
 	return retVal;
 }
 
+int
+config_set_require_secure_binds( const char *attrname, char *value,
+                char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->require_secure_binds),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
 
 /*
  * This function is intended to be used from the dse code modify callback.  It
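Review bot: In `config_get_require_secure_binds` the `return retVal;` sits at column 0 while the rest of the body is tab-indented; indent it to match `config_get_unauth_binds_switch` and the surrounding getters. In `config_set_require_secure_binds`, `int retVal = LDAP_SUCCESS;` is immediately overwritten by the `config_set_onoff` result, so the initializer is dead and `return config_set_onoff(...)` would read more directly. The getter is declared in proto-slap.h without documentation; a header comment such as `/* Returns the current nsslapd-require-secure-binds on/off value, read under the config read lock. */` would state the contract. Note that the bind.c caller in this commit compares the result with `== 1` rather than against `LDAP_ON`, which the setter stores via the CONFIG_ON_OFF table entry; if `LDAP_ON` is not literally 1 the check would never fire, so comparing against `LDAP_ON` (or testing non-zero) keeps the two sides consistent.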

+ 2 - 0
ldap/servers/slapd/proto-slap.h

@@ -343,6 +343,7 @@ int config_set_rewrite_rfc1274( const char *attrname, char *value, char *errorbu
 int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
 		char *errorbuf, int apply );
 int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
 
@@ -471,6 +472,7 @@ int config_get_hash_filters();
 int config_get_rewrite_rfc1274();
 int config_get_outbound_ldap_io_timeout(void);
 int config_get_unauth_binds_switch(void);
+int config_get_require_secure_binds(void);
 int config_get_csnlogging();
 #ifdef MEMPOOL_EXPERIMENTAL
 int config_get_mempool_switch();

+ 2 - 0
ldap/servers/slapd/slap.h

@@ -1715,6 +1715,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_USERAT_ATTRIBUTE "nsslapd-userat"
 #define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
+#define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
 #ifndef _WIN32
 #define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
 #endif /* !_WIN32 */
@@ -2008,6 +2009,7 @@ typedef struct _slapdFrontendConfig {
   char *ldapi_auto_dn_suffix;   /* suffix to be appended to auto gen DNs */
   int slapi_counters;           /* switch to turn slapi_counters on/off */
   int allow_unauth_binds;       /* switch to enable/disable unauthenticated binds */
+  int require_secure_binds;	/* switch to require simple binds to use a secure channel */
   size_t maxsasliosize;         /* limit incoming SASL IO packet size */
 #ifndef _WIN32
   struct passwd *localuserinfo; /* userinfo of localuser */
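Review bot: The new struct member line uses a tab before its trailing comment where the neighbouring members use spaces to align the `/* ... */` column; use spaces so the comment lines up: `  int require_secure_binds;     /* switch to require simple binds to use a secure channel */`. The `CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE` macro follows the existing attribute-name convention and needs no change.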