Allow anonymous access to be disabled.

This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access.  When this is enabled,
the connection displatch code will only allow BIND operations through
for an unauthenticated user.  The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.

I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.

ldap/admin/src/scripts/DSMigration.pm.in

@@ -101,6 +101,7 @@ my %ignoreOld =
  'nsslapd-plugin-depends-on-named' => 'nsslapd-plugin-depends-on-named',
 # these are new attrs that we should just pass through
  'nsslapd-allow-unauthenticated-binds' => 'nsslapd-allow-unauthenticated-binds',
+ 'nsslapd-allow-anonymous-access'  => 'nsslapd-allow-anonymous-access',
  'nsslapd-saslpath'                => 'nsslapd-saslpath',
  'nsslapd-rundir'                  => 'nsslapd-rundir',
  'nsslapd-schemadir'               => 'nsslapd-schemadir',

ldap/ldif/template-dse.ldif.in

@@ -31,6 +31,7 @@ nsslapd-return-exact-case: on
 nsslapd-ssl-check-hostname: on
 nsslapd-allow-unauthenticated-binds: off
 nsslapd-require-secure-binds: off
+nsslapd-allow-anonymous-access: on
 nsslapd-port: %ds_port%
 nsslapd-localuser: %ds_user%
 nsslapd-errorlog-logging-enabled: on

ldap/servers/slapd/bind.c

@@ -424,10 +424,19 @@ do_bind( Slapi_PBlock *pb )
         /* accept null binds */
         if (dn == NULL || *dn == '\0') {
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds);
-            /* by definition its anonymous is also UnAuthenticated so increment 
+            /* by definition anonymous is also unauthenticated so increment 
                that counter */
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
 
+            /* Refuse the operation if anonymous access is disabled. */
+            if (!config_get_anon_access_switch()) {
+                send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                                 "Anonymous access is not allowed", 0, NULL);
+                /* increment BindSecurityErrorcount */
+                slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+                goto free_and_return;
+            }
+
             /* call preop plugins */
             if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) == 0){
                 if ( auth_response_requested ) {
@@ -444,6 +453,15 @@ do_bind( Slapi_PBlock *pb )
             /* Increment unauthenticated bind counter */
             slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
 
+            /* Refuse the operation if anonymous access is disabled. */
+            if (!config_get_anon_access_switch()) {
+                send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                                 "Anonymous access is not allowed", 0, NULL);
+                /* increment BindSecurityErrorcount */
+                slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+                goto free_and_return;
+            }
+
             /* Refuse the operation if unauthenticated binds are disabled. */
             if (!config_get_unauth_binds_switch()) {
                 /* As stated in RFC 4513, a server SHOULD by default fail

ldap/servers/slapd/connection.c

@@ -480,8 +480,21 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb)
 	/* Copy the Connection DN into the operation struct */
 	op_copy_identity( conn, op );
 
-	/* process the operation */
+	/* If anonymous access is disabled and the connection is
+	 * not authenticated, only allow the BIND operation. */
+	if (!config_get_anon_access_switch() && (op->o_tag != LDAP_REQ_BIND) &&
+            ((op->o_authtype == NULL) || (strcasecmp(op->o_authtype, SLAPD_AUTH_NONE) == 0))) {
+		slapi_log_access( LDAP_DEBUG_STATS,
+			"conn=%" NSPRIu64 " op=%d UNPROCESSED OPERATION\n",
+            		conn->c_connid, op->o_opid );
+
+		send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                                  "Anonymous access is not allowed.",
+                                  0, NULL );
+		return;
+	}
 
+	/* process the operation */
 	switch ( op->o_tag ) {
 	case LDAP_REQ_BIND:
 		operation_set_type(op,SLAPI_OPERATION_BIND);

ldap/servers/slapd/libglobs.c

@@ -609,7 +609,11 @@ static struct config_get_and_set {
 	{CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.require_secure_binds, CONFIG_ON_OFF,
-		(ConfigGetFunc)config_get_require_secure_binds}
+		(ConfigGetFunc)config_get_require_secure_binds},
+	{CONFIG_ANON_ACCESS_ATTRIBUTE, config_set_anon_access_switch,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.allow_anon_access, CONFIG_ON_OFF,
+		(ConfigGetFunc)config_get_anon_access_switch}
 #ifdef MEMPOOL_EXPERIMENTAL
 	,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 		NULL, 0,
@@ -861,6 +865,7 @@ FrontendConfig_init () {
 #endif
   cfg->allow_unauth_binds = LDAP_OFF;
   cfg->require_secure_binds = LDAP_OFF;
+  cfg->allow_anon_access = LDAP_ON;
   cfg->slapi_counters = LDAP_ON;
   cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
   cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -4557,7 +4562,19 @@ config_get_require_secure_binds(void)
 	retVal = slapdFrontendConfig->require_secure_binds;
 	CFG_UNLOCK_READ(slapdFrontendConfig);
 
-return retVal;
+	return retVal;
+}
+
+int
+config_get_anon_access_switch(void)
+{
+	int retVal;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	CFG_LOCK_READ(slapdFrontendConfig);
+	retVal = slapdFrontendConfig->allow_anon_access;
+	CFG_UNLOCK_READ(slapdFrontendConfig);
+
+	return retVal;
 }
 
 int
@@ -5336,6 +5353,22 @@ config_set_require_secure_binds( const char *attrname, char *value,
 	return retVal;
 }
 
+int
+config_set_anon_access_switch( const char *attrname, char *value,
+		char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->allow_anon_access),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
 
 /*
  * This function is intended to be used from the dse code modify callback.  It

ldap/servers/slapd/proto-slap.h

@@ -344,6 +344,7 @@ int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
 		char *errorbuf, int apply );
 int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_anon_access_switch(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
 
@@ -473,6 +474,7 @@ int config_get_rewrite_rfc1274();
 int config_get_outbound_ldap_io_timeout(void);
 int config_get_unauth_binds_switch(void);
 int config_get_require_secure_binds(void);
+int config_get_anon_access_switch(void);
 int config_get_csnlogging();
 #ifdef MEMPOOL_EXPERIMENTAL
 int config_get_mempool_switch();

ldap/servers/slapd/slap.h

@@ -1722,6 +1722,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
 #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
+#define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
 #ifndef _WIN32
 #define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
 #endif /* !_WIN32 */
@@ -2016,6 +2017,7 @@ typedef struct _slapdFrontendConfig {
   int slapi_counters;           /* switch to turn slapi_counters on/off */
   int allow_unauth_binds;       /* switch to enable/disable unauthenticated binds */
   int require_secure_binds;	/* switch to require simple binds to use a secure channel */
+  int allow_anon_access;	/* switch to enable/disable anonymous access */
   size_t maxsasliosize;         /* limit incoming SASL IO packet size */
 #ifndef _WIN32
   struct passwd *localuserinfo; /* userinfo of localuser */

selinux/dirsrv.te

@@ -86,7 +86,7 @@ allow dirsrv_t self:fifo_file { read write };
 
 # process stuff
 allow dirsrv_t self:process { getsched setsched signal_perms};
-allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override };
+allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override fowner };
 
 # semaphores
 allow dirsrv_t self:sem all_sem_perms;