c61ee8e Ticket #110 - RFE limiting root DN by host, IP, time of day, day of week

Authored and Committed by mreynolds 11 years ago
    Ticket #110 - RFE limiting root DN by host, IP, time of day, day of week
    
    RFE Description:  There is no way to restrict when and where someone can attempt
                      root DN binds.  An intruder can brute force guess the password all
                      day long until they succeed, especially if the DS is publicly
                      available.
    
    Fix Description:  Created a new plugin, type "internalpreoperation" and an internal
                      preop bind function.  You can configure the plugin with some basic
                      access control:
    
                rootdn-open-time: 0800
                rootdn-close-time: 1700
                rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
                rootdn-allow-host: *.redhat.com
                rootdn-allow-host: *.fedora.com
                rootdn-deny-host: dangerous.boracle.com
                rootdn-allow-ip: 127.0.0.1
                rootdn-allow-ip: 2000:db8:de30::11
                rootdn-deny-ip: 192.168.1.*
    
                      As with our other ACL code, denies always override the allow rules.
    
    https://fedorahosted.org/389/ticket/110
    
    Reviewed by: richm(Thanks Rich!)
    
        