#168 minssf should not apply to rootdse

Created 5 years ago by rmeggins
Modified 3 months ago

https://bugzilla.redhat.com/show_bug.cgi?id=746758

Description of problem:
LDAP Standard requires that rootdse be always available anonymously and
unencrypted.

389 DS prevents the lookup when minssf is set and an unencrypted query for
rootdse is performed.

How reproducible:
Always

Steps to Reproduce:
1. Set minssf in dse.ldif
2. ldapsearch -x -H ldap://`hostname` -s base -b ""
3. ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

Actual results:
ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

Expected results:
To return results for rootdse

Additional info:

batch move to milestone 1.2.10.a7

Fix description: This patch is for supporting a request to
allow accessing rootdse with lower ssf than minssf configuration
setting.
. introduced an on/off type config parameter:
nsslapd-minssf-exclude-rootdse.
. by default, the value is off.
. when it is off, the server's behavior remains intact.
. when it is on, the server allows access to rootdse even if
the ssf value is less than the nsslapd-minssf value.

Reviewed by Rich (Thank you!!)

Pushed to master.

$ git merge trac168
Updating ed87077..48e99c1
Fast-forward
ldap/servers/slapd/bind.c | 13 +++++++++++--
ldap/servers/slapd/connection.c | 10 +++++++++-
ldap/servers/slapd/libglobs.c | 35 +++++++++++++++++++++++++++++++++++
ldap/servers/slapd/modify.c | 22 ++++++++++++++++++++++
ldap/servers/slapd/proto-slap.h | 2 ++
ldap/servers/slapd/search.c | 29 ++++++++++++++++++++++++++++-
ldap/servers/slapd/slap.h | 2 ++
7 files changed, 109 insertions(+), 4 deletions(-)

$ git push
Counting objects: 23, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (12/12), done.
Writing objects: 100% (12/12), 2.92 KiB, done.
Total 12 (delta 10), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
ed87077..48e99c1 master -> master

Steps to verify:
1. nsslapd-minssf-exclude-rootdse: off
In cn=config, set the following parameters (assume server is down) and start the server.
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 10
nsslapd-minssf-exclude-rootdse: off
1-1. Simple auth search (-x) by any user against any base dn fails with "Minimum SSF not met".
$ ldapsearch -LLLx -h localhost -p <port> -b "" -s base dn
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.
$ ldapsearch -LLLx -h localhost -p <port> -b "dc=example,dc=com" dn
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.
$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "" -s base dn
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.
$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "dc=example,dc=com" dn
ldap_bind: Server is unwilling to perform (53)
additional info: Minimum SSF not met.

2. nsslapd-minssf-exclude-rootdse: on
In cn=config, set the following parameters (assume server is down) and start the server.
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 10
nsslapd-minssf-exclude-rootdse: on
2-1. Simple auth search (-x) by any user against rootdse is allowed, but against any other base dn fails with "Minimum SSF not met".
$ ldapsearch -LLLx -h localhost -p <port> -b "" -s base dn
dn:
$ ldapsearch -LLLx -h localhost -p <port> -b "dc=example,dc=com" -s base dn
Server is unwilling to perform (53)
Additional information: Minimum SSF not met.
$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "" -s base dn
dn:
$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "dc=example,dc=com" -s base dn
Server is unwilling to perform (53)
Additional information: Minimum SSF not met.
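The fix description and the verification steps above can be read as one decision rule: with the exclusion off, a connection below nsslapd-minssf is refused at bind time; with it on, the bind is let through and the check moves to the search, which passes only for the root DSE. The following is an added model of that rule written for this ticket; it is not the 389 DS source and does not talk to a server. It assumes a single effective connection SSF (0 on the plain port used in the steps), that the root DSE means an empty base DN at base scope, and that a search is the only operation it needs to model.

```python
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_UNWILLING_TO_PERFORM = 53
MINSSF_MSG = "Minimum SSF not met."


@dataclass(frozen=True)
class ServerConfig:
    minssf: int                   # nsslapd-minssf
    minssf_exclude_rootdse: bool  # nsslapd-minssf-exclude-rootdse (default off)


def is_rootdse(base_dn: str, scope: str) -> bool:
    # Assumption of this model: root DSE = empty base DN searched at base scope.
    return base_dn.strip() == "" and scope == "base"


def check_bind(cfg: ServerConfig, conn_ssf: int):
    """Exclusion off: a connection below nsslapd-minssf is refused at bind time
    (case 1 above: every ldapsearch prints 'ldap_bind: ... (53)').
    Exclusion on: the bind goes through, even a simple bind with a password on
    the plain port (case 2, the directory manager lines), and the SSF check is
    deferred to the individual operation. Keep that in mind before enabling it."""
    if not cfg.minssf_exclude_rootdse and conn_ssf < cfg.minssf:
        return LDAP_UNWILLING_TO_PERFORM, MINSSF_MSG
    return LDAP_SUCCESS, ""


def check_search(cfg: ServerConfig, conn_ssf: int, base_dn: str, scope: str):
    """Deferred check: below nsslapd-minssf only the root DSE is served."""
    if (cfg.minssf_exclude_rootdse and conn_ssf < cfg.minssf
            and not is_rootdse(base_dn, scope)):
        return LDAP_UNWILLING_TO_PERFORM, MINSSF_MSG
    return LDAP_SUCCESS, ""


def ldapsearch(cfg: ServerConfig, conn_ssf: int, base_dn: str, scope: str = "sub"):
    """Emulate ldapsearch -x: bind, then search. Returns (stage, code, diagnostic);
    stage is 'ldap_bind' or 'search' on failure, 'ok' on success."""
    rc, msg = check_bind(cfg, conn_ssf)
    if rc != LDAP_SUCCESS:
        return "ldap_bind", rc, msg
    rc, msg = check_search(cfg, conn_ssf, base_dn, scope)
    if rc != LDAP_SUCCESS:
        return "search", rc, msg
    return "ok", LDAP_SUCCESS, ""


if __name__ == "__main__":
    # Plain-port connection (no TLS, no SASL): SSF 0, as in the steps above.
    for exclude in (False, True):
        cfg = ServerConfig(minssf=10, minssf_exclude_rootdse=exclude)
        for base, scope in (("", "base"), ("dc=example,dc=com", "base")):
            print(f"exclude={exclude!s:5} base={base!r:20} ->", ldapsearch(cfg, 0, base, scope))
```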

Added initial screened field value.

3 months ago

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.10.a7


ack

Directory Server

1.2.10

enhancement
