On Thu, Jun 15, 2023 at 08:23:07AM +1000, Sean Gallagher wrote:
> I'd like to propose a new feature to substantially strengthen the existing access controls in slapd. This follows on from comments made in the discussion around Issue 10065, in particular Comment 17 and Comment 19.
> The objective here is to validate the credentials supplied by external security mechanisms BEFORE the main server loop starts, and terminate the connection if the client is not "known".
> It was noted that the olcAuthzRegexp configuration option already deals with an externally supplied Authentication ID. My idea is to build on that.
Hi Sean,

olcAuthzRegexp deals with Bind requests only.
> Any thoughts?
By the sounds of it, you want to react to a connection being established. There's already a callback for this: bi_connection_init, so you can write your own module/overlay/etc. that would quarantine it until it was set up, or find another hook that is closer to that.
We might have to delay calling backend_connection_init() while c_needs_tls_accept is set. Or maybe add another callback for this; any thoughts on that, Howard?
Regards,
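The flow sketched in this reply, written out as an added model that is not slapd code: the connection-init hook is held back while c_needs_tls_accept is set (the external identity does not exist before the handshake), and once it runs it terminates any connection whose asserted identity is not on an allow-list. The Connection struct, the hook name and the allow-list entries are all constructed stand-ins for this illustration, not OpenLDAP's own types or data.

```c
#include <string.h>
/* Stand-in for slapd's Connection (a model, not the real struct);
 * the field names mirror the ones discussed in the thread. */
typedef struct {
    int c_needs_tls_accept;  /* set until the TLS handshake completes */
    const char *c_authz_id;  /* identity asserted by TLS/SASL EXTERNAL, NULL if none */
    int c_init_done;         /* whether the connection-init hook has run */
    int c_closed;            /* set when the hook rejects the connection */
} Connection;
/* Hypothetical hook in the shape of bi_connection_init: 0 accepts the
 * connection, non-zero has it terminated. The allow-list is sample data. */
static int known_client_connection_init(Connection *c)
{
    static const char *known[] = {
        "cn=replica1,ou=servers,dc=example,dc=com",
        "cn=monitor,ou=servers,dc=example,dc=com",
    };
    if (c->c_authz_id == NULL)
        return 1;  /* no external identity at all: not "known" */
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(c->c_authz_id, known[i]) == 0)
            return 0;
    return 1;
}
/* Models deferring backend_connection_init(): the hook is skipped while
 * c_needs_tls_accept is set. Returns -1 when the connection gets closed. */
static int run_connection_init(Connection *c)
{
    if (c->c_needs_tls_accept || c->c_init_done)
        return 0;  /* quarantined (or already initialised): nothing to do */
    c->c_init_done = 1;
    if (known_client_connection_init(c) != 0)
        c->c_closed = 1;
    return c->c_closed ? -1 : 0;
}
/* Drives one connection through both phases; returns 1 if it was closed. */
static int simulate(const char *authz_id)
{
    Connection c = { 1, NULL, 0, 0 };
    run_connection_init(&c);     /* before TLS: the hook must not run */
    c.c_needs_tls_accept = 0;    /* handshake done, identity now known */
    c.c_authz_id = authz_id;
    run_connection_init(&c);
    return c.c_closed;
}
```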