On Thu, Jun 15, 2023 at 08:23:07AM +1000, Sean Gallagher wrote:
> I'd like to propose a new feature to substantially strengthen the existing
> access controls in slapd. This follows on from comments made in the
> discussion around Issue 10065, in particular Comment 17 and Comment 19.
>
> The objective here is to validate the credentials supplied by external
> security mechanisms BEFORE the main server loop starts, and terminate the
> connection if the client is not "known".
>
> It was noted that the olcAuthzRegexp configuration option already deals with
> externally supplied Authentication IDs. My idea is to build on that.
Hi Sean,

olcAuthzRegexp deals with Bind requests only.

> Any thoughts?

By the sounds of it, you want to react to a connection being established.
There's already a callback for this: bi_connection_init, so you can write
your own module/overlay/etc. that would quarantine it until it was set up,
or find another hook that is closer to that. We might have to delay calling
backend_connection_init() while c_needs_tls_accept is set. Or maybe add
another callback for this; any thoughts on that, Howard?

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
