
Blame SOURCES/0007-Allow-insecure-binds-for-migration-8e207fd3_rhbz#1731963.patch

From 8e207fd33d524f5cde2dfd8a41a08926a328a92b Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 13 Aug 2019 17:22:01 +0200
Subject: [PATCH] Allow insecure binds for migration
Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.
Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
 ipapython/ipaldap.py           | 8 +++++---
 ipaserver/plugins/migration.py | 9 ++++-----
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
e8574e
index 9ff443fe4f..f40858e27f 100644
e8574e
--- a/ipapython/ipaldap.py
e8574e
+++ b/ipapython/ipaldap.py
e8574e
@@ -1206,12 +1206,14 @@ def _connect(self):
e8574e
         return conn
e8574e
 
e8574e
     def simple_bind(self, bind_dn, bind_password, server_controls=None,
e8574e
-                    client_controls=None):
e8574e
+                    client_controls=None, insecure_bind=False):
e8574e
         """
e8574e
         Perform simple bind operation.
e8574e
         """
e8574e
-        if self.protocol == 'ldap' and not self._start_tls and bind_password:
e8574e
-            # non-empty bind must use a secure connection
e8574e
+        if (self.protocol == 'ldap' and not self._start_tls and
e8574e
+                bind_password and not insecure_bind):
e8574e
+            # non-empty bind must use a secure connection unless
e8574e
+            # insecure bind is explicitly enabled
e8574e
             raise ValueError('simple_bind over insecure LDAP connection')
e8574e
         with self.error_handler():
e8574e
             self._flush_schema()
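Review bot: The new `insecure_bind` parameter is not described in the docstring, which still reads only "Perform simple bind operation.", so a caller gets no signal that enabling it sends `bind_password` in cleartext over plain LDAP. Extend the docstring with something like `insecure_bind: permit a non-empty password over ldap:// without STARTTLS; the password crosses the network unencrypted, so callers must opt in deliberately.` Since the flag is a new boolean, consider making it keyword-only (`client_controls=None, *, insecure_bind=False`) so it cannot be switched on by a stray positional argument; nothing in this hunk shows a caller that would be affected. The ValueError message could also name the flag so the error points at the intended opt-in. simple_bind's body continues past the end of the hunk.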
e8574e
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
e8574e
index d0ca8369ae..b025c46cc5 100644
e8574e
--- a/ipaserver/plugins/migration.py
e8574e
+++ b/ipaserver/plugins/migration.py
e8574e
@@ -901,20 +901,19 @@ def execute(self, ldapuri, bindpw, **options):
e8574e
             return dict(result={}, failed={}, enabled=False, compat=True)
e8574e
 
e8574e
         # connect to DS
e8574e
-        cacert = None
e8574e
         if options.get('cacertfile') is not None:
e8574e
             # store CA cert into file
e8574e
             tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
e8574e
             cacert = tmp_ca_cert_f.name
e8574e
 
e8574e
-            # start TLS connection
e8574e
-            ds_ldap = LDAPClient(ldapuri, cacert=cacert)
e8574e
+            # start TLS connection or STARTTLS
e8574e
+            ds_ldap = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
e8574e
             ds_ldap.simple_bind(options['binddn'], bindpw)
e8574e
 
e8574e
             tmp_ca_cert_f.close()
e8574e
         else:
e8574e
-            ds_ldap = LDAPClient(ldapuri, cacert=cacert)
e8574e
-            ds_ldap.simple_bind(options['binddn'], bindpw)
e8574e
+            ds_ldap = LDAPClient(ldapuri)
e8574e
+            ds_ldap.simple_bind(options['binddn'], bindpw, insecure_bind=True)
e8574e
 
e8574e
         # check whether the compat plugin is enabled
e8574e
         if not options.get('compat'):
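Review bot: The cacertfile branch now passes `start_tls=True` unconditionally, although the commit message limits STARTTLS to a plain LDAP connection; when `ldapuri` is `ldaps://` the extra TLS start is at best redundant and, depending on how LDAPClient treats start_tls on a non-ldap:// URI (not visible here), may reject a configuration that worked before the change. Gating it on the scheme, e.g. `start_tls = not ldapuri.startswith('ldaps://')` followed by `LDAPClient(ldapuri, cacert=cacert, start_tls=start_tls)`, would match the stated intent. In the else branch the cleartext opt-in is silent: no comment or log line records that the migration bind password goes out unencrypted when no CA certificate is given, so a comment such as `# no CA cert: plain LDAP, the bind password is sent in cleartext (explicit opt-in for migrate-ds)` and, if the plugin has a logger in scope, a warning would leave operators a trace of that choice. Pre-existing but still in this hunk: `tmp_ca_cert_f.close()` runs only when simple_bind succeeds, so a failed bind leaves the temporary CA file open; a `try/finally` around the bind would close it on both paths. execute's body continues on both sides of the hunk.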