From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Wed, 1 May 2019 21:25:31 +0300

Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"

This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.

---

 install/share/Makefile.am       |  1 -

 install/share/min-ssf.ldif      | 14 --------------

 ipalib/constants.py             |  3 ---

 ipapython/ipaldap.py            | 17 ++---------------

 ipaserver/install/dsinstance.py |  5 -----

 5 files changed, 2 insertions(+), 38 deletions(-)

 delete mode 100644 install/share/min-ssf.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am

index be83bdf75..8d039d95c 100644

--- a/install/share/Makefile.am

+++ b/install/share/Makefile.am

@@ -94,7 +94,6 @@ dist_app_DATA =				\

 	ipa-kdc-proxy.conf.template	\

 	ipa-pki-proxy.conf.template	\

 	ipa-rewrite.conf.template	\

-	min-ssf.ldif			\

 	ipaca_default.ini		\

 	ipaca_customize.ini		\

 	ipaca_softhsm2.ini		\

diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif

deleted file mode 100644

index 1c2566f84..000000000

--- a/install/share/min-ssf.ldif

+++ /dev/null

@@ -1,14 +0,0 @@

-# config

-# pretend SSF for LDAPI connections

-# nsslapd-localssf must be equal to or greater than nsslapd-minssf

-dn: cn=config

-changetype: modify

-replace: nsslapd-localssf

-nsslapd-localssf: 256

-

-# minimum security strength factor for SASL and TLS

-# 56 is considered weak, but some old clients announce wrong SSF.

-dn: cn=config

-changetype: modify

-replace: nsslapd-minssf

-nsslapd-minssf: 56

diff --git a/ipalib/constants.py b/ipalib/constants.py

index bcf6f3373..c22dd26ae 100644

--- a/ipalib/constants.py

+++ b/ipalib/constants.py

@@ -311,9 +311,6 @@ TLS_VERSIONS = [

 ]

 TLS_VERSION_MINIMAL = "tls1.0"

-# minimum SASL secure strength factor for LDAP connections

-# 56 provides backwards compatibility with old libraries.

-LDAP_SSF_MIN_THRESHOLD = 56

 # Use cache path

 USER_CACHE_PATH = (

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py

index d9d67be1d..9ff443fe4 100644

--- a/ipapython/ipaldap.py

+++ b/ipapython/ipaldap.py

@@ -43,9 +43,7 @@ import six

 # pylint: disable=ipa-forbidden-import

 from ipalib import errors, x509, _

-from ipalib.constants import (

-    LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD

-)

+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT

 # pylint: enable=ipa-forbidden-import

 from ipaplatform.paths import paths

 from ipapython.ipautil import format_netloc, CIDict

@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):

     return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)

-def ldap_initialize(uri, cacertfile=None,

-                    ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):

+def ldap_initialize(uri, cacertfile=None):

     """Wrapper around ldap.initialize()

     The function undoes global and local ldap.conf settings that may cause

@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,

       locations, also known as system-wide trust store.

     * Cert validation is enforced.

     * SSLv2 and SSLv3 are disabled.

-    * Require a minimum SASL security factor of 56. That level ensures

-      data integrity and confidentiality. Although at least AES128 is

-      enforced pretty much everywhere, 56 is required for backwards

-      compatibility with systems that announce wrong SSF.

     """

     conn = ldap.initialize(uri)

@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,

     conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)

     if not uri.startswith('ldapi://'):

-        # require a minimum SSF for TCP connections, but don't lower SSF_MIN

-        # if the current value is already larger.

-        cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)

-        if cur_min_ssf < ssf_min_threshold:

-            conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)

-

         if cacertfile:

             if not os.path.isfile(cacertfile):

                 raise IOError(errno.ENOENT, cacertfile)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py

index 8240e3043..9f05db1db 100644

--- a/ipaserver/install/dsinstance.py

+++ b/ipaserver/install/dsinstance.py

@@ -324,8 +324,6 @@ class DsInstance(service.Service):

         else:

             self.step("importing CA certificates from LDAP",

                       self.__import_ca_certs)

-        # set min SSF after DS is configured for TLS

-        self.step("require minimal SSF", self.__min_ssf)

         self.step("restarting directory server", self.__restart_instance)

         self.start_creation()

@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):

             dm_password=self.dm_password

         )

-    def __min_ssf(self):

-        self._ldap_mod("min-ssf.ldif")

-

     def __add_sudo_binduser(self):

         self._ldap_mod("sudobind.ldif", self.sub_dict)

-- 

2.21.0