From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 1 May 2019 21:25:31 +0300
Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
---
install/share/Makefile.am | 1 -
install/share/min-ssf.ldif | 14 --------------
ipalib/constants.py | 3 ---
ipapython/ipaldap.py | 17 ++---------------
ipaserver/install/dsinstance.py | 5 -----
5 files changed, 2 insertions(+), 38 deletions(-)
delete mode 100644 install/share/min-ssf.ldif
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index be83bdf75..8d039d95c 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -94,7 +94,6 @@ dist_app_DATA = \
ipa-kdc-proxy.conf.template \
ipa-pki-proxy.conf.template \
ipa-rewrite.conf.template \
- min-ssf.ldif \
ipaca_default.ini \
ipaca_customize.ini \
ipaca_softhsm2.ini \
diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
deleted file mode 100644
index 1c2566f84..000000000
--- a/install/share/min-ssf.ldif
+++ /dev/null
@@ -1,14 +0,0 @@
-# config
-# pretend SSF for LDAPI connections
-# nsslapd-localssf must be equal to or greater than nsslapd-minssf
-dn: cn=config
-changetype: modify
-replace: nsslapd-localssf
-nsslapd-localssf: 256
-
-# minimum security strength factor for SASL and TLS
-# 56 is considered weak, but some old clients announce wrong SSF.
-dn: cn=config
-changetype: modify
-replace: nsslapd-minssf
-nsslapd-minssf: 56
diff --git a/ipalib/constants.py b/ipalib/constants.py
index bcf6f3373..c22dd26ae 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -311,9 +311,6 @@ TLS_VERSIONS = [
]
TLS_VERSION_MINIMAL = "tls1.0"
-# minimum SASL secure strength factor for LDAP connections
-# 56 provides backwards compatibility with old libraries.
-LDAP_SSF_MIN_THRESHOLD = 56
# Use cache path
USER_CACHE_PATH = (
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index d9d67be1d..9ff443fe4 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -43,9 +43,7 @@ import six
# pylint: disable=ipa-forbidden-import
from ipalib import errors, x509, _
-from ipalib.constants import (
- LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
-)
+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
# pylint: enable=ipa-forbidden-import
from ipaplatform.paths import paths
from ipapython.ipautil import format_netloc, CIDict
@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
-def ldap_initialize(uri, cacertfile=None,
- ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
+def ldap_initialize(uri, cacertfile=None):
"""Wrapper around ldap.initialize()
The function undoes global and local ldap.conf settings that may cause
@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
locations, also known as system-wide trust store.
* Cert validation is enforced.
* SSLv2 and SSLv3 are disabled.
- * Require a minimum SASL security factor of 56. That level ensures
- data integrity and confidentiality. Although at least AES128 is
- enforced pretty much everywhere, 56 is required for backwards
- compatibility with systems that announce wrong SSF.
"""
conn = ldap.initialize(uri)
@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
if not uri.startswith('ldapi://'):
- # require a minimum SSF for TCP connections, but don't lower SSF_MIN
- # if the current value is already larger.
- cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
- if cur_min_ssf < ssf_min_threshold:
- conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
-
if cacertfile:
if not os.path.isfile(cacertfile):
raise IOError(errno.ENOENT, cacertfile)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 8240e3043..9f05db1db 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -324,8 +324,6 @@ class DsInstance(service.Service):
else:
self.step("importing CA certificates from LDAP",
self.__import_ca_certs)
- # set min SSF after DS is configured for TLS
- self.step("require minimal SSF", self.__min_ssf)
self.step("restarting directory server", self.__restart_instance)
self.start_creation()
@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
dm_password=self.dm_password
)
- def __min_ssf(self):
- self._ldap_mod("min-ssf.ldif")
-
def __add_sudo_binduser(self):
self._ldap_mod("sudobind.ldif", self.sub_dict)
--
2.21.0