|
 |
3280a9 |
From 389b2c825742392365262a719be7c8f594e7e522 Mon Sep 17 00:00:00 2001
|
|
|
ef1f48 |
From: William Brown <william@blackhats.net.au>
|
|
|
ef1f48 |
Date: Thu, 26 Nov 2020 09:08:13 +1000
|
|
|
ef1f48 |
Subject: [PATCH] Issue 4460 - BUG - lib389 should use system tls policy
|
|
|
ef1f48 |
|
|
|
ef1f48 |
Bug Description: Due to some changes in dsrc for tlsreqcert
|
|
|
ef1f48 |
and how def open was structured in lib389, the system ldap.conf
|
|
|
ef1f48 |
policy was ignored.
|
|
|
ef1f48 |
|
|
|
ef1f48 |
Fix Description: Default to using the system ldap.conf policy
|
|
|
ef1f48 |
if undefined in lib389 or the tls_reqcert param in dsrc.
|
|
|
ef1f48 |
|
|
|
ef1f48 |
fixes: #4460
|
|
|
ef1f48 |
|
|
|
ef1f48 |
Author: William Brown <william@blackhats.net.au>
|
|
|
ef1f48 |
|
|
|
ef1f48 |
Review by: ???
|
|
|
ef1f48 |
---
|
|
|
ef1f48 |
src/lib389/lib389/__init__.py | 11 +++++++----
|
|
|
ef1f48 |
src/lib389/lib389/cli_base/dsrc.py | 16 +++++++++-------
|
|
|
ef1f48 |
2 files changed, 16 insertions(+), 11 deletions(-)
|
|
|
ef1f48 |
|
|
|
ef1f48 |
diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py
|
|
|
3280a9 |
index 99ea9cc6a..4e6a1905a 100644
|
|
|
ef1f48 |
--- a/src/lib389/lib389/__init__.py
|
|
|
ef1f48 |
+++ b/src/lib389/lib389/__init__.py
|
|
|
ef1f48 |
@@ -962,7 +962,7 @@ class DirSrv(SimpleLDAPObject, object):
|
|
|
ef1f48 |
# Now, we are still an allocated ds object so we can be re-installed
|
|
|
ef1f48 |
self.state = DIRSRV_STATE_ALLOCATED
|
|
|
ef1f48 |
|
|
|
ef1f48 |
- def open(self, uri=None, saslmethod=None, sasltoken=None, certdir=None, starttls=False, connOnly=False, reqcert=ldap.OPT_X_TLS_HARD,
|
|
|
ef1f48 |
+ def open(self, uri=None, saslmethod=None, sasltoken=None, certdir=None, starttls=False, connOnly=False, reqcert=None,
|
|
|
ef1f48 |
usercert=None, userkey=None):
|
|
|
ef1f48 |
'''
|
|
|
ef1f48 |
It opens a ldap bound connection to dirsrv so that online
|
|
|
ef1f48 |
@@ -1025,9 +1025,12 @@ class DirSrv(SimpleLDAPObject, object):
|
|
|
ef1f48 |
try:
|
|
|
ef1f48 |
# Note this sets LDAP.OPT not SELF. Because once self has opened
|
|
|
ef1f48 |
# it can NOT change opts on reused (ie restart)
|
|
|
ef1f48 |
- self.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, reqcert)
|
|
|
ef1f48 |
- self.log.debug("Using certificate policy %s", reqcert)
|
|
|
ef1f48 |
- self.log.debug("ldap.OPT_X_TLS_REQUIRE_CERT = %s", reqcert)
|
|
|
ef1f48 |
+ if reqcert is not None:
|
|
|
ef1f48 |
+ self.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, reqcert)
|
|
|
ef1f48 |
+ self.log.debug("Using lib389 certificate policy %s", reqcert)
|
|
|
ef1f48 |
+ else:
|
|
|
ef1f48 |
+ self.log.debug("Using /etc/openldap/ldap.conf certificate policy")
|
|
|
ef1f48 |
+ self.log.debug("ldap.OPT_X_TLS_REQUIRE_CERT = %s", self.get_option(ldap.OPT_X_TLS_REQUIRE_CERT))
|
|
|
ef1f48 |
except ldap.LDAPError as e:
|
|
|
ef1f48 |
self.log.fatal('TLS negotiation failed: %s', e)
|
|
|
ef1f48 |
raise e
|
|
|
ef1f48 |
diff --git a/src/lib389/lib389/cli_base/dsrc.py b/src/lib389/lib389/cli_base/dsrc.py
|
|
|
3280a9 |
index fec18a5f9..9b09ea568 100644
|
|
|
ef1f48 |
--- a/src/lib389/lib389/cli_base/dsrc.py
|
|
|
ef1f48 |
+++ b/src/lib389/lib389/cli_base/dsrc.py
|
|
|
ef1f48 |
@@ -45,7 +45,7 @@ def dsrc_arg_concat(args, dsrc_inst):
|
|
|
ef1f48 |
'tls_cacertdir': None,
|
|
|
ef1f48 |
'tls_cert': None,
|
|
|
ef1f48 |
'tls_key': None,
|
|
|
ef1f48 |
- 'tls_reqcert': ldap.OPT_X_TLS_HARD,
|
|
|
ef1f48 |
+ 'tls_reqcert': None,
|
|
|
ef1f48 |
'starttls': args.starttls,
|
|
|
ef1f48 |
'prompt': False,
|
|
|
ef1f48 |
'pwdfile': None,
|
|
|
3280a9 |
@@ -134,7 +134,7 @@ def dsrc_to_ldap(path, instance_name, log):
|
|
|
ef1f48 |
dsrc_inst['binddn'] = config.get(instance_name, 'binddn', fallback=None)
|
|
|
ef1f48 |
dsrc_inst['saslmech'] = config.get(instance_name, 'saslmech', fallback=None)
|
|
|
ef1f48 |
if dsrc_inst['saslmech'] is not None and dsrc_inst['saslmech'] not in ['EXTERNAL', 'PLAIN']:
|
|
|
ef1f48 |
- raise Exception("%s [%s] saslmech must be one of EXTERNAL or PLAIN" % (path, instance_name))
|
|
|
ef1f48 |
+ raise ValueError("%s [%s] saslmech must be one of EXTERNAL or PLAIN" % (path, instance_name))
|
|
|
ef1f48 |
|
|
|
ef1f48 |
dsrc_inst['tls_cacertdir'] = config.get(instance_name, 'tls_cacertdir', fallback=None)
|
|
|
3280a9 |
# At this point, we should check if the provided cacertdir is indeed, a dir. This can be a cause
|
|
|
3280a9 |
@@ -145,16 +145,18 @@ def dsrc_to_ldap(path, instance_name, log):
|
|
|
3280a9 |
|
|
|
ef1f48 |
dsrc_inst['tls_cert'] = config.get(instance_name, 'tls_cert', fallback=None)
|
|
|
ef1f48 |
dsrc_inst['tls_key'] = config.get(instance_name, 'tls_key', fallback=None)
|
|
|
ef1f48 |
- dsrc_inst['tls_reqcert'] = config.get(instance_name, 'tls_reqcert', fallback='hard')
|
|
|
ef1f48 |
- if dsrc_inst['tls_reqcert'] not in ['never', 'allow', 'hard']:
|
|
|
ef1f48 |
- raise Exception("dsrc tls_reqcert value invalid. %s [%s] tls_reqcert should be one of never, allow or hard" % (instance_name,
|
|
|
ef1f48 |
- path))
|
|
|
ef1f48 |
+ dsrc_inst['tls_reqcert'] = config.get(instance_name, 'tls_reqcert', fallback=None)
|
|
|
ef1f48 |
if dsrc_inst['tls_reqcert'] == 'never':
|
|
|
ef1f48 |
dsrc_inst['tls_reqcert'] = ldap.OPT_X_TLS_NEVER
|
|
|
ef1f48 |
elif dsrc_inst['tls_reqcert'] == 'allow':
|
|
|
ef1f48 |
dsrc_inst['tls_reqcert'] = ldap.OPT_X_TLS_ALLOW
|
|
|
ef1f48 |
- else:
|
|
|
ef1f48 |
+ elif dsrc_inst['tls_reqcert'] == 'hard':
|
|
|
ef1f48 |
dsrc_inst['tls_reqcert'] = ldap.OPT_X_TLS_HARD
|
|
|
ef1f48 |
+ elif dsrc_inst['tls_reqcert'] is None:
|
|
|
ef1f48 |
+ # Use system value
|
|
|
ef1f48 |
+ pass
|
|
|
ef1f48 |
+ else:
|
|
|
ef1f48 |
+ raise ValueError("dsrc tls_reqcert value invalid. %s [%s] tls_reqcert should be one of never, allow or hard" % (instance_name, path))
|
|
|
ef1f48 |
dsrc_inst['starttls'] = config.getboolean(instance_name, 'starttls', fallback=False)
|
|
|
ef1f48 |
dsrc_inst['pwdfile'] = None
|
|
|
ef1f48 |
dsrc_inst['prompt'] = False
|
|
|
ef1f48 |
--
|
|
|
ef1f48 |
2.26.2
|
|
|
ef1f48 |
|