From 8e207fd33d524f5cde2dfd8a41a08926a328a92b Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 13 Aug 2019 17:22:01 +0200
Subject: [PATCH] Allow insecure binds for migration
Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.
Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
ipapython/ipaldap.py | 8 +++++
ipaserver/plugins/migration.py | 9 ++++
2 files changed, 9 insertions(+), 8 deletions(-)
diff
index 9ff443fe4f..f40858e27f 100644
@@ -1206,12 +1206,14 @@ def _connect(self):
return conn
def simple_bind(self, bind_dn, bind_password, server_controls=None,
- client_controls=None):
+ client_controls=None, insecure_bind=False):
"""
Perform simple bind operation.
"""
- if self.protocol == 'ldap' and not self._start_tls and bind_password:
-
+ if (self.protocol == 'ldap' and not self._start_tls and
+ bind_password and not insecure_bind):
+
+
raise ValueError('simple_bind over insecure LDAP connection')
with self.error_handler():
self._flush_schema()
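Review bot: The new `insecure_bind` parameter is not described in the docstring just above the changed condition, and neither is the ValueError that it controls; since the flag deliberately permits sending a non-empty bind password over a plaintext ldap:// connection, that contract needs to be stated at the call site's documentation. I would extend the docstring with `:param insecure_bind: allow a non-empty password bind over plain LDAP without STARTTLS (the password is sent in cleartext)` and `:raises ValueError: bind_password is set, the connection is plain ldap:// without STARTTLS, and insecure_bind is False`. Consider also making the flag keyword-only (`client_controls=None, *, insecure_bind=False`) if the module is Python 3-only, so a stray positional argument cannot silently disable the check, and emitting a warning through the module logger when the insecure path is actually taken so the cleartext bind is visible in the server log. The body of simple_bind continues past the end of the hunk.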
diff
index d0ca8369ae..b025c46cc5 100644
@@ -901,20 +901,19 @@ def execute(self, ldapuri, bindpw, **options):
return dict(result={}, failed={}, enabled=False, compat=True)
- cacert = None
if options.get('cacertfile') is not None:
tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
cacert = tmp_ca_cert_f.name
-
- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+
+ ds_ldap = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
ds_ldap.simple_bind(options['binddn'], bindpw)
tmp_ca_cert_f.close()
else:
- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
- ds_ldap.simple_bind(options['binddn'], bindpw)
+ ds_ldap = LDAPClient(ldapuri)
+ ds_ldap.simple_bind(options['binddn'], bindpw, insecure_bind=True)
if not options.get('compat'):
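Review bot: In the new `else` branch, `ds_ldap.simple_bind(options['binddn'], bindpw, insecure_bind=True)` sends the migration bind password in cleartext whenever `ldapuri` is a plain ldap:// URI and no CA certificate was given, and nothing records that this happened; the branch should at least emit a warning through the module logger, e.g. `logger.warning("migrate-ds: no CA certificate given, binding to %s without TLS", ldapuri)` (assuming `logger` is defined in this module as in the other plugins), so the cleartext bind is visible in the server log. Separately, `start_tls=True` is now passed unconditionally in the cacert branch; unless `LDAPClient._connect` itself skips STARTTLS for an ldaps:// URI, a caller supplying both an ldaps:// URI and a CA file would get a STARTTLS attempt on an already-encrypted session, so it is worth confirming that guard or conditioning the flag on the URI scheme. The unchanged `tmp_ca_cert_f.close()` still runs only on the success path, so a bind that raises leaves the temporary CA file on disk until garbage collection; a `try/finally` around the bind would close it regardless. `execute` continues past the end of the hunk.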