From 8e207fd33d524f5cde2dfd8a41a08926a328a92b Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 13 Aug 2019 17:22:01 +0200
Subject: [PATCH] Allow insecure binds for migration
Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.
Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
ipapython/ipaldap.py | 8 +++++---
ipaserver/plugins/migration.py | 9 ++++-----
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 9ff443fe4f..f40858e27f 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1206,12 +1206,14 @@ def _connect(self):
return conn
def simple_bind(self, bind_dn, bind_password, server_controls=None,
- client_controls=None):
+ client_controls=None, insecure_bind=False):
"""
Perform simple bind operation.
"""
- if self.protocol == 'ldap' and not self._start_tls and bind_password:
- # non-empty bind must use a secure connection
+ if (self.protocol == 'ldap' and not self._start_tls and
+ bind_password and not insecure_bind):
+ # non-empty bind must use a secure connection unless
+ # insecure bind is explicitly enabled
raise ValueError('simple_bind over insecure LDAP connection')
with self.error_handler():
self._flush_schema()
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index d0ca8369ae..b025c46cc5 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -901,20 +901,19 @@ def execute(self, ldapuri, bindpw, **options):
return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS
- cacert = None
if options.get('cacertfile') is not None:
# store CA cert into file
tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
cacert = tmp_ca_cert_f.name
- # start TLS connection
- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ # start TLS connection or STARTTLS
+ ds_ldap = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
ds_ldap.simple_bind(options['binddn'], bindpw)
tmp_ca_cert_f.close()
else:
- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
- ds_ldap.simple_bind(options['binddn'], bindpw)
+ ds_ldap = LDAPClient(ldapuri)
+ ds_ldap.simple_bind(options['binddn'], bindpw, insecure_bind=True)
# check whether the compat plugin is enabled
if not options.get('compat'):