From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 1 May 2019 21:25:31 +0300
Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"

This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
---
 install/share/Makefile.am       |  1 -
 install/share/min-ssf.ldif      | 14 --------------
 ipalib/constants.py             |  3 ---
 ipapython/ipaldap.py            | 17 ++---------------
 ipaserver/install/dsinstance.py |  5 -----
 5 files changed, 2 insertions(+), 38 deletions(-)
 delete mode 100644 install/share/min-ssf.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index be83bdf75..8d039d95c 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -94,7 +94,6 @@ dist_app_DATA =				\
 	ipa-kdc-proxy.conf.template	\
 	ipa-pki-proxy.conf.template	\
 	ipa-rewrite.conf.template	\
-	min-ssf.ldif			\
 	ipaca_default.ini		\
 	ipaca_customize.ini		\
 	ipaca_softhsm2.ini		\
diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
deleted file mode 100644
index 1c2566f84..000000000
--- a/install/share/min-ssf.ldif
+++ /dev/null
@@ -1,14 +0,0 @@
-# config
-# pretend SSF for LDAPI connections
-# nsslapd-localssf must be equal to or greater than nsslapd-minssf
-dn: cn=config
-changetype: modify
-replace: nsslapd-localssf
-nsslapd-localssf: 256
-
-# minimum security strength factor for SASL and TLS
-# 56 is considered weak, but some old clients announce wrong SSF.
-dn: cn=config
-changetype: modify
-replace: nsslapd-minssf
-nsslapd-minssf: 56
diff --git a/ipalib/constants.py b/ipalib/constants.py
index bcf6f3373..c22dd26ae 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -311,9 +311,6 @@ TLS_VERSIONS = [
 ]
 TLS_VERSION_MINIMAL = "tls1.0"
 
-# minimum SASL secure strength factor for LDAP connections
-# 56 provides backwards compatibility with old libraries.
-LDAP_SSF_MIN_THRESHOLD = 56
 
 # Use cache path
 USER_CACHE_PATH = (
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index d9d67be1d..9ff443fe4 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -43,9 +43,7 @@ import six
 
 # pylint: disable=ipa-forbidden-import
 from ipalib import errors, x509, _
-from ipalib.constants import (
-    LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
-)
+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
 # pylint: enable=ipa-forbidden-import
 from ipaplatform.paths import paths
 from ipapython.ipautil import format_netloc, CIDict
@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
     return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
 
 
-def ldap_initialize(uri, cacertfile=None,
-                    ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
+def ldap_initialize(uri, cacertfile=None):
     """Wrapper around ldap.initialize()
 
     The function undoes global and local ldap.conf settings that may cause
@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
       locations, also known as system-wide trust store.
     * Cert validation is enforced.
     * SSLv2 and SSLv3 are disabled.
-    * Require a minimum SASL security factor of 56. That level ensures
-      data integrity and confidentiality. Although at least AES128 is
-      enforced pretty much everywhere, 56 is required for backwards
-      compatibility with systems that announce wrong SSF.
     """
     conn = ldap.initialize(uri)
 
@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
     conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
 
     if not uri.startswith('ldapi://'):
-        # require a minimum SSF for TCP connections, but don't lower SSF_MIN
-        # if the current value is already larger.
-        cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
-        if cur_min_ssf < ssf_min_threshold:
-            conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
-
         if cacertfile:
             if not os.path.isfile(cacertfile):
                 raise IOError(errno.ENOENT, cacertfile)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 8240e3043..9f05db1db 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -324,8 +324,6 @@ class DsInstance(service.Service):
         else:
             self.step("importing CA certificates from LDAP",
                       self.__import_ca_certs)
-        # set min SSF after DS is configured for TLS
-        self.step("require minimal SSF", self.__min_ssf)
         self.step("restarting directory server", self.__restart_instance)
 
         self.start_creation()
@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
             dm_password=self.dm_password
         )
 
-    def __min_ssf(self):
-        self._ldap_mod("min-ssf.ldif")
-
     def __add_sudo_binduser(self):
         self._ldap_mod("sudobind.ldif", self.sub_dict)
 
-- 
2.21.0