|
 |
cd9052 |
From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001
|
|
|
cd9052 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
cd9052 |
Date: Fri, 3 Jul 2020 17:18:27 +0200
|
|
|
cd9052 |
Subject: [PATCH] Use startTLS with FreeIPA
|
|
|
cd9052 |
|
|
|
cd9052 |
FreeIPA is planning to required a minimal security strength factor (ssf)
|
|
|
cd9052 |
in an upcoming version. This basically means that communication should
|
|
|
cd9052 |
be encrypted. The most straight forward way is use TLS by doing a
|
|
|
cd9052 |
StartLS operation after the rootDSE lookup. Since FreeIPA supports TLS
|
|
|
cd9052 |
since the initial release we will call StartTLS unconditionally but try
|
|
|
cd9052 |
without if it fails.
|
|
|
cd9052 |
|
|
|
cd9052 |
Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
|
|
|
cd9052 |
---
|
|
|
cd9052 |
service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++
|
|
|
cd9052 |
service/realm-ldap.c | 4 +++-
|
|
|
cd9052 |
2 files changed, 26 insertions(+), 1 deletion(-)
|
|
|
cd9052 |
|
|
|
cd9052 |
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
|
|
|
cd9052 |
index 3100650..7614071 100644
|
|
|
cd9052 |
--- a/service/realm-disco-rootdse.c
|
|
|
cd9052 |
+++ b/service/realm-disco-rootdse.c
|
|
|
cd9052 |
@@ -226,10 +226,33 @@ request_domain_info (GTask *task,
|
|
|
cd9052 |
LDAP *ldap)
|
|
|
cd9052 |
{
|
|
|
cd9052 |
const char *attrs[] = { "info", "associatedDomain", NULL };
|
|
|
cd9052 |
+ int ret;
|
|
|
cd9052 |
+ int ldap_opt_val;
|
|
|
cd9052 |
|
|
|
cd9052 |
clo->request = NULL;
|
|
|
cd9052 |
clo->result = result_domain_info;
|
|
|
cd9052 |
|
|
|
cd9052 |
+ /* Trying to setup a TLS tunnel in the case the IPA server requires an
|
|
|
cd9052 |
+ * encrypted connected. Trying without in case of an error. Since we
|
|
|
cd9052 |
+ * most probably do not have the IPA CA certificate we will not check
|
|
|
cd9052 |
+ * the server certificate. */
|
|
|
cd9052 |
+ ldap_opt_val = LDAP_OPT_X_TLS_NEVER;
|
|
|
cd9052 |
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val);
|
|
|
cd9052 |
+ if (ret != LDAP_OPT_SUCCESS) {
|
|
|
cd9052 |
+ g_debug ("Failed to disable certificate checking, trying without");
|
|
|
cd9052 |
+ }
|
|
|
cd9052 |
+
|
|
|
cd9052 |
+ ldap_opt_val = 0;
|
|
|
cd9052 |
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val);
|
|
|
cd9052 |
+ if (ret != LDAP_OPT_SUCCESS) {
|
|
|
cd9052 |
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
|
|
|
cd9052 |
+ }
|
|
|
cd9052 |
+
|
|
|
cd9052 |
+ ret = ldap_start_tls_s (ldap, NULL, NULL);
|
|
|
cd9052 |
+ if (ret != LDAP_SUCCESS) {
|
|
|
cd9052 |
+ g_debug ("Failed to setup TLS tunnel, trying without");
|
|
|
cd9052 |
+ }
|
|
|
cd9052 |
+
|
|
|
cd9052 |
return search_ldap (task, clo, ldap, clo->default_naming_context,
|
|
|
cd9052 |
LDAP_SCOPE_BASE, NULL, attrs);
|
|
|
cd9052 |
}
|
|
|
cd9052 |
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
|
|
cd9052 |
index 59817fb..7831b5b 100644
|
|
|
cd9052 |
--- a/service/realm-ldap.c
|
|
|
cd9052 |
+++ b/service/realm-ldap.c
|
|
|
cd9052 |
@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
|
|
cd9052 |
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
|
|
|
cd9052 |
g_warning ("couldn't set to blocking");
|
|
|
cd9052 |
|
|
|
cd9052 |
- rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap);
|
|
|
cd9052 |
+ url = g_strdup_printf ("ldap://%s:%d", addrname, port);
|
|
|
cd9052 |
+ rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
|
|
|
cd9052 |
+ g_free (url);
|
|
|
cd9052 |
|
|
|
cd9052 |
g_free (native);
|
|
|
cd9052 |
|
|
|
cd9052 |
--
|
|
|
cd9052 |
2.26.2
|
|
|
cd9052 |
|