From ae247ae2ad87858741d64341633cd4e74f72e873 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 30 Oct 2020 13:28:52 +0100

Subject: [PATCH 3/6] service: add ldaps support when using adcli

Call adcli with the --use-ldaps option if the realmd service is

requested to do so.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964

---

 service/realm-adcli-enroll.c | 10 ++++++++++

 service/realm-adcli-enroll.h |  2 ++

 service/realm-samba.c        | 11 +++++++++--

 service/realm-sssd-ad.c      | 27 ++++++++++++++++++++++++++-

 4 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c

index 05947fa..2731283 100644

--- a/service/realm-adcli-enroll.c

+++ b/service/realm-adcli-enroll.c

@@ -68,6 +68,7 @@ void

 realm_adcli_enroll_join_async (RealmDisco *disco,

                                RealmCredential *cred,

                                GVariant *options,

+                               gboolean use_ldaps,

                                GDBusMethodInvocation *invocation,

                                GAsyncReadyCallback callback,

                                gpointer user_data)

@@ -102,6 +103,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco,

 	g_ptr_array_add (args, "--domain-realm");

 	g_ptr_array_add (args, (gpointer)disco->kerberos_realm);

+	if (use_ldaps) {

+		g_ptr_array_add (args, "--use-ldaps");

+	}

+

 	if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {

 		address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));

 		server_arg = g_inet_address_to_string (address);

@@ -218,6 +223,7 @@ void

 realm_adcli_enroll_delete_async (RealmDisco *disco,

                                  RealmCredential *cred,

                                  GVariant *options,

+                                 gboolean use_ldaps,

                                  GDBusMethodInvocation *invocation,

                                  GAsyncReadyCallback callback,

                                  gpointer user_data)

@@ -246,6 +252,10 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,

 	g_ptr_array_add (args, "--domain-realm");

 	g_ptr_array_add (args, (gpointer)disco->kerberos_realm);

+	if (use_ldaps) {

+		g_ptr_array_add (args, "--use-ldaps");

+	}

+

 	if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {

 		address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));

 		server_arg = g_inet_address_to_string (address);

diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h

index 855b2f7..3f535d0 100644

--- a/service/realm-adcli-enroll.h

+++ b/service/realm-adcli-enroll.h

@@ -29,6 +29,7 @@ G_BEGIN_DECLS

 void         realm_adcli_enroll_join_async    (RealmDisco *disco,

                                                RealmCredential *cred,

                                                GVariant *options,

+                                               gboolean use_ldaps,

                                                GDBusMethodInvocation *invocation,

                                                GAsyncReadyCallback callback,

                                                gpointer user_data);

@@ -39,6 +40,7 @@ gboolean     realm_adcli_enroll_join_finish   (GAsyncResult *result,

 void         realm_adcli_enroll_delete_async  (RealmDisco *disco,

                                                RealmCredential *cred,

                                                GVariant *options,

+                                               gboolean use_ldaps,

                                                GDBusMethodInvocation *invocation,

                                                GAsyncReadyCallback callback,

                                                gpointer user_data);

diff --git a/service/realm-samba.c b/service/realm-samba.c

index e7b80a0..7aa5416 100644

--- a/service/realm-samba.c

+++ b/service/realm-samba.c

@@ -257,7 +257,8 @@ on_install_do_join (GObject *source,

 }

 static gboolean

-validate_membership_options (GVariant *options,

+validate_membership_options (EnrollClosure *enroll,

+                             GVariant *options,

                              GError **error)

 {

 	const gchar *software;

@@ -271,6 +272,12 @@ validate_membership_options (GVariant *options,

 		}

 	}

+	if (realm_option_use_ldaps (options)) {

+		realm_diagnostics_info (enroll->invocation,

+		                        "Membership software %s does "

+		                        "not support ldaps, trying without.",

+		                        software);

+	}

 	return TRUE;

 }

@@ -303,7 +310,7 @@ realm_samba_join_async (RealmKerberosMembership *membership,

 		g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_ALREADY_CONFIGURED,

 		                         _("Already joined to a domain"));

-	} else if (!validate_membership_options (options, &error)) {

+	} else if (!validate_membership_options (enroll, options, &error)) {

 		g_task_return_error (task, error);

 	} else {

diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c

index 6b2f9f8..00a9093 100644

--- a/service/realm-sssd-ad.c

+++ b/service/realm-sssd-ad.c

@@ -98,6 +98,7 @@ typedef struct {

 	GVariant *options;

 	RealmDisco *disco;

 	gboolean use_adcli;

+	gboolean use_ldaps;

 	const gchar **packages;

 } JoinClosure;

@@ -294,6 +295,7 @@ on_install_do_join (GObject *source,

 			realm_adcli_enroll_join_async (join->disco,

 			                               join->cred,

 			                               join->options,

+			                               join->use_ldaps,

 			                               join->invocation,

 			                               on_join_do_sssd,

 			                               g_object_ref (task));

@@ -347,6 +349,19 @@ parse_join_options (JoinClosure *join,

 			return FALSE;

 		}

+	/*

+	 * Check if ldaps should be used and if membership software supports

+	 * it.

+	 */

+	join->use_ldaps = realm_option_use_ldaps (options);

+	if (join->use_ldaps &&

+	           g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {

+		realm_diagnostics_info (join->invocation,

+		                        "Membership software %s does "

+		                        "not support ldaps, trying "

+		                        "without.", software);

+	}

+

 	/*

 	 * If we are enrolling with a user password, then we have to use samba,

 	 * adcli only supports admin passwords.

@@ -523,6 +538,7 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,

 	GTask *task;

 	LeaveClosure *leave;

 	gchar *tags;

+	gboolean use_ldaps = FALSE;

 	task = g_task_new (self, NULL, callback, user_data);

@@ -551,10 +567,19 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,

 		leave->invocation = g_object_ref (invocation);

 		leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? TRUE : FALSE;

 		g_task_set_task_data (task, leave, leave_closure_free);

+

+		use_ldaps = realm_option_use_ldaps (options);

 		if (leave->use_adcli) {

-			realm_adcli_enroll_delete_async (disco, cred, options, invocation,

+			realm_adcli_enroll_delete_async (disco, cred, options,

+			                                 use_ldaps,  invocation,

 			                                 on_leave_do_deconfigure, g_object_ref (task));

 		} else {

+			if (use_ldaps) {

+				realm_diagnostics_info (leave->invocation,

+				                        "Membership software does "

+				                        "not support ldaps, trying "

+				                        "without.");

+			}

 			realm_samba_enroll_leave_async (disco, cred, options, invocation,

 			                                on_leave_do_deconfigure, g_object_ref (task));

 		}

-- 

2.26.2