
From 3e4c42094c9660c710f544e31c49ff38180c7675 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 2 Dec 2020 10:10:37 +0100
Subject: [PATCH 3/3] service: make TLS check more releaxed
Since realmd is most often the first application called to discover a
domain, we do not require a strict certificate check when using the ldaps
port to connect to a domain controller.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
 doc/manual/realm.xml |  8 +++++++-
 service/realm-ldap.c | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
3eb28c
index 01af62e..d7d8e5e 100644
3eb28c
--- a/doc/manual/realm.xml
3eb28c
+++ b/doc/manual/realm.xml
3eb28c
@@ -293,7 +293,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
3eb28c
 			which offers a comparable level of security than ldaps.
3eb28c
 			This option is only needed if the standard LDAP port
3eb28c
 			(389/tcp) is blocked by a firewall and only the LDAPS
3eb28c
-			port (636/tcp) is available.</para>
3eb28c
+			port (636/tcp) is available. Given that and to lower
3eb28c
+			the initial effort to discover a remote domain
3eb28c
+			<command>realmd</command> does not require a strict
3eb28c
+			certificate check. If the validation of the LDAP server
3eb28c
+			certificate fails <command>realmd</command> will
3eb28c
+			continue to setup the encrypted connection to the LDAP
3eb28c
+			server.</para>
3eb28c
 
3eb28c
 			<para>If this option is set to
3eb28c
 			<parameter>yes</parameter> <command>realmd</command>
3eb28c
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
3eb28c
index e07a299..bdfb96c 100644
3eb28c
--- a/service/realm-ldap.c
3eb28c
+++ b/service/realm-ldap.c
3eb28c
@@ -199,6 +199,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
3eb28c
 	gint port;
3eb28c
 	gchar *url;
3eb28c
 	int rc;
3eb28c
+	int opt_rc;
3eb28c
+	int ldap_opt_val;
3eb28c
+	const char *errmsg = NULL;
3eb28c
 
3eb28c
 	g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
3eb28c
 
3eb28c
@@ -264,9 +267,36 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
3eb28c
 		}
3eb28c
 
3eb28c
 		if (use_ldaps) {
3eb28c
+			/* Since we currently use the IP address in the URI
3eb28c
+			 * the certificate check might fail because in most
3eb28c
+			 * cases the IP address won't be listed in the SANs of
3eb28c
+			 * the LDAP server certificate. We will try to
3eb28c
+			 * continue in this case and not fail. */
3eb28c
+			ldap_opt_val = LDAP_OPT_X_TLS_ALLOW;
3eb28c
+			rc = ldap_set_option (ls->ldap,
3eb28c
+			                       LDAP_OPT_X_TLS_REQUIRE_CERT,
3eb28c
+			                       &ldap_opt_val);
3eb28c
+			if (rc != LDAP_OPT_SUCCESS) {
3eb28c
+				g_debug ("Failed to disable certificate checking, trying without");
3eb28c
+			}
3eb28c
+
3eb28c
+			ldap_opt_val = 0;
3eb28c
+			rc = ldap_set_option (ls->ldap, LDAP_OPT_X_TLS_NEWCTX,
3eb28c
+			                       &ldap_opt_val);
3eb28c
+			if (rc != LDAP_OPT_SUCCESS) {
3eb28c
+				g_debug ("Failed to refresh LDAP context for TLS, trying without");
3eb28c
+			}
3eb28c
+
3eb28c
 			rc = ldap_install_tls (ls->ldap);
3eb28c
 			if (rc != LDAP_SUCCESS) {
3eb28c
-				g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
3eb28c
+				opt_rc = ldap_get_option (ls->ldap,
3eb28c
+				                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
3eb28c
+				                          (void *) &errmsg);
3eb28c
+				if (opt_rc != LDAP_SUCCESS) {
3eb28c
+					errmsg = "- no details -";
3eb28c
+				}
3eb28c
+				g_warning ("ldap_start_tls_s() failed [%s]: %s",
3eb28c
+				           ldap_err2string (rc), errmsg);
3eb28c
 				return NULL;
3eb28c
 			}
3eb28c
 		}
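Review bot: The diagnostic string obtained with `ldap_get_option (ls->ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, ...)` in the ldap_install_tls failure branch is an allocation owned by the caller (OpenLDAP documents that it must be released with ldap_memfree), and it is never freed before `return NULL`, so every failed TLS setup leaks it; a NULL message from a successful call would also reach `%s` unguarded. I would declare it as `char *errmsg = NULL;` in the earlier declarations hunk and write the failure path as `g_warning ("ldap_start_tls_s() failed [%s]: %s", ldap_err2string (rc), errmsg ? errmsg : "- no details -"); if (opt_rc == LDAP_SUCCESS) ldap_memfree (errmsg);`. Separately, the comment justifies LDAP_OPT_X_TLS_ALLOW by the IP-address SAN mismatch alone, but that mode also accepts a certificate from an untrusted issuer or with any other verification failure, which the comment should state so the scope of the relaxation is not underestimated by a later reader. The two g_debug messages say "trying without", although when ldap_set_option fails the stricter default simply stays in effect; `g_debug ("Failed to relax certificate checking, continuing with strict verification");` describes the actual fallback. realm_ldap_connect_anonymous begins and ends outside this hunk.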
3eb28c
-- 
2.28.0