|
|
86624f |
From 3e4c42094c9660c710f544e31c49ff38180c7675 Mon Sep 17 00:00:00 2001
|
|
|
86624f |
From: Sumit Bose <sbose@redhat.com>
|
|
|
86624f |
Date: Wed, 2 Dec 2020 10:10:37 +0100
|
|
|
86624f |
Subject: [PATCH 3/3] service: make TLS check more releaxed
|
|
|
86624f |
|
|
|
86624f |
Since realmd is most often the first application called to discover a
|
|
|
86624f |
domain we do not require a strict certificate check when using the ldaps
|
|
|
86624f |
port to connect to a domain controller.
|
|
|
86624f |
|
|
|
86624f |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
|
|
|
86624f |
---
|
|
|
86624f |
doc/manual/realm.xml | 8 +++++++-
|
|
|
86624f |
service/realm-ldap.c | 32 +++++++++++++++++++++++++++++++-
|
|
|
86624f |
2 files changed, 38 insertions(+), 2 deletions(-)
|
|
|
86624f |
|
|
|
86624f |
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
|
|
|
86624f |
index 01af62e..d7d8e5e 100644
|
|
|
86624f |
--- a/doc/manual/realm.xml
|
|
|
86624f |
+++ b/doc/manual/realm.xml
|
|
|
86624f |
@@ -293,7 +293,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
|
|
|
86624f |
which offers a comparable level of security than ldaps.
|
|
|
86624f |
This option is only needed if the standard LDAP port
|
|
|
86624f |
(389/tcp) is blocked by a firewall and only the LDAPS
|
|
|
86624f |
- port (636/tcp) is available.</para>
|
|
|
86624f |
+ port (636/tcp) is available. Given that and to lower
|
|
|
86624f |
+ the initial effort to discover a remote domain
|
|
|
86624f |
+ <command>realmd</command> does not require a strict
|
|
|
86624f |
+ certificate check. If the validation of the LDAP server
|
|
|
86624f |
+ certificate fails <command>realmd</command> will
|
|
|
86624f |
+ continue to setup the encrypted connection to the LDAP
|
|
|
86624f |
+ server.</para>
|
|
|
86624f |
|
|
|
86624f |
<para>If this option is set to
|
|
|
86624f |
<parameter>yes</parameter> <command>realmd</command>
|
|
|
86624f |
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
|
|
86624f |
index e07a299..bdfb96c 100644
|
|
|
86624f |
--- a/service/realm-ldap.c
|
|
|
86624f |
+++ b/service/realm-ldap.c
|
|
|
86624f |
@@ -199,6 +199,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
|
|
86624f |
gint port;
|
|
|
86624f |
gchar *url;
|
|
|
86624f |
int rc;
|
|
|
86624f |
+ int opt_rc;
|
|
|
86624f |
+ int ldap_opt_val;
|
|
|
86624f |
+ const char *errmsg = NULL;
|
|
|
86624f |
|
|
|
86624f |
g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
|
|
|
86624f |
|
|
|
86624f |
@@ -264,9 +267,36 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
|
|
86624f |
}
|
|
|
86624f |
|
|
|
86624f |
if (use_ldaps) {
|
|
|
86624f |
+ /* Since we currently use the IP address in the URI
|
|
|
86624f |
+ * the certificate check might fail because in most
|
|
|
86624f |
+ * cases the IP address won't be listed in the SANs of
|
|
|
86624f |
+ * the LDAP server certificate. We will try to
|
|
|
86624f |
+ * continue in this case and not fail. */
|
|
|
86624f |
+ ldap_opt_val = LDAP_OPT_X_TLS_ALLOW;
|
|
|
86624f |
+ rc = ldap_set_option (ls->ldap,
|
|
|
86624f |
+ LDAP_OPT_X_TLS_REQUIRE_CERT,
|
|
|
86624f |
+ &ldap_opt_val);
|
|
|
86624f |
+ if (rc != LDAP_OPT_SUCCESS) {
|
|
|
86624f |
+ g_debug ("Failed to disable certificate checking, trying without");
|
|
|
86624f |
+ }
|
|
|
86624f |
+
|
|
|
86624f |
+ ldap_opt_val = 0;
|
|
|
86624f |
+ rc = ldap_set_option (ls->ldap, LDAP_OPT_X_TLS_NEWCTX,
|
|
|
86624f |
+ &ldap_opt_val);
|
|
|
86624f |
+ if (rc != LDAP_OPT_SUCCESS) {
|
|
|
86624f |
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
|
|
|
86624f |
+ }
|
|
|
86624f |
+
|
|
|
86624f |
rc = ldap_install_tls (ls->ldap);
|
|
|
86624f |
if (rc != LDAP_SUCCESS) {
|
|
|
86624f |
- g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
|
|
|
86624f |
+ opt_rc = ldap_get_option (ls->ldap,
|
|
|
86624f |
+ LDAP_OPT_DIAGNOSTIC_MESSAGE,
|
|
|
86624f |
+ (void *) &errmsg);
|
|
|
86624f |
+ if (opt_rc != LDAP_SUCCESS) {
|
|
|
86624f |
+ errmsg = "- no details -";
|
|
|
86624f |
+ }
|
|
|
86624f |
+ g_warning ("ldap_start_tls_s() failed [%s]: %s",
|
|
|
86624f |
+ ldap_err2string (rc), errmsg);
|
|
|
86624f |
return NULL;
|
|
|
86624f |
}
|
|
|
86624f |
}
|
|
|
86624f |
--
|
|
|
86624f |
2.28.0
|
|
|
86624f |
|