From 13f302652f6069490dfde41dd33e5aaa17efa5e7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 17:22:13 +0100
Subject: [PATCH 5/6] tools: add --use-ldaps option for discover, join and
leave
Add --use-ldaps option to the realm command to be able to ask the realmd
service to use ldaps where possible.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
doc/manual/realm.xml | 34 ++++++++++++++++++++++++++++++++++
doc/manual/realmd.conf.xml | 21 +++++++++++++++++++++
tools/realm-client.c | 2 ++
tools/realm-client.h | 1 +
tools/realm-discover.c | 7 ++++++-
tools/realm-join.c | 6 +++++-
tools/realm-leave.c | 15 +++++++++++----
7 files changed, 80 insertions(+), 6 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index e5d4608..01af62e 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -134,6 +134,11 @@ $ realm discover domain.example.com
Possible values include <replaceable>samba</replaceable> or
<replaceable>adcli</replaceable>. </para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -276,6 +281,30 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
principal besides the AD default user principal can be
set.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>Use the ldaps port when connecting to AD
+ where possible. In general this option is not needed
+ because <command>realmd</command> itself only read
+ public information from the Active Directory domain
+ controller which is available anonymously. The
+ supported membership software products will use
+ encrypted connections protected with GSS-SPNEGO/GSSAPI
+ which offers a comparable level of security than ldaps.
+ This option is only needed if the standard LDAP port
+ (389/tcp) is blocked by a firewall and only the LDAPS
+ port (636/tcp) is available.</para>
+
+ <para>If this option is set to
+ <parameter>yes</parameter> <command>realmd</command>
+ will use the ldaps port when reading the rootDSE and
+ call the <command>adcli</command> membership software
+ with the option <option>--use-ldaps</option>. The Samba
+ base membership currently offers only deprecated ways
+ to enable ldaps. Support will be added in
+ <command>realmd</command> when a new way is available.
+ </para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -326,6 +355,11 @@ $ realm leave domain.example.com
with when leaving the realm. You will be prompted for a
password. Implies <option>--remove</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 97d2e8d..72b706c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -141,6 +141,27 @@ domain.example.com
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>use-ldaps</option></term>
+ <listitem><para>Use the ldaps port when connecting to AD where possible.
+ In general this option is not needed because <command>realmd</command>
+ itself only read public information from the Active Directory domain
+ controller which is available anonymously. The supported membership
+ software products will use encrypted connections protected with
+ GSS-SPNEGO/GSSAPI which offers a comparable level of security than
+ ldaps. This option is only needed if the standard LDAP port (389/tcp)
+ is blocked by a firewall and only the LDAPS port (636/tcp) is
+ available.</para>
+
+ <para>If this option is set to <parameter>yes</parameter>
+ <command>realmd</command> will use the ldaps port when reading the
+ rootDSE and call the <command>adcli</command> membership software with
+ the option <option>--use-ldaps</option>. The Samba base membership
+ currently offers only deprecated ways to enable ldaps. Support will be
+ added in <command>realmd</command> when a new way is available.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>os-name</option></term>
<listitem><para>(see below)</para></listitem>
diff --git a/tools/realm-client.c b/tools/realm-client.c
index 2f102db..c386e64 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -353,6 +353,7 @@ realm_client_get_provider (RealmClient *self)
GList *
realm_client_discover (RealmClient *self,
const gchar *string,
+ gboolean use_ldaps,
const gchar *client_software,
const gchar *server_software,
const gchar *membership_software,
@@ -381,6 +382,7 @@ realm_client_discover (RealmClient *self,
options = realm_build_options (REALM_DBUS_OPTION_CLIENT_SOFTWARE, client_software,
REALM_DBUS_OPTION_SERVER_SOFTWARE, server_software,
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, membership_software,
+ REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
NULL);
/* Start actual operation */
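Review bot: The D-Bus wire encoding of the new flag, `use_ldaps ? "True" : "False"`, is open-coded in this realm_build_options call and repeated verbatim in realm-join.c (the REALM_DBUS_OPTION_USE_LDAPS line in perform_join) and realm-leave.c (perform_user_leave). Putting it behind one helper declared in realm-client.h, e.g. `REALM_DBUS_OPTION_USE_LDAPS, realm_client_bool_option (use_ldaps),`, with a short comment that the service is presumably expected to parse exactly these two strings, keeps the encoding realmd depends on in a single place and stops the three copies drifting apart. realm_client_discover begins and ends outside the hunk.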
diff --git a/tools/realm-client.h b/tools/realm-client.h
index 5ecf2de..e9e50cd 100644
--- a/tools/realm-client.h
+++ b/tools/realm-client.h
@@ -40,6 +40,7 @@ RealmDbusProvider * realm_client_get_provider (RealmClien
GList * realm_client_discover (RealmClient *self,
const gchar *string,
+ gboolean use_ldaps,
const gchar *client_software,
const gchar *server_software,
const gchar *membership_software,
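Review bot: The new `use_ldaps` parameter is the only non-string argument in this public prototype and the header gives no hint what it selects or how it reaches the service. A one-line comment on the declaration would save callers a trip into realm-client.c, e.g. `/* use_ldaps: ask realmd to prefer the LDAPS port where possible; sent as REALM_DBUS_OPTION_USE_LDAPS */`. The rest of the realm_client_discover declaration continues outside the hunk.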
diff --git a/tools/realm-discover.c b/tools/realm-discover.c
index 8dde4ed..c0acd79 100644
--- a/tools/realm-discover.c
+++ b/tools/realm-discover.c
@@ -116,6 +116,7 @@ perform_discover (RealmClient *client,
const gchar *string,
gboolean all,
gboolean name_only,
+ gboolean use_ldaps,
const gchar *server_software,
const gchar *client_software,
const gchar *membership_software)
@@ -127,7 +128,7 @@ perform_discover (RealmClient *client,
GList *realms;
GList *l;
- realms = realm_client_discover (client, string, client_software,
+ realms = realm_client_discover (client, string, use_ldaps, client_software,
server_software, membership_software,
REALM_DBUS_REALM_INTERFACE, NULL, &error);
@@ -173,6 +174,7 @@ realm_discover (RealmClient *client,
GError *error = NULL;
gboolean arg_all = FALSE;
gboolean arg_name_only = FALSE;
+ gboolean arg_use_ldaps = FALSE;
gint result = 0;
gint ret;
gint i;
@@ -183,6 +185,7 @@ realm_discover (RealmClient *client,
{ "client-software", 0, 0, G_OPTION_ARG_STRING, &arg_client_software, N_("Use specific client software"), NULL },
{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &arg_membership_software, N_("Use specific membership software"), NULL },
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
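Review bot: The help text `N_("Use ldaps to connect to LDAP")` on the new option entry is the same literal in the realm-join.c and realm-leave.c option tables of this patch, and it says less than the manual, which presents the flag as a fallback for when the plain LDAP port is blocked. Aligning the three strings on wording such as `N_("Use the LDAPS port (636/tcp) instead of LDAP where possible")` tells a user when the flag matters without opening the man page. The option table begins outside the hunk.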
@@ -200,6 +203,7 @@ realm_discover (RealmClient *client,
} else if (argc == 1) {
result = perform_discover (client, NULL, arg_all,
arg_name_only,
+ arg_use_ldaps,
arg_server_software,
arg_client_software,
arg_membership_software);
@@ -209,6 +213,7 @@ realm_discover (RealmClient *client,
for (i = 1; i < argc; i++) {
ret = perform_discover (client, argv[i], arg_all,
arg_name_only,
+ arg_use_ldaps,
arg_server_software,
arg_client_software,
arg_membership_software);
diff --git a/tools/realm-join.c b/tools/realm-join.c
index 249f502..dbe6197 100644
--- a/tools/realm-join.c
+++ b/tools/realm-join.c
@@ -179,6 +179,7 @@ typedef struct {
gchar *user_principal;
gboolean automatic_id_mapping_set;
gboolean automatic_id_mapping;
+ gboolean use_ldaps;
} RealmJoinArgs;
static void
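Review bot: The new `use_ldaps` field is read unconditionally in perform_join (`args->use_ldaps ? "True" : "False"`), but a G_OPTION_ARG_NONE entry only writes its gboolean when the flag is present on the command line, so the field's default comes from however `args` is initialized, which is outside this hunk. If the RealmJoinArgs instance is zero-initialized or memset before parsing this is fine; if not, the option would be sent with an indeterminate value. A `= { 0 }` initializer at the declaration, or a comment there stating that every field starts as FALSE/NULL, would settle the question for the next field added. The RealmJoinArgs typedef begins outside the hunk.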
@@ -218,7 +219,7 @@ perform_join (RealmClient *client,
GList *realms;
gint ret;
- realms = realm_client_discover (client, string, args->client_software,
+ realms = realm_client_discover (client, string, args->use_ldaps, args->client_software,
args->server_software, args->membership_software,
REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE,
&had_mismatched, &error);
@@ -247,6 +248,7 @@ perform_join (RealmClient *client,
REALM_DBUS_OPTION_OS_VERSION, args->os_version,
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal,
+ REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
args->automatic_id_mapping_set ?
REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING : NULL,
args->automatic_id_mapping,
@@ -310,6 +312,8 @@ realm_join (RealmClient *client,
N_("User name to use for enrollment"), NULL },
{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
N_("Set the user principal for the computer account"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
+ N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
diff --git a/tools/realm-leave.c b/tools/realm-leave.c
index 45a9c46..c88a110 100644
--- a/tools/realm-leave.c
+++ b/tools/realm-leave.c
@@ -185,6 +185,7 @@ perform_deconfigure (RealmClient *client,
static int
perform_user_leave (RealmClient *client,
+ gboolean use_ldaps,
RealmDbusKerberosMembership *membership,
const gchar *user_name)
{
@@ -201,7 +202,8 @@ perform_user_leave (RealmClient *client,
return 1;
}
- options = realm_build_options(NULL, NULL);
+ options = realm_build_options (REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
+ NULL);
ret = call_leave (membership, credentials, options, &error);
if (error != NULL)
@@ -213,6 +215,7 @@ perform_user_leave (RealmClient *client,
static int
perform_leave (RealmClient *client,
const gchar *realm_name,
+ gboolean use_ldaps,
gboolean remove,
const gchar *user_name,
const gchar *client_software,
@@ -239,7 +242,8 @@ perform_leave (RealmClient *client,
if (!remove)
ret = perform_deconfigure (client, realm);
else
- ret = perform_user_leave (client, membership, user_name);
+ ret = perform_user_leave (client, use_ldaps, membership,
+ user_name);
g_object_unref (membership);
g_object_unref (realm);
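Review bot: `use_ldaps` is forwarded only on the `perform_user_leave` branch; the `perform_deconfigure (client, realm)` call on the `!remove` path does not receive it, so `realm leave --use-ldaps` without `--remove` or `--user` has no effect. If that is intentional (presumably deconfigure never talks to the domain controller, which is worth confirming), the leave man page entry, which currently only cross-references the join description, should say so, e.g. `Only effective together with --remove or --user.`; otherwise the flag should be threaded through to perform_deconfigure as well. perform_leave begins and ends outside the hunk.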
@@ -259,6 +263,7 @@ realm_leave (RealmClient *client,
gchar *arg_server_software = NULL;
GError *error = NULL;
const gchar *realm_name;
+ gboolean arg_use_ldaps = FALSE;
gint ret = 0;
GOptionEntry option_entries[] = {
@@ -268,6 +273,7 @@ realm_leave (RealmClient *client,
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software,
N_("Use specific server software"), NULL },
{ "user", 'U', 0, G_OPTION_ARG_STRING, &arg_user, N_("User name to use for removal"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
@@ -283,8 +289,9 @@ realm_leave (RealmClient *client,
} else {
realm_name = argc < 2 ? NULL : argv[1];
- ret = perform_leave (client, realm_name, arg_remove, arg_user,
- arg_client_software, arg_server_software);
+ ret = perform_leave (client, realm_name, arg_use_ldaps,
+ arg_remove, arg_user, arg_client_software,
+ arg_server_software);
}
g_free (arg_user);
--
2.26.2