From ae247ae2ad87858741d64341633cd4e74f72e873 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 13:28:52 +0100
Subject: [PATCH 3/6] service: add ldaps support when using adcli
Call adcli with the --use-ldaps option if the realmd service is
requested to do so.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
service/realm-adcli-enroll.c | 10 ++++++++++
service/realm-adcli-enroll.h | 2 ++
service/realm-samba.c | 11 +++++++++--
service/realm-sssd-ad.c | 27 ++++++++++++++++++++++++++-
4 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index 05947fa..2731283 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -68,6 +68,7 @@ void
realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -102,6 +103,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
g_ptr_array_add (args, "--domain-realm");
g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
server_arg = g_inet_address_to_string (address);
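Review bot: The `--use-ldaps` argument is appended without any check that the installed adcli understands it; where adcli predates the option it rejects the whole command line and the join fails with a generic argument error rather than a message naming ldaps as the cause. If realmd has no version probe for adcli, at least document the requirement next to the new branch, e.g. `/* --use-ldaps requires an adcli with LDAPS support; older versions reject the option */`, so the failure mode is discoverable. The same addition appears in the realm_adcli_enroll_delete_async hunk further down in this file. realm_adcli_enroll_join_async starts and ends outside the hunk.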
@@ -218,6 +223,7 @@ void
realm_adcli_enroll_delete_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data)
@@ -246,6 +252,10 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
g_ptr_array_add (args, "--domain-realm");
g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
server_arg = g_inet_address_to_string (address);
diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h
index 855b2f7..3f535d0 100644
--- a/service/realm-adcli-enroll.h
+++ b/service/realm-adcli-enroll.h
@@ -29,6 +29,7 @@ G_BEGIN_DECLS
void realm_adcli_enroll_join_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data);
@@ -39,6 +40,7 @@ gboolean realm_adcli_enroll_join_finish (GAsyncResult *result,
void realm_adcli_enroll_delete_async (RealmDisco *disco,
RealmCredential *cred,
GVariant *options,
+ gboolean use_ldaps,
GDBusMethodInvocation *invocation,
GAsyncReadyCallback callback,
gpointer user_data);
diff --git a/service/realm-samba.c b/service/realm-samba.c
index e7b80a0..7aa5416 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -257,7 +257,8 @@ on_install_do_join (GObject *source,
}
static gboolean
-validate_membership_options (GVariant *options,
+validate_membership_options (EnrollClosure *enroll,
+ GVariant *options,
GError **error)
{
const gchar *software;
@@ -271,6 +272,12 @@ validate_membership_options (GVariant *options,
}
}
+ if (realm_option_use_ldaps (options)) {
+ realm_diagnostics_info (enroll->invocation,
+ "Membership software %s does "
+ "not support ldaps, trying without.",
+ software);
+ }
return TRUE;
}
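Review bot: `software` is passed to the new `%s` diagnostic, but within this function it is only declared (`const gchar *software;` in the preceding hunk); if the lookup between the two hunks assigns it only when the membership-software option is present, the diagnostic reads an uninitialized pointer whenever the option is absent — initialise it (`const gchar *software = NULL;`) and either guard the message or, if this validator only accepts samba, name `REALM_DBUS_IDENTIFIER_SAMBA` directly instead. Separately, an explicitly requested ldaps transport is downgraded to a plain connection with only an info-level diagnostic; an administrator who set the option is presumably relying on it, so failing the join here (set `*error`, return FALSE) is the safer default, or at minimum the message should state that ldaps was requested and is not being honoured. The same silent fallback appears in parse_join_options and realm_sssd_ad_leave_async in realm-sssd-ad.c. validate_membership_options starts in the preceding hunk and the code between the two hunks is not shown.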
@@ -303,7 +310,7 @@ realm_samba_join_async (RealmKerberosMembership *membership,
g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_ALREADY_CONFIGURED,
_("Already joined to a domain"));
- } else if (!validate_membership_options (options, &error)) {
+ } else if (!validate_membership_options (enroll, options, &error)) {
g_task_return_error (task, error);
} else {
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 6b2f9f8..00a9093 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -98,6 +98,7 @@ typedef struct {
GVariant *options;
RealmDisco *disco;
gboolean use_adcli;
+ gboolean use_ldaps;
const gchar **packages;
} JoinClosure;
@@ -294,6 +295,7 @@ on_install_do_join (GObject *source,
realm_adcli_enroll_join_async (join->disco,
join->cred,
join->options,
+ join->use_ldaps,
join->invocation,
on_join_do_sssd,
g_object_ref (task));
@@ -347,6 +349,19 @@ parse_join_options (JoinClosure *join,
return FALSE;
}
+ /*
+ * Check if ldaps should be used and if membership software supports
+ * it.
+ */
+ join->use_ldaps = realm_option_use_ldaps (options);
+ if (join->use_ldaps &&
+ g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
+ realm_diagnostics_info (join->invocation,
+ "Membership software %s does "
+ "not support ldaps, trying "
+ "without.", software);
+ }
+
/*
* If we are enrolling with a user password, then we have to use samba,
* adcli only supports admin passwords.
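Review bot: The ldaps check runs before the membership software is finally decided: the comment immediately below says a user password forces samba, so a join that would have used adcli with ldaps can still be switched to samba after this point without the "does not support ldaps" diagnostic ever being emitted, and the requested option is then dropped silently. Emit the diagnostic after join->use_adcli is settled and key it on that rather than on the option string, e.g. `if (join->use_ldaps && !join->use_adcli)`. Also, if `software` can be NULL here (membership-software option not given), `g_str_equal` dereferences it; `g_strcmp0 (software, REALM_DBUS_IDENTIFIER_SAMBA) == 0` is the null-safe form. parse_join_options starts before and continues past this hunk.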
@@ -523,6 +538,7 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
GTask *task;
LeaveClosure *leave;
gchar *tags;
+ gboolean use_ldaps = FALSE;
task = g_task_new (self, NULL, callback, user_data);
@@ -551,10 +567,19 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
leave->invocation = g_object_ref (invocation);
leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? TRUE : FALSE;
g_task_set_task_data (task, leave, leave_closure_free);
+
+ use_ldaps = realm_option_use_ldaps (options);
if (leave->use_adcli) {
- realm_adcli_enroll_delete_async (disco, cred, options, invocation,
+ realm_adcli_enroll_delete_async (disco, cred, options,
+ use_ldaps, invocation,
on_leave_do_deconfigure, g_object_ref (task));
} else {
+ if (use_ldaps) {
+ realm_diagnostics_info (leave->invocation,
+ "Membership software does "
+ "not support ldaps, trying "
+ "without.");
+ }
realm_samba_enroll_leave_async (disco, cred, options, invocation,
on_leave_do_deconfigure, g_object_ref (task));
}
--
2.26.2