From 13f302652f6069490dfde41dd33e5aaa17efa5e7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 17:22:13 +0100
Subject: [PATCH 5/6] tools: add --use-ldaps option for discover, join and
leave
Add a --use-ldaps option to the realm command so that the caller can ask the
realmd service to use LDAPS where possible.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
doc/manual/realm.xml | 34 ++++++++++++++++++++++++++++++++++
doc/manual/realmd.conf.xml | 21 +++++++++++++++++++++
tools/realm-client.c | 2 ++
tools/realm-client.h | 1 +
tools/realm-discover.c | 7 ++++++-
tools/realm-join.c | 6 +++++-
tools/realm-leave.c | 15 +++++++++++----
7 files changed, 80 insertions(+), 6 deletions(-)
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index e5d4608..01af62e 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -134,6 +134,11 @@ $ realm discover domain.example.com
Possible values include <replaceable>samba</replaceable> or
<replaceable>adcli</replaceable>. </para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -276,6 +281,30 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
principal besides the AD default user principal can be
set.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>Use the ldaps port when connecting to AD
+ where possible. In general this option is not needed
+ because <command>realmd</command> itself only read
+ public information from the Active Directory domain
+ controller which is available anonymously. The
+ supported membership software products will use
+ encrypted connections protected with GSS-SPNEGO/GSSAPI
+ which offers a comparable level of security than ldaps.
+ This option is only needed if the standard LDAP port
+ (389/tcp) is blocked by a firewall and only the LDAPS
+ port (636/tcp) is available.</para>
+
+ <para>If this option is set to
+ <parameter>yes</parameter> <command>realmd</command>
+ will use the ldaps port when reading the rootDSE and
+ call the <command>adcli</command> membership software
+ with the option <option>--use-ldaps</option>. The Samba
+ base membership currently offers only deprecated ways
+ to enable ldaps. Support will be added in
+ <command>realmd</command> when a new way is available.
+ </para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -326,6 +355,11 @@ $ realm leave domain.example.com
with when leaving the realm. You will be prompted for a
password. Implies <option>--remove</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--use-ldaps</option></term>
+ <listitem><para>See option description in
+ <xref linkend="man-join"/>.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 97d2e8d..72b706c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -141,6 +141,27 @@ domain.example.com
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>use-ldaps</option></term>
+ <listitem><para>Use the ldaps port when connecting to AD where possible.
+ In general this option is not needed because <command>realmd</command>
+ itself only read public information from the Active Directory domain
+ controller which is available anonymously. The supported membership
+ software products will use encrypted connections protected with
+ GSS-SPNEGO/GSSAPI which offers a comparable level of security than
+ ldaps. This option is only needed if the standard LDAP port (389/tcp)
+ is blocked by a firewall and only the LDAPS port (636/tcp) is
+ available.</para>
+
+ <para>If this option is set to <parameter>yes</parameter>
+ <command>realmd</command> will use the ldaps port when reading the
+ rootDSE and call the <command>adcli</command> membership software with
+ the option <option>--use-ldaps</option>. The Samba base membership
+ currently offers only deprecated ways to enable ldaps. Support will be
+ added in <command>realmd</command> when a new way is available.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>os-name</option></term>
<listitem><para>(see below)</para></listitem>
diff --git a/tools/realm-client.c b/tools/realm-client.c
index 2f102db..c386e64 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -353,6 +353,7 @@ realm_client_get_provider (RealmClient *self)
GList *
realm_client_discover (RealmClient *self,
const gchar *string,
+ gboolean use_ldaps,
const gchar *client_software,
const gchar *server_software,
const gchar *membership_software,
@@ -381,6 +382,7 @@ realm_client_discover (RealmClient *self,
options = realm_build_options (REALM_DBUS_OPTION_CLIENT_SOFTWARE, client_software,
REALM_DBUS_OPTION_SERVER_SOFTWARE, server_software,
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, membership_software,
+ REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
NULL);
/* Start actual operation */
diff --git a/tools/realm-client.h b/tools/realm-client.h
index 5ecf2de..e9e50cd 100644
--- a/tools/realm-client.h
+++ b/tools/realm-client.h
@@ -40,6 +40,7 @@ RealmDbusProvider * realm_client_get_provider (RealmClien
GList * realm_client_discover (RealmClient *self,
const gchar *string,
+ gboolean use_ldaps,
const gchar *client_software,
const gchar *server_software,
const gchar *membership_software,
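Review bot: The new `use_ldaps` parameter of realm_client_discover is added to the exported prototype without a comment saying what it controls or how it reaches the service, and this hunk shows no documentation for the surrounding parameters either. Since the realm-client.c hunk in this patch turns it into the `REALM_DBUS_OPTION_USE_LDAPS` entry of the options dictionary, and the manual text says realmd uses it when reading the rootDSE, I would put that above the declaration: `/* use_ldaps: ask realmd to read the rootDSE over LDAPS (636/tcp) instead of 389/tcp; forwarded as REALM_DBUS_OPTION_USE_LDAPS. */`. The parameter list continues past the end of the hunk.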
diff --git a/tools/realm-discover.c b/tools/realm-discover.c
index 8dde4ed..c0acd79 100644
--- a/tools/realm-discover.c
+++ b/tools/realm-discover.c
@@ -116,6 +116,7 @@ perform_discover (RealmClient *client,
const gchar *string,
gboolean all,
gboolean name_only,
+ gboolean use_ldaps,
const gchar *server_software,
const gchar *client_software,
const gchar *membership_software)
@@ -127,7 +128,7 @@ perform_discover (RealmClient *client,
GList *realms;
GList *l;
- realms = realm_client_discover (client, string, client_software,
+ realms = realm_client_discover (client, string, use_ldaps, client_software,
server_software, membership_software,
REALM_DBUS_REALM_INTERFACE, NULL, &error);
@@ -173,6 +174,7 @@ realm_discover (RealmClient *client,
GError *error = NULL;
gboolean arg_all = FALSE;
gboolean arg_name_only = FALSE;
+ gboolean arg_use_ldaps = FALSE;
gint result = 0;
gint ret;
gint i;
@@ -183,6 +185,7 @@ realm_discover (RealmClient *client,
{ "client-software", 0, 0, G_OPTION_ARG_STRING, &arg_client_software, N_("Use specific client software"), NULL },
{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &arg_membership_software, N_("Use specific membership software"), NULL },
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
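Review bot: The help string `N_("Use ldaps to connect to LDAP")` on the new option entry is circular and does not tell the user when the flag is actually needed, whereas the manual page in the same patch explains it is only required when 389/tcp is firewalled and only 636/tcp is reachable. I would make the one-line help carry that: `N_("Use LDAPS (636/tcp) when contacting the domain controller, e.g. when 389/tcp is firewalled")`. The identical string is repeated in the join and leave option tables of this patch, so all three should be changed together. The option_entries array starts before this hunk.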
@@ -200,6 +203,7 @@ realm_discover (RealmClient *client,
} else if (argc == 1) {
result = perform_discover (client, NULL, arg_all,
arg_name_only,
+ arg_use_ldaps,
arg_server_software,
arg_client_software,
arg_membership_software);
@@ -209,6 +213,7 @@ realm_discover (RealmClient *client,
for (i = 1; i < argc; i++) {
ret = perform_discover (client, argv[i], arg_all,
arg_name_only,
+ arg_use_ldaps,
arg_server_software,
arg_client_software,
arg_membership_software);
diff --git a/tools/realm-join.c b/tools/realm-join.c
index 249f502..dbe6197 100644
--- a/tools/realm-join.c
+++ b/tools/realm-join.c
@@ -179,6 +179,7 @@ typedef struct {
gchar *user_principal;
gboolean automatic_id_mapping_set;
gboolean automatic_id_mapping;
+ gboolean use_ldaps;
} RealmJoinArgs;
static void
@@ -218,7 +219,7 @@ perform_join (RealmClient *client,
GList *realms;
gint ret;
- realms = realm_client_discover (client, string, args->client_software,
+ realms = realm_client_discover (client, string, args->use_ldaps, args->client_software,
args->server_software, args->membership_software,
REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE,
&had_mismatched, &error);
@@ -247,6 +248,7 @@ perform_join (RealmClient *client,
REALM_DBUS_OPTION_OS_VERSION, args->os_version,
REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal,
+ REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
args->automatic_id_mapping_set ?
REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING : NULL,
args->automatic_id_mapping,
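Review bot: `args->use_ldaps` is serialized as the strings "True"/"False", while the `automatic_id_mapping` entry two lines below is handed to the same realm_build_options call as a raw gboolean, so two boolean options are passed in different forms and presumably end up as different GVariant types; how realm_build_options types its arguments and how the service side looks the key up are not visible here. If the service reads the key as a boolean, the string form would silently not match and the flag would be ignored, i.e. a quiet fallback to plain LDAP after the user explicitly asked for LDAPS, so please confirm the expected type against the service's reader, or pass it the same way as the neighbouring boolean, e.g. `REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps,` if realm_build_options dispatches boolean options by name. The realm_build_options call starts before this hunk.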
@@ -310,6 +312,8 @@ realm_join (RealmClient *client,
N_("User name to use for enrollment"), NULL },
{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
N_("Set the user principal for the computer account"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
+ N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
diff --git a/tools/realm-leave.c b/tools/realm-leave.c
index 45a9c46..c88a110 100644
--- a/tools/realm-leave.c
+++ b/tools/realm-leave.c
@@ -185,6 +185,7 @@ perform_deconfigure (RealmClient *client,
static int
perform_user_leave (RealmClient *client,
+ gboolean use_ldaps,
RealmDbusKerberosMembership *membership,
const gchar *user_name)
{
@@ -201,7 +202,8 @@ perform_user_leave (RealmClient *client,
return 1;
}
- options = realm_build_options(NULL, NULL);
+ options = realm_build_options (REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
+ NULL);
ret = call_leave (membership, credentials, options, &error);
if (error != NULL)
@@ -213,6 +215,7 @@ perform_user_leave (RealmClient *client,
static int
perform_leave (RealmClient *client,
const gchar *realm_name,
+ gboolean use_ldaps,
gboolean remove,
const gchar *user_name,
const gchar *client_software,
@@ -239,7 +242,8 @@ perform_leave (RealmClient *client,
if (!remove)
ret = perform_deconfigure (client, realm);
else
- ret = perform_user_leave (client, membership, user_name);
+ ret = perform_user_leave (client, use_ldaps, membership,
+ user_name);
g_object_unref (membership);
g_object_unref (realm);
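Review bot: `use_ldaps` is only forwarded on the `remove` branch, so `realm leave --use-ldaps` without `--remove` or `-U` accepts the flag and silently drops it, since perform_deconfigure takes no such argument. That is harmless if deconfigure is purely local, which I cannot confirm from this hunk, but the user gets no indication that the option had no effect; I would either warn in that branch, e.g. `if (use_ldaps) g_printerr ("--use-ldaps has no effect without --remove\n");`, or state in the leave section of the manual that --use-ldaps only applies together with --remove/--user. perform_leave begins before this hunk and its body continues after it.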
@@ -259,6 +263,7 @@ realm_leave (RealmClient *client,
gchar *arg_server_software = NULL;
GError *error = NULL;
const gchar *realm_name;
+ gboolean arg_use_ldaps = FALSE;
gint ret = 0;
GOptionEntry option_entries[] = {
@@ -268,6 +273,7 @@ realm_leave (RealmClient *client,
{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software,
N_("Use specific server software"), NULL },
{ "user", 'U', 0, G_OPTION_ARG_STRING, &arg_user, N_("User name to use for removal"), NULL },
+ { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
{ NULL, }
};
@@ -283,8 +289,9 @@ realm_leave (RealmClient *client,
} else {
realm_name = argc < 2 ? NULL : argv[1];
- ret = perform_leave (client, realm_name, arg_remove, arg_user,
- arg_client_software, arg_server_software);
+ ret = perform_leave (client, realm_name, arg_use_ldaps,
+ arg_remove, arg_user, arg_client_software,
+ arg_server_software);
}
g_free (arg_user);
--
2.26.2