From 13f302652f6069490dfde41dd33e5aaa17efa5e7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 30 Oct 2020 17:22:13 +0100
Subject: [PATCH 5/6] tools: add --use-ldaps option for discover, join and
 leave

Add --use-ldaps option to the realm command to be able to ask the realmd
service to use ldaps where possible.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
 doc/manual/realm.xml       | 34 ++++++++++++++++++++++++++++++++++
 doc/manual/realmd.conf.xml | 21 +++++++++++++++++++++
 tools/realm-client.c       |  2 ++
 tools/realm-client.h       |  1 +
 tools/realm-discover.c     |  7 ++++++-
 tools/realm-join.c         |  6 +++++-
 tools/realm-leave.c        | 15 +++++++++++----
 7 files changed, 80 insertions(+), 6 deletions(-)

diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index e5d4608..01af62e 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -134,6 +134,11 @@ $ realm discover domain.example.com
 			Possible values include <replaceable>samba</replaceable> or
 			<replaceable>adcli</replaceable>. </para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--use-ldaps</option></term>
+			<listitem><para>See option description in
+			<xref linkend="man-join"/>.</para></listitem>
+		</varlistentry>
 	</variablelist>
 
 </refsect1>
@@ -276,6 +281,30 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
 			principal besides the AD default user principal can be
 			set.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--use-ldaps</option></term>
+			<listitem><para>Use the ldaps port when connecting to AD
+			where possible.  In general this option is not needed
+			because <command>realmd</command> itself only read
+			public information from the Active Directory domain
+			controller which is available anonymously. The
+			supported membership software products will use
+			encrypted connections protected with GSS-SPNEGO/GSSAPI
+			which offers a comparable level of security than ldaps.
+			This option is only needed if the standard LDAP port
+			(389/tcp) is blocked by a firewall and only the LDAPS
+			port (636/tcp) is available.</para>
+
+			<para>If this option is set to
+			<parameter>yes</parameter> <command>realmd</command>
+			will use the ldaps port when reading the rootDSE and
+			call the <command>adcli</command> membership software
+			with the option <option>--use-ldaps</option>. The Samba
+			base membership currently offers only deprecated ways
+			to enable ldaps. Support will be added in
+			<command>realmd</command> when a new way is available.
+			</para></listitem>
+		</varlistentry>
 	</variablelist>
 
 </refsect1>
@@ -326,6 +355,11 @@ $ realm leave domain.example.com
 			with when leaving the realm. You will be prompted for a
 			password. Implies <option>--remove</option>.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--use-ldaps</option></term>
+			<listitem><para>See option description in
+			<xref linkend="man-join"/>.</para></listitem>
+		</varlistentry>
 	</variablelist>
 
 </refsect1>
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
index 97d2e8d..72b706c 100644
--- a/doc/manual/realmd.conf.xml
+++ b/doc/manual/realmd.conf.xml
@@ -141,6 +141,27 @@ domain.example.com
 	</listitem>
 	</varlistentry>
 
+	<varlistentry>
+	<term><option>use-ldaps</option></term>
+	<listitem><para>Use the ldaps port when connecting to AD where possible.
+	In general this option is not needed because <command>realmd</command>
+	itself only read public information from the Active Directory domain
+	controller which is available anonymously. The supported membership
+	software products will use encrypted connections protected with
+	GSS-SPNEGO/GSSAPI which offers a comparable level of security than
+	ldaps. This option is only needed if the standard LDAP port (389/tcp)
+	is blocked by a firewall and only the LDAPS port (636/tcp) is
+	available.</para>
+
+	<para>If this option is set to <parameter>yes</parameter>
+	<command>realmd</command> will use the ldaps port when reading the
+	rootDSE and call the <command>adcli</command> membership software with
+	the option <option>--use-ldaps</option>. The Samba base membership
+	currently offers only deprecated ways to enable ldaps. Support will be
+	added in <command>realmd</command> when a new way is available.</para>
+	</listitem>
+	</varlistentry>
+
 	<varlistentry>
 	<term><option>os-name</option></term>
 	<listitem><para>(see below)</para></listitem>
diff --git a/tools/realm-client.c b/tools/realm-client.c
index 2f102db..c386e64 100644
--- a/tools/realm-client.c
+++ b/tools/realm-client.c
@@ -353,6 +353,7 @@ realm_client_get_provider (RealmClient *self)
 GList *
 realm_client_discover (RealmClient *self,
                        const gchar *string,
+                       gboolean use_ldaps,
                        const gchar *client_software,
                        const gchar *server_software,
                        const gchar *membership_software,
@@ -381,6 +382,7 @@ realm_client_discover (RealmClient *self,
 	options = realm_build_options (REALM_DBUS_OPTION_CLIENT_SOFTWARE, client_software,
 	                               REALM_DBUS_OPTION_SERVER_SOFTWARE, server_software,
 	                               REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, membership_software,
+	                               REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
 	                               NULL);
 
 	/* Start actual operation */
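Review bot: The key added on the realm_build_options call is sent on every discover request, carrying the string "False" whenever --use-ldaps was not given, so the service can no longer tell "not requested" from "explicitly off". This patch also documents a `use-ldaps` setting in realmd.conf.xml; if the service gives a D-Bus option precedence over the config file, that setting becomes unreachable from the `realm` command — I cannot confirm the precedence from this hunk. A tri-state already has precedent in realm-join.c, where automatic_id_mapping is only sent when automatic_id_mapping_set is true; the cheaper equivalent here would be `REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : NULL,` provided realm_build_options skips NULL values, which is not visible in this diff. The same pattern appears in perform_join (realm-join.c) and perform_user_leave (realm-leave.c). realm_client_discover's body continues outside the hunk.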
diff --git a/tools/realm-client.h b/tools/realm-client.h
index 5ecf2de..e9e50cd 100644
--- a/tools/realm-client.h
+++ b/tools/realm-client.h
@@ -40,6 +40,7 @@ RealmDbusProvider *            realm_client_get_provider             (RealmClien
 
 GList *                        realm_client_discover                 (RealmClient *self,
                                                                       const gchar *string,
+                                                                      gboolean use_ldaps,
                                                                       const gchar *client_software,
                                                                       const gchar *server_software,
                                                                       const gchar *membership_software,
diff --git a/tools/realm-discover.c b/tools/realm-discover.c
index 8dde4ed..c0acd79 100644
--- a/tools/realm-discover.c
+++ b/tools/realm-discover.c
@@ -116,6 +116,7 @@ perform_discover (RealmClient *client,
                   const gchar *string,
                   gboolean all,
                   gboolean name_only,
+                  gboolean use_ldaps,
                   const gchar *server_software,
                   const gchar *client_software,
                   const gchar *membership_software)
@@ -127,7 +128,7 @@ perform_discover (RealmClient *client,
 	GList *realms;
 	GList *l;
 
-	realms = realm_client_discover (client, string, client_software,
+	realms = realm_client_discover (client, string, use_ldaps, client_software,
 	                                server_software, membership_software,
 	                                REALM_DBUS_REALM_INTERFACE, NULL, &error);
 
@@ -173,6 +174,7 @@ realm_discover (RealmClient *client,
 	GError *error = NULL;
 	gboolean arg_all = FALSE;
 	gboolean arg_name_only = FALSE;
+	gboolean arg_use_ldaps = FALSE;
 	gint result = 0;
 	gint ret;
 	gint i;
@@ -183,6 +185,7 @@ realm_discover (RealmClient *client,
 		{ "client-software", 0, 0, G_OPTION_ARG_STRING, &arg_client_software, N_("Use specific client software"), NULL },
 		{ "membership-software", 0, 0, G_OPTION_ARG_STRING, &arg_membership_software, N_("Use specific membership software"), NULL },
 		{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL },
+		{ "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
 		{ NULL, }
 	};
 
@@ -200,6 +203,7 @@ realm_discover (RealmClient *client,
 	} else if (argc == 1) {
 		result = perform_discover (client, NULL, arg_all,
 		                           arg_name_only,
+		                           arg_use_ldaps,
 		                           arg_server_software,
 		                           arg_client_software,
 		                           arg_membership_software);
@@ -209,6 +213,7 @@ realm_discover (RealmClient *client,
 		for (i = 1; i < argc; i++) {
 			ret = perform_discover (client, argv[i], arg_all,
 			                        arg_name_only,
+			                        arg_use_ldaps,
 			                        arg_server_software,
 			                        arg_client_software,
 			                        arg_membership_software);
diff --git a/tools/realm-join.c b/tools/realm-join.c
index 249f502..dbe6197 100644
--- a/tools/realm-join.c
+++ b/tools/realm-join.c
@@ -179,6 +179,7 @@ typedef struct {
 	gchar *user_principal;
 	gboolean automatic_id_mapping_set;
 	gboolean automatic_id_mapping;
+	gboolean use_ldaps;
 } RealmJoinArgs;
 
 static void
@@ -218,7 +219,7 @@ perform_join (RealmClient *client,
 	GList *realms;
 	gint ret;
 
-	realms = realm_client_discover (client, string, args->client_software,
+	realms = realm_client_discover (client, string, args->use_ldaps, args->client_software,
 	                                args->server_software, args->membership_software,
 	                                REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE,
 	                                &had_mismatched, &error);
@@ -247,6 +248,7 @@ perform_join (RealmClient *client,
 	                               REALM_DBUS_OPTION_OS_VERSION, args->os_version,
 	                               REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software,
 	                               REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal,
+	                               REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False",
 	                               args->automatic_id_mapping_set ?
 	                                   REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING : NULL,
 	                                   args->automatic_id_mapping,
@@ -310,6 +312,8 @@ realm_join (RealmClient *client,
 		  N_("User name to use for enrollment"), NULL },
 		{ "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal,
 		  N_("Set the user principal for the computer account"), NULL },
+		{ "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps,
+		  N_("Use ldaps to connect to LDAP"), NULL },
 		{ NULL, }
 	};
 
diff --git a/tools/realm-leave.c b/tools/realm-leave.c
index 45a9c46..c88a110 100644
--- a/tools/realm-leave.c
+++ b/tools/realm-leave.c
@@ -185,6 +185,7 @@ perform_deconfigure (RealmClient *client,
 
 static int
 perform_user_leave (RealmClient *client,
+                    gboolean use_ldaps,
                     RealmDbusKerberosMembership *membership,
                     const gchar *user_name)
 {
@@ -201,7 +202,8 @@ perform_user_leave (RealmClient *client,
 		return 1;
 	}
 
-	options = realm_build_options(NULL, NULL);
+	options = realm_build_options (REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False",
+	                               NULL);
 	ret = call_leave (membership, credentials, options, &error);
 
 	if (error != NULL)
@@ -213,6 +215,7 @@ perform_user_leave (RealmClient *client,
 static int
 perform_leave (RealmClient *client,
                const gchar *realm_name,
+               gboolean use_ldaps,
                gboolean remove,
                const gchar *user_name,
                const gchar *client_software,
@@ -239,7 +242,8 @@ perform_leave (RealmClient *client,
 	if (!remove)
 		ret = perform_deconfigure (client, realm);
 	else
-		ret = perform_user_leave (client, membership, user_name);
+		ret = perform_user_leave (client, use_ldaps, membership,
+		                          user_name);
 
 	g_object_unref (membership);
 	g_object_unref (realm);
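Review bot: The new `use_ldaps` parameter is only forwarded on the `remove` branch of perform_leave; the perform_deconfigure call on the other branch ignores it, so `realm leave --use-ldaps` without `--remove` or `--user` silently has no effect. That is presumably correct if deconfigure never contacts the domain controller, but nothing here or in the leave section of the man page (which only cross-references join) says so. A short comment above the branch, `/* use_ldaps only applies when the DC is contacted to remove the account */`, or a sentence in the leave man page entry, would make the intent explicit. perform_leave starts and ends outside this hunk.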
@@ -259,6 +263,7 @@ realm_leave (RealmClient *client,
 	gchar *arg_server_software = NULL;
 	GError *error = NULL;
 	const gchar *realm_name;
+	gboolean arg_use_ldaps = FALSE;
 	gint ret = 0;
 
 	GOptionEntry option_entries[] = {
@@ -268,6 +273,7 @@ realm_leave (RealmClient *client,
 		{ "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software,
 		  N_("Use specific server software"), NULL },
 		{ "user", 'U', 0, G_OPTION_ARG_STRING, &arg_user, N_("User name to use for removal"), NULL },
+		{ "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL },
 		{ NULL, }
 	};
 
@@ -283,8 +289,9 @@ realm_leave (RealmClient *client,
 
 	} else {
 		realm_name = argc < 2 ? NULL : argv[1];
-		ret = perform_leave (client, realm_name, arg_remove, arg_user,
-		                     arg_client_software, arg_server_software);
+		ret = perform_leave (client, realm_name, arg_use_ldaps,
+		                     arg_remove, arg_user, arg_client_software,
+		                     arg_server_software);
 	}
 
 	g_free (arg_user);
-- 
2.26.2