From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 3 Jul 2020 17:18:27 +0200
Subject: [PATCH] Use startTLS with FreeIPA
FreeIPA is planning to require a minimal security strength factor (ssf)
in an upcoming version. This basically means that communication should
be encrypted. The most straightforward way is to use TLS by doing a
StartTLS operation after the rootDSE lookup. Since FreeIPA has supported TLS
since the initial release we will call StartTLS unconditionally but try
without it if it fails.
Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
---
service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++
service/realm-ldap.c | 4 +++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
index 3100650..7614071 100644
--- a/service/realm-disco-rootdse.c
+++ b/service/realm-disco-rootdse.c
@@ -226,10 +226,33 @@ request_domain_info (GTask *task,
LDAP *ldap)
{
const char *attrs[] = { "info", "associatedDomain", NULL };
+ int ret;
+ int ldap_opt_val;
clo->request = NULL;
clo->result = result_domain_info;
+ /* Trying to setup a TLS tunnel in the case the IPA server requires an
+ * encrypted connected. Trying without in case of an error. Since we
+ * most probably do not have the IPA CA certificate we will not check
+ * the server certificate. */
+ ldap_opt_val = LDAP_OPT_X_TLS_NEVER;
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val);
+ if (ret != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to disable certificate checking, trying without");
+ }
+
+ ldap_opt_val = 0;
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val);
+ if (ret != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
+ }
+
+ ret = ldap_start_tls_s (ldap, NULL, NULL);
+ if (ret != LDAP_SUCCESS) {
+ g_debug ("Failed to setup TLS tunnel, trying without");
+ }
+
return search_ldap (task, clo, ldap, clo->default_naming_context,
LDAP_SCOPE_BASE, NULL, attrs);
}
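Review bot: The tunnel negotiated here is encrypted but deliberately unauthenticated (LDAP_OPT_X_TLS_REQUIRE_CERT is set to LDAP_OPT_X_TLS_NEVER on L32-33), so it defends against passive observation only, and the comment on L28-31 should state that consequence so nobody later treats the "info"/"associatedDomain" values delivered to result_domain_info as authenticated, e.g. add ` * NOTE: the peer is not authenticated; treat the discovered values as hints only.` to that comment. A second, smaller point: all three failure branches throw `ret` away, so a silent downgrade to plaintext leaves only a fixed string in the debug log; `g_debug ("Failed to setup TLS tunnel: %s, trying without", ldap_err2string (ret));` (and likewise for the two ldap_set_option checks) would make field diagnosis of a rejected StartTLS possible. It is also worth confirming, rather than assuming, that the plaintext fallback search on L49 still works on the same handle when ldap_start_tls_s fails partway through the handshake, since the fallback path is the one the commit message relies on.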
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 59817fb..7831b5b 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
- rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap);
+ url = g_strdup_printf ("ldap://%s:%d", addrname, port);
+ rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
+ g_free (url);
g_free (native);
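Review bot: The URL built on L60 is invalid when addrname is a numeric IPv6 address, because the host part must be bracketed (`ldap://[2001:db8::1]:389`, a constructed example); given that realm_ldap_connect_anonymous takes a GSocketAddress (L56) that case seems reachable, and ldap_init_fd would then fail to parse the URL — addrname's origin is outside the hunk, so this is inferred. A conditional format handles both families: `url = g_strdup_printf (strchr (addrname, ':') ? "ldap://[%s]:%d" : "ldap://%s:%d", addrname, port);`. The declaration of url and the function's start and end lie outside this hunk; the diffstat's fourth insertion is presumably that declaration. The immediate g_free on L62 relies on the library not retaining the pointer passed to ldap_init_fd, which a one-line comment such as `/* ldap_init_fd copies the URL; safe to free here */` would make explicit for the next reader.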
--
2.26.2