From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 3 Jul 2020 17:18:27 +0200
Subject: [PATCH] Use startTLS with FreeIPA

FreeIPA is planning to required a minimal security strength factor (ssf) in an upcoming version. This basically means that communication should be encrypted. The most straight forward way is use TLS by doing a StartLS operation after the rootDSE lookup. Since FreeIPA supports TLS since the initial release we will call StartTLS unconditionally but try without if it fails.

Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
---
 service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++
 service/realm-ldap.c | 4 +++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
index 3100650..7614071 100644
--- a/service/realm-disco-rootdse.c
+++ b/service/realm-disco-rootdse.c
@@ -226,10 +226,33 @@ request_domain_info (GTask *task, LDAP *ldap)
 {
 const char *attrs[] = { "info", "associatedDomain", NULL };
+ int ret;
+ int ldap_opt_val;
 clo->request = NULL;
 clo->result = result_domain_info;
+ /* Trying to setup a TLS tunnel in the case the IPA server requires an
+ * encrypted connected. Trying without in case of an error. Since we
+ * most probably do not have the IPA CA certificate we will not check
+ * the server certificate. */
+ ldap_opt_val = LDAP_OPT_X_TLS_NEVER;
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val);
+ if (ret != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to disable certificate checking, trying without");
+ }
+
+ ldap_opt_val = 0;
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val);
+ if (ret != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
+ }
+
+ ret = ldap_start_tls_s (ldap, NULL, NULL);
+ if (ret != LDAP_SUCCESS) {
+ g_debug ("Failed to setup TLS tunnel, trying without");
+ }
+
 return search_ldap (task, clo, ldap, clo->default_naming_context, LDAP_SCOPE_BASE, NULL, attrs);
 }
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 59817fb..7831b5b 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
 if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
 g_warning ("couldn't set to blocking");
- rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap);
+ url = g_strdup_printf ("ldap://%s:%d", addrname, port);
+ rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
+ g_free (url);
 g_free (native);
--
2.26.2
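Review bot: The StartTLS session set up in request_domain_info is unauthenticated and silently downgradable — `LDAP_OPT_X_TLS_REQUIRE_CERT` is set to `LDAP_OPT_X_TLS_NEVER`, and a failing `ldap_start_tls_s` falls through to the plaintext `search_ldap` call with only a `g_debug`, so an active attacker on the path can impersonate the IPA server or strip the TLS upgrade entirely; what remains is protection against passive observation, which is the only thing the server-side SSF requirement asks for. That is probably acceptable for an anonymous rootDSE/domain-info lookup, but the comment should state the consequence instead of just the mechanism, e.g. `/* NOTE: the peer certificate is NOT verified and a failed StartTLS falls back to cleartext; this only satisfies the server's SSF requirement and must not be taken as authenticating the server or the data it returns. */`. All three failure branches drop the error code, so a downgrade in the field is undiagnosable; `g_debug ("Failed to setup TLS tunnel, trying without: %s", ldap_err2string (ret));` (and the same for the two `ldap_set_option` branches) costs nothing, and a TLS failure on an otherwise working connection arguably merits `g_warning` rather than `g_debug`. Be aware that if the extended operation succeeds but the handshake itself fails, libldap may already have torn down the connection, in which case "trying without" does not run in cleartext but simply fails at `search_ldap` — worth confirming against the OpenLDAP version realmd targets. The function's signature is on the hunk header and its body appears to be fully within the hunk.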
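Review bot: The URL built with `"ldap://%s:%d"` in realm_ldap_connect_anonymous is malformed when `addrname` is an IPv6 literal, because the colons inside the address make the host and port inseparable for `ldap_url_parse`; the function takes a `GSocketAddress`, so an IPv6 endpoint looks possible here, and the host part then needs brackets, e.g. `url = g_strdup_printf (g_socket_address_get_family (address) == G_SOCKET_FAMILY_IPV6 ? "ldap://[%s]:%d" : "ldap://%s:%d", addrname, port);`. Since `url` is not declared in this hunk and the diffstat accounts for all four changes to this file, the variable presumably already exists in the function; the hunk does not show whether anything else still uses it after `g_free (url)`, which is worth a glance. The host passed here is apparently what lets libldap run StartTLS on an fd-based connection (the previous `NULL` argument is the line being replaced); with certificate checking disabled by the caller in realm-disco-rootdse.c it is never verified against a certificate, so a one-line comment such as `/* libldap needs a host in the URL to negotiate StartTLS on an fd-based handle; it is not verified against the server certificate. */` above the `g_strdup_printf` would save the next reader a trip through tls2.c. The function starts before and continues after this hunk.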