From 20adfff6c0db657d302bd96f986f2e79a8b2d791 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 30 Oct 2020 13:20:46 +0100
Subject: [PATCH 2/6] service: allow to use ldaps for rootDSE lookup

Let the realmd service use ldaps for the rootDSE lookup when requested.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
 service/realm-disco-dns.c | 10 +++++++---
 service/realm-disco-dns.h | 1 +
 service/realm-disco-domain.c | 8 +++++++-
 service/realm-disco-domain.h | 1 +
 service/realm-disco-mscldap.c | 2 +-
 service/realm-disco-rootdse.c | 3 ++-
 service/realm-disco-rootdse.h | 1 +
 service/realm-ldap.c | 5 ++++-
 service/realm-ldap.h | 1 +
 service/realm-samba-provider.c | 5 ++++-
 service/realm-sssd-provider.c | 5 ++++-
 11 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/service/realm-disco-dns.c b/service/realm-disco-dns.c
index 446010c..77d5034 100644
--- a/service/realm-disco-dns.c
+++ b/service/realm-disco-dns.c
@@ -32,6 +32,7 @@ typedef struct {
 GQueue addresses;
 GQueue targets;
 gint current_port;
+gboolean use_ldaps;
 gint returned;
 DiscoPhase phase;
 GResolver *resolver;
@@ -180,7 +181,7 @@ return_or_resolve (RealmDiscoDns *self,
 target = g_queue_pop_head (&self->targets);
 if (target) {
-self->current_port = g_srv_target_get_port (target);
+self->current_port = self->use_ldaps ? 636 : g_srv_target_get_port (target);
 g_resolver_lookup_by_name_async (self->resolver,
 g_srv_target_get_hostname (target),
 g_task_get_cancellable (task),
 on_name_resolved, g_object_ref (task));
@@ -201,7 +202,7 @@ return_or_resolve (RealmDiscoDns *self,
 g_resolver_lookup_by_name_async (self->resolver, self->name,
 g_task_get_cancellable (task),
 on_name_resolved, g_object_ref (task));
-self->current_port = 389;
+self->current_port = self->use_ldaps ? 636 : 389;
 self->phase = PHASE_HOST;
 break;
 case PHASE_HOST:
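Review bot: The port selection `self->use_ldaps ? 636 : g_srv_target_get_port (target)` in this hunk, `self->use_ldaps ? 636 : 389` in the next one and `use_ldaps ? 636 : 389` in realm_disco_dns_enumerate_servers repeat the same two magic ports in three places; a file-local helper such as `static gint ldap_port_for (gboolean use_ldaps) { return use_ldaps ? 636 : 389; }` would keep the mapping in one spot. In the SRV branch the port advertised by the SRV record is discarded whenever ldaps is requested, so a domain controller that publishes LDAP on a non-default port is assumed to also serve ldaps on 636 on the same host; that assumption should be stated at the assignment, e.g. `/* SRV records advertise the plain LDAP port; for ldaps assume 636 on the same host */`. return_or_resolve starts and ends outside the hunk.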
@@ -251,6 +252,7 @@ realm_disco_dns_class_init (RealmDiscoDnsClass *klass)
 
 GSocketAddressEnumerator *
 realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
+gboolean use_ldaps,
 GDBusMethodInvocation *invocation)
 {
 RealmDiscoDns *self;
@@ -262,12 +264,14 @@ realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
 
 self = g_object_new (REALM_TYPE_DISCO_DNS, NULL);
 self->name = g_hostname_to_ascii (input);
+self->use_ldaps = use_ldaps;
 self->invocation = g_object_ref (invocation);
 
 /* If is an IP, skip resolution */
 if (g_hostname_is_ip_address (input)) {
 inet = g_inet_address_new_from_string (input);
-g_queue_push_head (&self->addresses, g_inet_socket_address_new (inet, 389));
+g_queue_push_head (&self->addresses,
+g_inet_socket_address_new (inet, use_ldaps ? 636 : 389));
 g_object_unref (inet);
 self->phase = PHASE_HOST;
 } else {
diff --git a/service/realm-disco-dns.h b/service/realm-disco-dns.h
index a51777f..5b20fe9 100644
--- a/service/realm-disco-dns.h
+++ b/service/realm-disco-dns.h
@@ -26,6 +26,7 @@ typedef enum {
 G_BEGIN_DECLS
 
 GSocketAddressEnumerator * realm_disco_dns_enumerate_servers (const gchar *domain_or_server,
+gboolean use_ldaps,
 GDBusMethodInvocation *invocation);
 
 RealmDiscoDnsHint realm_disco_dns_get_hint (GSocketAddressEnumerator *enumerator);
diff --git a/service/realm-disco-domain.c b/service/realm-disco-domain.c
index 3f0ccb5..fdda8f6 100644
--- a/service/realm-disco-domain.c
+++ b/service/realm-disco-domain.c
@@ -37,6 +37,7 @@ typedef struct _Callback {
 typedef struct {
 GObject parent;
 gchar *input;
+gboolean use_ldaps;
 GCancellable *cancellable;
 GDBusMethodInvocation *invocation;
 GSocketAddressEnumerator *enumerator;
@@ -206,6 +207,7 @@ on_discover_next_address (GObject *source,
 
 realm_diagnostics_info (self->invocation, "Performing LDAP DSE lookup on: %s", string);
 realm_disco_rootdse_async (address, explicit_host,
+self->use_ldaps,
 self->invocation, self->cancellable,
 on_discover_rootdse, g_object_ref (self));
 self->outstanding++;
@@ -248,6 +250,7 @@ on_cancel_propagate (GCancellable *source,
 
 void
 realm_disco_domain_async (const gchar *string,
+gboolean use_ldaps,
 GDBusMethodInvocation *invocation,
 GAsyncReadyCallback callback,
 gpointer user_data)
@@ -267,8 +270,11 @@ realm_disco_domain_async (const gchar *string,
 if (self == NULL) {
 self = g_object_new (REALM_TYPE_DISCO_DOMAIN, NULL);
 self->input = g_strdup (string);
+self->use_ldaps = use_ldaps;
 self->invocation = g_object_ref (invocation);
-self->enumerator = realm_disco_dns_enumerate_servers (string, invocation);
+self->enumerator = realm_disco_dns_enumerate_servers (string,
+use_ldaps,
+invocation);
 g_hash_table_insert (discover_cache, self->input, self);
 
 g_assert (!self->completed);
diff --git a/service/realm-disco-domain.h b/service/realm-disco-domain.h
index 27dcc6c..02d4998 100644
--- a/service/realm-disco-domain.h
+++ b/service/realm-disco-domain.h
@@ -24,6 +24,7 @@
 G_BEGIN_DECLS
 
 void realm_disco_domain_async (const gchar *string,
+gboolean use_ldaps,
 GDBusMethodInvocation *invocation,
 GAsyncReadyCallback callback,
 gpointer user_data);
diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
index d3d3c10..2504904 100644
--- a/service/realm-disco-mscldap.c
+++ b/service/realm-disco-mscldap.c
@@ -348,7 +348,7 @@ realm_disco_mscldap_async (GSocketAddress *address,
 return;
 }
 
-clo->source = realm_ldap_connect_anonymous (address, protocol, cancellable);
+clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
 g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
 g_object_ref (task), g_object_unref);
 g_source_attach (clo->source, g_task_get_context (task));
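Review bot: In the realm-disco-mscldap.c hunk the new argument is hard-coded to `FALSE` while the transport stays the caller-supplied `protocol`, so the ldaps option never applies to the CLDAP ping even when that ping is made over TCP; if that is deliberate (the netlogon ping is conventionally plain UDP and carries no credentials), a comment on the call would stop the next reader from treating it as an oversight, e.g. `/* The CLDAP ping never uses TLS, regardless of the ldaps option */`. If instead TCP CLDAP to an ldaps-only port is expected to work, the flag should be threaded through here as it is in realm_disco_rootdse_async. realm_disco_mscldap_async starts outside the hunk.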
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
index 7614071..4ed19e5 100644
--- a/service/realm-disco-rootdse.c
+++ b/service/realm-disco-rootdse.c
@@ -452,6 +452,7 @@ on_ldap_io (LDAP *ldap,
 void
 realm_disco_rootdse_async (GSocketAddress *address,
 const gchar *explicit_server,
+gboolean use_ldaps,
 GDBusMethodInvocation *invocation,
 GCancellable *cancellable,
 GAsyncReadyCallback callback,
@@ -473,7 +474,7 @@ realm_disco_rootdse_async (GSocketAddress *address,
 g_task_set_task_data (task, clo, closure_free);
 
 clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
-cancellable);
+use_ldaps, cancellable);
 g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
 g_object_ref (task), g_object_unref);
 g_source_attach (clo->source, g_task_get_context (task));
diff --git a/service/realm-disco-rootdse.h b/service/realm-disco-rootdse.h
index e024c84..7b21960 100644
--- a/service/realm-disco-rootdse.h
+++ b/service/realm-disco-rootdse.h
@@ -21,6 +21,7 @@
 
 void realm_disco_rootdse_async (GSocketAddress *address,
 const gchar *explicit_server,
+gboolean use_ldaps,
 GDBusMethodInvocation *invocation,
 GCancellable *cancellable,
 GAsyncReadyCallback callback,
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index 7831b5b..28c5c8a 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -183,6 +183,7 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
 GSource *
 realm_ldap_connect_anonymous (GSocketAddress *address,
 GSocketProtocol protocol,
+gboolean use_ldaps,
 GCancellable *cancellable)
 {
 GSource *source;
@@ -238,7 +239,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
 if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
 g_warning ("couldn't set to blocking");
 
-url = g_strdup_printf ("ldap://%s:%d", addrname, port);
+url = g_strdup_printf ("%s://%s:%d",
+use_ldaps ? "ldaps" : "ldap",
+addrname, port);
 rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
 g_free (url);
 
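Review bot: In the realm-ldap.c hunk, switching the URL scheme to `ldaps` changes what `ldap_init_fd` does with the already-connected socket: for an ldaps URL libldap negotiates TLS on the fd inside that call (as far as I recall; confirm against the libldap in use), and the peer certificate is matched against the host part of the URL, which here is `addrname` rather than the name the caller resolved (where addrname comes from is outside the hunk). Whether a mismatch or an untrusted certificate aborts the connection or is silently accepted then depends on the process-wide TLS options (`LDAP_OPT_X_TLS_REQUIRE_CERT`, ldap.conf), none of which this function sets, so it should either set the policy it relies on or document that it inherits it; a comment at the `url =` line such as `/* ldaps: libldap starts TLS on ls->sock inside ldap_init_fd; certificate checking follows the global libldap TLS options */` would make that visible. Note also that the socket is made blocking just above, so with ldaps the whole TLS handshake would now complete synchronously in this call, which is worth a mention on the `g_unix_set_fd_nonblocking` line. realm_ldap_connect_anonymous continues outside the hunk.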
diff --git a/service/realm-ldap.h b/service/realm-ldap.h
index 263f72a..0f9f40e 100644
--- a/service/realm-ldap.h
+++ b/service/realm-ldap.h
@@ -37,6 +37,7 @@ typedef GIOCondition (* RealmLdapCallback) (LDAP *ldap,
 
 GSource * realm_ldap_connect_anonymous (GSocketAddress *address,
 GSocketProtocol protocol,
+gboolean use_ldaps,
 GCancellable *cancellable);
 
 void realm_ldap_set_condition (GSource *source,
diff --git a/service/realm-samba-provider.c b/service/realm-samba-provider.c
index 9b489ce..de9f5e6 100644
--- a/service/realm-samba-provider.c
+++ b/service/realm-samba-provider.c
@@ -27,6 +27,7 @@
 #include "realm-samba-enroll.h"
 #include "realm-samba-provider.h"
 #include "realm-samba-winbind.h"
+#include "realm-options.h"
 
 #include
 
@@ -121,7 +122,9 @@ realm_samba_provider_discover_async (RealmProvider *provider,
 
 g_task_return_pointer (task, NULL, NULL);
 } else {
-realm_disco_domain_async (string, invocation,
+realm_disco_domain_async (string,
+realm_option_use_ldaps (options),
+invocation,
 on_ad_discover, g_object_ref (task));
 }
 
diff --git a/service/realm-sssd-provider.c b/service/realm-sssd-provider.c
index 7ac0645..db183c0 100644
--- a/service/realm-sssd-provider.c
+++ b/service/realm-sssd-provider.c
@@ -26,6 +26,7 @@
 #include "realm-sssd-ipa.h"
 #include "realm-sssd-provider.h"
 #include "realm-sssd-config.h"
+#include "realm-options.h"
 
 #include
 
@@ -140,7 +141,9 @@ realm_sssd_provider_discover_async (RealmProvider *provider,
 
 g_task_return_pointer (task, NULL, NULL);
 } else {
-realm_disco_domain_async (string,
+realm_disco_domain_async (string,
+realm_option_use_ldaps (options),
+invocation, on_kerberos_discover,
 g_object_ref (task));
 }
 
-- 
2.26.2
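Review bot: The realm-ldap.h declaration gains `gboolean use_ldaps` with no statement of what the caller must guarantee; from the realm-ldap.c hunk the flag only selects the URL scheme and does not touch the port, so the `address` passed in must already point at the ldaps port (the dns code in this series chooses 636). A short comment on the declaration would pin that contract, e.g. `/* use_ldaps: build an ldaps:// URL so libldap uses TLS on the socket; address must already carry the ldaps port */`. The same note applies to the `use_ldaps` parameters added in realm-disco-rootdse.h, realm-disco-domain.h and realm-disco-dns.h, where one sentence saying the flag is passed through to the rootDSE connection would suffice.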