From 3e4c42094c9660c710f544e31c49ff38180c7675 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 2 Dec 2020 10:10:37 +0100
Subject: [PATCH 3/3] service: make TLS check more releaxed

Since realmd is most often the first application called to discover a domain we do not require a strict certificate check when using the ldaps port to connect to a domain controller.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
 doc/manual/realm.xml | 8 +++++++-
 service/realm-ldap.c | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
index 01af62e..d7d8e5e 100644
--- a/doc/manual/realm.xml
+++ b/doc/manual/realm.xml
@@ -293,7 +293,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
 which offers a comparable level of security than ldaps. This option is only needed if the standard LDAP port (389/tcp) is blocked by a firewall and only the LDAPS
- port (636/tcp) is available.
+ port (636/tcp) is available. Given that and to lower
+ the initial effort to discover a remote domain
+ realmd does not require a strict
+ certificate check. If the validation of the LDAP server
+ certificate fails realmd will
+ continue to setup the encrypted connection to the LDAP
+ server.
 If this option is set to yes realmd
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index e07a299..bdfb96c 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -199,6 +199,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
 gint port;
 gchar *url;
 int rc;
+ int opt_rc;
+ int ldap_opt_val;
+ const char *errmsg = NULL;
 g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
@@ -264,9 +267,36 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
 }
 if (use_ldaps) {
+ /* Since we currently use the IP address in the URI
+ * the certificate check might fail because in most
+ * cases the IP address won't be listed in the SANs of
+ * the LDAP server certificate. We will try to
+ * continue in this case and not fail. */
+ ldap_opt_val = LDAP_OPT_X_TLS_ALLOW;
+ rc = ldap_set_option (ls->ldap,
+ LDAP_OPT_X_TLS_REQUIRE_CERT,
+ &ldap_opt_val);
+ if (rc != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to disable certificate checking, trying without");
+ }
+
+ ldap_opt_val = 0;
+ rc = ldap_set_option (ls->ldap, LDAP_OPT_X_TLS_NEWCTX,
+ &ldap_opt_val);
+ if (rc != LDAP_OPT_SUCCESS) {
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
+ }
+
 rc = ldap_install_tls (ls->ldap);
 if (rc != LDAP_SUCCESS) {
- g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
+ opt_rc = ldap_get_option (ls->ldap,
+ LDAP_OPT_DIAGNOSTIC_MESSAGE,
+ (void *) &errmsg);
+ if (opt_rc != LDAP_SUCCESS) {
+ errmsg = "- no details -";
+ }
+ g_warning ("ldap_start_tls_s() failed [%s]: %s",
+ ldap_err2string (rc), errmsg);
 return NULL;
 }
 }
-- 
2.28.0
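Review bot: The comment before `ldap_opt_val = LDAP_OPT_X_TLS_ALLOW;` attributes the relaxation to the IP address missing from the certificate's SANs, but LDAP_OPT_X_TLS_ALLOW also accepts untrusted, self-signed and expired certificates, so on this path the server is not authenticated at all and the TLS session only protects against passive observation; the comment should state that, and that the handle is used for anonymous discovery only, e.g. `/* NOTE: TLS_ALLOW disables peer authentication entirely, not just name matching; only anonymous discovery queries may use this handle. */`. For the same reason the successful path leaves no trace that verification was skipped, so a `g_message` when the option is applied would let an administrator tell an unverified discovery connection from a verified one in the logs. In the failure branch, the string ldap_get_option returns for LDAP_OPT_DIAGNOSTIC_MESSAGE is allocated by libldap and is to be released with ldap_memfree() per ldap_get_option(3), and it may be NULL when no message is set; declaring `errmsg` as `char *` in the earlier hunk and using `g_warning ("ldap_start_tls_s() failed [%s]: %s", ldap_err2string (rc), (opt_rc == LDAP_SUCCESS && errmsg != NULL) ? errmsg : "- no details -");` followed by `if (opt_rc == LDAP_SUCCESS) ldap_memfree (errmsg);` closes both the leak and the NULL format argument. The enclosing function realm_ldap_connect_anonymous begins and ends outside the hunk.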