From ae247ae2ad87858741d64341633cd4e74f72e873 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 30 Oct 2020 13:28:52 +0100
Subject: [PATCH 3/6] service: add ldaps support when using adcli

Call adcli with the --use-ldaps option if the realmd service is requested to do so.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
---
 service/realm-adcli-enroll.c | 10 ++++++++++
 service/realm-adcli-enroll.h | 2 ++
 service/realm-samba.c | 11 +++++++++--
 service/realm-sssd-ad.c | 27 ++++++++++++++++++++++++++-
 4 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
index 05947fa..2731283 100644
--- a/service/realm-adcli-enroll.c
+++ b/service/realm-adcli-enroll.c
@@ -68,6 +68,7 @@ void
 realm_adcli_enroll_join_async (RealmDisco *disco,
 RealmCredential *cred,
 GVariant *options,
+ gboolean use_ldaps,
 GDBusMethodInvocation *invocation,
 GAsyncReadyCallback callback,
 gpointer user_data)
@@ -102,6 +103,10 @@ realm_adcli_enroll_join_async (RealmDisco *disco,
 g_ptr_array_add (args, "--domain-realm");
 g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
 
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
 if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
 address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
 server_arg = g_inet_address_to_string (address);
@@ -218,6 +223,7 @@ void
 realm_adcli_enroll_delete_async (RealmDisco *disco,
 RealmCredential *cred,
 GVariant *options,
+ gboolean use_ldaps,
 GDBusMethodInvocation *invocation,
 GAsyncReadyCallback callback,
 gpointer user_data)
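Review bot: In the `@@ -102,6 +103,10 @@` hunk the `--use-ldaps` argument is appended whenever `use_ldaps` is set, with no check that the adcli binary on the host accepts that option, so on an older adcli the join would presumably fail at adcli's option parsing with an unrelated-looking error instead of a clear "ldaps unsupported" diagnostic. The identical block in the `realm_adcli_enroll_delete_async` hunk (`@@ -246,6 +252,10 @@`) has the same gap. If realmd already probes adcli's capabilities somewhere, gate the flag on that; otherwise a comment such as `/* --use-ldaps requires an adcli that understands it; older builds reject the option */` at least records the dependency next to the code. Both enclosing functions continue outside their hunks.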
@@ -246,6 +252,10 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
 g_ptr_array_add (args, "--domain-realm");
 g_ptr_array_add (args, (gpointer)disco->kerberos_realm);
 
+ if (use_ldaps) {
+ g_ptr_array_add (args, "--use-ldaps");
+ }
+
 if (G_IS_INET_SOCKET_ADDRESS (disco->server_address)) {
 address = g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (disco->server_address));
 server_arg = g_inet_address_to_string (address);
diff --git a/service/realm-adcli-enroll.h b/service/realm-adcli-enroll.h
index 855b2f7..3f535d0 100644
--- a/service/realm-adcli-enroll.h
+++ b/service/realm-adcli-enroll.h
@@ -29,6 +29,7 @@ G_BEGIN_DECLS
 void realm_adcli_enroll_join_async (RealmDisco *disco,
 RealmCredential *cred,
 GVariant *options,
+ gboolean use_ldaps,
 GDBusMethodInvocation *invocation,
 GAsyncReadyCallback callback,
 gpointer user_data);
@@ -39,6 +40,7 @@ gboolean realm_adcli_enroll_join_finish (GAsyncResult *result,
 void realm_adcli_enroll_delete_async (RealmDisco *disco,
 RealmCredential *cred,
 GVariant *options,
+ gboolean use_ldaps,
 GDBusMethodInvocation *invocation,
 GAsyncReadyCallback callback,
 gpointer user_data);
diff --git a/service/realm-samba.c b/service/realm-samba.c
index e7b80a0..7aa5416 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -257,7 +257,8 @@ on_install_do_join (GObject *source,
 }
 
 static gboolean
-validate_membership_options (GVariant *options,
+validate_membership_options (EnrollClosure *enroll,
+ GVariant *options,
 GError **error)
 {
 const gchar *software;
@@ -271,6 +272,12 @@ validate_membership_options (GVariant *options,
 }
 }
 
+ if (realm_option_use_ldaps (options)) {
+ realm_diagnostics_info (enroll->invocation,
+ "Membership software %s does "
+ "not support ldaps, trying without.",
+ software);
+ }
 return TRUE;
 }
 
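Review bot: The new `use_ldaps` parameter in the `realm_adcli_enroll_join_async` prototype (`@@ -29,6 +29,7 @@`) is undocumented, and nothing in the header says how it relates to `options`, even though the callers in the sssd-ad and samba hunks derive it from `realm_option_use_ldaps (options)`. A one-line comment above the declaration would tell callers what to pass, e.g. `/* use_ldaps: TRUE to run adcli with --use-ldaps (LDAP over TLS); callers obtain it from realm_option_use_ldaps (options) */`. The same applies to the `realm_adcli_enroll_delete_async` declaration in the following hunk.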
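Review bot: In the `@@ -271,6 +272,12 @@` hunk of realm-samba.c, a caller that explicitly requested ldaps gets only an info-level diagnostic and the join continues without the transport protection it asked for, which is a silent downgrade of a security-relevant option. This function already takes `GError **error` and returns FALSE for unsupported option combinations, so the fail-closed alternative is to set an error in the `REALM_ERROR` domain here and let the caller decide to retry without ldaps; if the downgrade is intentional, the message should at least say the option is being ignored rather than "trying without". `software` is declared at the top of the function but the hunk does not show where it is assigned; if it can be unset on this path the `%s` would format a NULL pointer, which is worth confirming. Dereferencing `enroll->invocation` unconditionally also relies on `realm_samba_join_async` having allocated `enroll` before the call shown in the next hunk, which the diff does not show.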
@@ -303,7 +310,7 @@ realm_samba_join_async (RealmKerberosMembership *membership,
 g_task_return_new_error (task, REALM_ERROR, REALM_ERROR_ALREADY_CONFIGURED,
 _("Already joined to a domain"));
 
- } else if (!validate_membership_options (options, &error)) {
+ } else if (!validate_membership_options (enroll, options, &error)) {
 g_task_return_error (task, error);
 
 } else {
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 6b2f9f8..00a9093 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -98,6 +98,7 @@ typedef struct {
 GVariant *options;
 RealmDisco *disco;
 gboolean use_adcli;
+ gboolean use_ldaps;
 const gchar **packages;
 } JoinClosure;
 
@@ -294,6 +295,7 @@ on_install_do_join (GObject *source,
 realm_adcli_enroll_join_async (join->disco,
 join->cred,
 join->options,
+ join->use_ldaps,
 join->invocation,
 on_join_do_sssd,
 g_object_ref (task));
@@ -347,6 +349,19 @@ parse_join_options (JoinClosure *join,
 return FALSE;
 }
 
+ /*
+ * Check if ldaps should be used and if membership software supports
+ * it.
+ */
+ join->use_ldaps = realm_option_use_ldaps (options);
+ if (join->use_ldaps &&
+ g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
+ realm_diagnostics_info (join->invocation,
+ "Membership software %s does "
+ "not support ldaps, trying "
+ "without.", software);
+ }
+
 /*
 * If we are enrolling with a user password, then we have to use samba,
 * adcli only supports admin passwords.
@@ -523,6 +538,7 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
 GTask *task;
 LeaveClosure *leave;
 gchar *tags;
+ gboolean use_ldaps = FALSE;
 
 task = g_task_new (self, NULL, callback, user_data);
 
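Review bot: In the `@@ -347,6 +349,19 @@` hunk of realm-sssd-ad.c the ldaps warning is keyed on the explicitly requested `software`, but the comment immediately below says a user password forces samba; if that later branch clears `join->use_adcli`, a caller that asked for ldaps gets neither the option nor the diagnostic (the rest of `parse_join_options` is outside the hunk, so this is inferred from that comment). Moving the check after the final adcli/samba decision and keying it on the outcome, e.g. `if (join->use_ldaps && !join->use_adcli) { realm_diagnostics_info (join->invocation, ...); }`, would cover both ways of ending up on samba. The "does not support ldaps, trying without" message now exists in three places (here, `validate_membership_options` in realm-samba.c, and `realm_sssd_ad_leave_async`), and the leave variant drops the `%s`; a single helper would keep wording and severity consistent. Whether the requested protection may be dropped with only an info-level message is a policy question worth an explicit comment here, since the caller asked for ldaps and the join proceeds without it.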
@@ -551,10 +567,19 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
 leave->invocation = g_object_ref (invocation);
 leave->use_adcli = strstr (tags ? tags : "", "joined-with-adcli") ? TRUE : FALSE;
 g_task_set_task_data (task, leave, leave_closure_free);
+
+ use_ldaps = realm_option_use_ldaps (options);
 if (leave->use_adcli) {
- realm_adcli_enroll_delete_async (disco, cred, options, invocation,
+ realm_adcli_enroll_delete_async (disco, cred, options,
+ use_ldaps, invocation,
 on_leave_do_deconfigure, g_object_ref (task));
 } else {
+ if (use_ldaps) {
+ realm_diagnostics_info (leave->invocation,
+ "Membership software does "
+ "not support ldaps, trying "
+ "without.");
+ }
 realm_samba_enroll_leave_async (disco, cred, options, invocation,
 on_leave_do_deconfigure, g_object_ref (task));
 }
-- 
2.26.2
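Review bot: `use_ldaps` is kept as a local in `realm_sssd_ad_leave_async` and read after `g_task_set_task_data`, whereas the join path stores the same flag in `JoinClosure`; storing it in `LeaveClosure` next to `use_adcli` would keep the two paths symmetrical (assuming `LeaveClosure` mirrors `JoinClosure`, which is outside the hunk). That also removes the need for the `= FALSE` initializer added at the declaration in the previous hunk, since the value is assigned unconditionally before use. The assignment could then sit beside the other closure fields, e.g. `leave->use_ldaps = realm_option_use_ldaps (options);`.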