From 13f302652f6069490dfde41dd33e5aaa17efa5e7 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 30 Oct 2020 17:22:13 +0100 Subject: [PATCH 5/6] tools: add --use-ldaps option for discover, join and leave Add --use-ldaps option to the realm command to be able to ask the realmd service to use ldaps where possible. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964 --- doc/manual/realm.xml | 34 ++++++++++++++++++++++++++++++++++ doc/manual/realmd.conf.xml | 21 +++++++++++++++++++++ tools/realm-client.c | 2 ++ tools/realm-client.h | 1 + tools/realm-discover.c | 7 ++++++- tools/realm-join.c | 6 +++++- tools/realm-leave.c | 15 +++++++++++---- 7 files changed, 80 insertions(+), 6 deletions(-) diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml index e5d4608..01af62e 100644 --- a/doc/manual/realm.xml +++ b/doc/manual/realm.xml @@ -134,6 +134,11 @@ $ realm discover domain.example.com Possible values include samba or adcli. + + + See option description in + . + @@ -276,6 +281,30 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com principal besides the AD default user principal can be set. + + + Use the ldaps port when connecting to AD + where possible. In general this option is not needed + because realmd itself only read + public information from the Active Directory domain + controller which is available anonymously. The + supported membership software products will use + encrypted connections protected with GSS-SPNEGO/GSSAPI + which offers a comparable level of security than ldaps. + This option is only needed if the standard LDAP port + (389/tcp) is blocked by a firewall and only the LDAPS + port (636/tcp) is available. + + If this option is set to + yes realmd + will use the ldaps port when reading the rootDSE and + call the adcli membership software + with the option . The Samba + base membership currently offers only deprecated ways + to enable ldaps. Support will be added in + realmd when a new way is available. + + 
@@ -326,6 +355,11 @@ $ realm leave domain.example.com with when leaving the realm. You will be prompted for a password. Implies . + + + See option description in + . + diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml index 97d2e8d..72b706c 100644 --- a/doc/manual/realmd.conf.xml +++ b/doc/manual/realmd.conf.xml @@ -141,6 +141,27 @@ domain.example.com + + + Use the ldaps port when connecting to AD where possible. + In general this option is not needed because realmd + itself only read public information from the Active Directory domain + controller which is available anonymously. The supported membership + software products will use encrypted connections protected with + GSS-SPNEGO/GSSAPI which offers a comparable level of security than + ldaps. This option is only needed if the standard LDAP port (389/tcp) + is blocked by a firewall and only the LDAPS port (636/tcp) is + available. + + If this option is set to yes + realmd will use the ldaps port when reading the + rootDSE and call the adcli membership software with + the option . The Samba base membership + currently offers only deprecated ways to enable ldaps. Support will be + added in realmd when a new way is available. + + + (see below) diff --git a/tools/realm-client.c b/tools/realm-client.c index 2f102db..c386e64 100644 --- a/tools/realm-client.c +++ b/tools/realm-client.c @@ -353,6 +353,7 @@ realm_client_get_provider (RealmClient *self) GList * realm_client_discover (RealmClient *self, const gchar *string, + gboolean use_ldaps, const gchar *client_software, const gchar *server_software, const gchar *membership_software, @@ -381,6 +382,7 @@ realm_client_discover (RealmClient *self, options = realm_build_options (REALM_DBUS_OPTION_CLIENT_SOFTWARE, client_software, REALM_DBUS_OPTION_SERVER_SOFTWARE, server_software, REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, membership_software, + REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False", NULL); /* Start actual operation */ 
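Review bot: The wire spelling of the boolean, `use_ldaps ? "True" : "False"`, is introduced here in the realm_client_discover options block and repeated verbatim in realm-join.c (perform_join) and realm-leave.c (perform_user_leave); a single helper in realm-client.h, e.g. `static inline const gchar *realm_bool_option (gboolean value) { return value ? "True" : "False"; }`, would keep the format the service expects in one place. A short comment at the call, `/* realmd reads this option as the strings "True"/"False" */`, would also tell the next reader why a gboolean is marshalled as a string; I am inferring the string form from the neighbouring REALM_DBUS_OPTION_* arguments, not from the service side, so worth confirming. The body of realm_client_discover continues outside the hunk.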
diff --git a/tools/realm-client.h b/tools/realm-client.h index 5ecf2de..e9e50cd 100644 --- a/tools/realm-client.h +++ b/tools/realm-client.h @@ -40,6 +40,7 @@ RealmDbusProvider * realm_client_get_provider (RealmClien GList * realm_client_discover (RealmClient *self, const gchar *string, + gboolean use_ldaps, const gchar *client_software, const gchar *server_software, const gchar *membership_software, diff --git a/tools/realm-discover.c b/tools/realm-discover.c index 8dde4ed..c0acd79 100644 --- a/tools/realm-discover.c +++ b/tools/realm-discover.c @@ -116,6 +116,7 @@ perform_discover (RealmClient *client, const gchar *string, gboolean all, gboolean name_only, + gboolean use_ldaps, const gchar *server_software, const gchar *client_software, const gchar *membership_software) @@ -127,7 +128,7 @@ perform_discover (RealmClient *client, GList *realms; GList *l; - realms = realm_client_discover (client, string, client_software, + realms = realm_client_discover (client, string, use_ldaps, client_software, server_software, membership_software, REALM_DBUS_REALM_INTERFACE, NULL, &error); @@ -173,6 +174,7 @@ realm_discover (RealmClient *client, GError *error = NULL; gboolean arg_all = FALSE; gboolean arg_name_only = FALSE; + gboolean arg_use_ldaps = FALSE; gint result = 0; gint ret; gint i; @@ -183,6 +185,7 @@ realm_discover (RealmClient *client, { "client-software", 0, 0, G_OPTION_ARG_STRING, &arg_client_software, N_("Use specific client software"), NULL }, { "membership-software", 0, 0, G_OPTION_ARG_STRING, &arg_membership_software, N_("Use specific membership software"), NULL }, { "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL }, + { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL }, { NULL, } }; 
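Review bot: The new option entry's help text in realm-discover.c, `N_("Use ldaps to connect to LDAP")`, promises more than the patch delivers: the manual text added in this same patch says ldaps is used only "where possible" and that the Samba membership path does not support it yet, so the string (and its copies in realm-join.c and realm-leave.c) should say so, e.g. `N_("Use the ldaps port to connect to the domain controller where possible")`. The `gboolean use_ldaps` parameter added to the realm_client_discover prototype in realm-client.h also carries no comment; a one-liner such as `/* use_ldaps: ask realmd to prefer the ldaps port; best effort, see the --use-ldaps description in doc/manual/realm.xml */` would document the contract where callers look it up. The bodies of perform_discover and realm_discover continue outside these hunks.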
@@ -200,6 +203,7 @@ realm_discover (RealmClient *client, } else if (argc == 1) { result = perform_discover (client, NULL, arg_all, arg_name_only, + arg_use_ldaps, arg_server_software, arg_client_software, arg_membership_software); @@ -209,6 +213,7 @@ realm_discover (RealmClient *client, for (i = 1; i < argc; i++) { ret = perform_discover (client, argv[i], arg_all, arg_name_only, + arg_use_ldaps, arg_server_software, arg_client_software, arg_membership_software); diff --git a/tools/realm-join.c b/tools/realm-join.c index 249f502..dbe6197 100644 --- a/tools/realm-join.c +++ b/tools/realm-join.c @@ -179,6 +179,7 @@ typedef struct { gchar *user_principal; gboolean automatic_id_mapping_set; gboolean automatic_id_mapping; + gboolean use_ldaps; } RealmJoinArgs; static void @@ -218,7 +219,7 @@ perform_join (RealmClient *client, GList *realms; gint ret; - realms = realm_client_discover (client, string, args->client_software, + realms = realm_client_discover (client, string, args->use_ldaps, args->client_software, args->server_software, args->membership_software, REALM_DBUS_KERBEROS_MEMBERSHIP_INTERFACE, &had_mismatched, &error); @@ -247,6 +248,7 @@ perform_join (RealmClient *client, REALM_DBUS_OPTION_OS_VERSION, args->os_version, REALM_DBUS_OPTION_MEMBERSHIP_SOFTWARE, args->membership_software, REALM_DBUS_OPTION_USER_PRINCIPAL, args->user_principal, + REALM_DBUS_OPTION_USE_LDAPS, args->use_ldaps ? "True" : "False", args->automatic_id_mapping_set ? REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING : NULL, args->automatic_id_mapping, @@ -310,6 +312,8 @@ realm_join (RealmClient *client, N_("User name to use for enrollment"), NULL }, { "user-principal", 0, 0, G_OPTION_ARG_STRING, &args.user_principal, N_("Set the user principal for the computer account"), NULL }, + { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &args.use_ldaps, + N_("Use ldaps to connect to LDAP"), NULL }, { NULL, } }; diff --git a/tools/realm-leave.c b/tools/realm-leave.c index 45a9c46..c88a110 100644 --- a/tools/realm-leave.c 
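Review bot: `gboolean use_ldaps;` is added to RealmJoinArgs without a comment, although the flag now drives two separate calls in perform_join: the realm_client_discover lookup and the REALM_DBUS_OPTION_USE_LDAPS option passed to the join itself; `gboolean use_ldaps;   /* prefer the ldaps port for discovery and for the join; best effort */` would make that visible at the declaration. The new G_OPTION_ARG_NONE entry relies on `args.use_ldaps` starting out FALSE, which holds only if `args` is zeroed before the option table is parsed; that initialization is outside the hunks shown, so it is worth confirming rather than assuming. The two perform_discover call sites in realm-discover.c are updated consistently with the new parameter order.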
+++ b/tools/realm-leave.c @@ -185,6 +185,7 @@ perform_deconfigure (RealmClient *client, static int perform_user_leave (RealmClient *client, + gboolean use_ldaps, RealmDbusKerberosMembership *membership, const gchar *user_name) { @@ -201,7 +202,8 @@ perform_user_leave (RealmClient *client, return 1; } - options = realm_build_options(NULL, NULL); + options = realm_build_options (REALM_DBUS_OPTION_USE_LDAPS, use_ldaps ? "True" : "False", + NULL); ret = call_leave (membership, credentials, options, &error); if (error != NULL) @@ -213,6 +215,7 @@ perform_user_leave (RealmClient *client, static int perform_leave (RealmClient *client, const gchar *realm_name, + gboolean use_ldaps, gboolean remove, const gchar *user_name, const gchar *client_software, @@ -239,7 +242,8 @@ perform_leave (RealmClient *client, if (!remove) ret = perform_deconfigure (client, realm); else - ret = perform_user_leave (client, membership, user_name); + ret = perform_user_leave (client, use_ldaps, membership, + user_name); g_object_unref (membership); g_object_unref (realm); @@ -259,6 +263,7 @@ realm_leave (RealmClient *client, gchar *arg_server_software = NULL; GError *error = NULL; const gchar *realm_name; + gboolean arg_use_ldaps = FALSE; gint ret = 0; GOptionEntry option_entries[] = { @@ -268,6 +273,7 @@ realm_leave (RealmClient *client, { "server-software", 0, 0, G_OPTION_ARG_STRING, &arg_server_software, N_("Use specific server software"), NULL }, { "user", 'U', 0, G_OPTION_ARG_STRING, &arg_user, N_("User name to use for removal"), NULL }, + { "use-ldaps", 0, 0, G_OPTION_ARG_NONE, &arg_use_ldaps, N_("Use ldaps to connect to LDAP"), NULL }, { NULL, } }; 
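Review bot: In perform_leave the new use_ldaps argument is forwarded only on the `--remove` branch (perform_user_leave); the perform_deconfigure branch ignores it, so `realm leave --use-ldaps` without `--remove` accepts the flag silently. If that is intended because a plain leave does not contact the domain controller (perform_deconfigure's body is outside the hunk, so I cannot confirm it), say so at the option entry, e.g. `/* only consulted together with --remove; a local deconfigure does not contact the DC */`, or state it in the realm.xml text for leave, which currently only refers to the join description. In perform_user_leave the former empty `realm_build_options (NULL, NULL)` is replaced by the REALM_DBUS_OPTION_USE_LDAPS pair, which keeps the NULL terminator; the rest of that function's body is outside the hunk.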
@@ -283,8 +289,9 @@ realm_leave (RealmClient *client, } else { realm_name = argc < 2 ? NULL : argv[1]; - ret = perform_leave (client, realm_name, arg_remove, arg_user, - arg_client_software, arg_server_software); + ret = perform_leave (client, realm_name, arg_use_ldaps, + arg_remove, arg_user, arg_client_software, + arg_server_software); } g_free (arg_user); -- 2.26.2