From a1c732637f1ed984e1ff76fa8179d6fd3aa036fb Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Mon, 18 Nov 2019 17:42:11 +0100

Subject: [PATCH 206/208] param: Do not use weak crypto in ldap server if

 disallowed

Signed-off-by: Andreas Schneider <asn@samba.org>

---

 .../ldap/ldapserverrequirestrongauth.xml           |  5 +++++

 lib/param/loadparm.c                               |  8 ++++++++

 source3/include/proto.h                            |  1 +

 source3/param/loadparm.c                           | 14 +++++++++++++-

 4 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml

index 02bdd811491..e40ac06dfe6 100644

--- a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml

+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml

@@ -2,6 +2,7 @@

                  context="G"

                  type="enum"

                  enumlist="enum_ldap_server_require_strong_auth_vals"

+                 function="_ldap_server_require_strong_auth"

                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">

 <description>

 	<para>

@@ -21,6 +22,10 @@

 	<para>A value of <emphasis>yes</emphasis> allows only simple binds

 	over TLS encrypted connections. Unencrypted connections only

 	allow sasl binds with sign or seal.</para>

+

+	<para>If weak cryptography is not allowed by the system, then this

+	variable will default to <constant>allow_sasl_over_tls</constant>

+	and setting it to <constant>no</constant> will not have any effect.</para>

 </description>

 <value type="default">yes</value>

 </samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c

index 41a4c110195..b1497f00aaa 100644

--- a/lib/param/loadparm.c

+++ b/lib/param/loadparm.c

@@ -105,6 +105,14 @@ int lpcfg_kerberos_encryption_types(struct loadparm_context *lp_ctx)

 	return lpcfg__kerberos_encryption_types(lp_ctx);

 }

+enum ldap_server_require_strong_auth lpcfg_ldap_server_require_strong_auth(struct loadparm_context *lp_ctx)

+{

+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {

+		return LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;

+	}

+

+	return lpcfg__ldap_server_require_strong_auth(lp_ctx);

+}

 enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx)

 {

diff --git a/source3/include/proto.h b/source3/include/proto.h

index aaa101fc63c..c758c31ea67 100644

--- a/source3/include/proto.h

+++ b/source3/include/proto.h

@@ -756,6 +756,7 @@ int lp_rpc_low_port(void);

 int lp_rpc_high_port(void);

 bool lp_lanman_auth(void);

 int lp_kerberos_encryption_types(void);

+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void);

 enum samba_weak_crypto lp_weak_crypto(void);

 int lp_wi_scan_global_parametrics(

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c

index e68140ae5f0..da2af1f9f46 100644

--- a/source3/param/loadparm.c

+++ b/source3/param/loadparm.c

@@ -754,7 +754,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)

 	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;

-	Globals.ldap_server_require_strong_auth =

+	Globals._ldap_server_require_strong_auth =

 		LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;

 	/* This is what we tell the afs client. in reality we set the token 

@@ -4688,6 +4688,18 @@ int lp_kerberos_encryption_types(void)

 	return lp__kerberos_encryption_types();

 }

+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void)

+{

+	enum ldap_server_require_strong_auth a =

+		lp__ldap_server_require_strong_auth();

+

+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {

+		return MAX(a, LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS);

+	}

+

+	return a;

+}

+

 struct loadparm_global * get_globals(void)

 {

 	return &Globals;

-- 

2.23.0