From a1c732637f1ed984e1ff76fa8179d6fd3aa036fb Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 18 Nov 2019 17:42:11 +0100
Subject: [PATCH 206/208] param: Do not use weak crypto in ldap server if
 disallowed

Signed-off-by: Andreas Schneider <asn@samba.org>
---
 .../ldap/ldapserverrequirestrongauth.xml           |  5 +++++
 lib/param/loadparm.c                               |  8 ++++++++
 source3/include/proto.h                            |  1 +
 source3/param/loadparm.c                           | 14 +++++++++++++-
 4 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
index 02bdd811491..e40ac06dfe6 100644
--- a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
@@ -2,6 +2,7 @@
                  context="G"
                  type="enum"
                  enumlist="enum_ldap_server_require_strong_auth_vals"
+                 function="_ldap_server_require_strong_auth"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 	<para>
@@ -21,6 +22,10 @@
 	<para>A value of <emphasis>yes</emphasis> allows only simple binds
 	over TLS encrypted connections. Unencrypted connections only
 	allow sasl binds with sign or seal.</para>
+
+	<para>If weak cryptography is not allowed by the system, then this
+	variable will default to <constant>allow_sasl_over_tls</constant>
+	and setting it to <constant>no</constant> will not have any effect.</para>
 </description>
 <value type="default">yes</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 41a4c110195..b1497f00aaa 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -105,6 +105,14 @@ int lpcfg_kerberos_encryption_types(struct loadparm_context *lp_ctx)
 	return lpcfg__kerberos_encryption_types(lp_ctx);
 }
 
+enum ldap_server_require_strong_auth lpcfg_ldap_server_require_strong_auth(struct loadparm_context *lp_ctx)
+{
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		return LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
+	}
+
+	return lpcfg__ldap_server_require_strong_auth(lp_ctx);
+}
 
 enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx)
 {
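Review bot: lpcfg_ldap_server_require_strong_auth() forces LDAP_SERVER_REQUIRE_STRONG_AUTH_YES whenever weak crypto is disallowed, while its source3 counterpart lp_ldap_server_require_strong_auth() in the last hunk only raises the configured value to LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, and the docs hunk promises exactly that weaker floor. An administrator who sets `allow_sasl_over_tls` therefore gets a different policy from this lib/param getter than from the source3 one, and the documentation describes only the source3 behaviour. Unless the stricter setting is deliberately intended here, the two should agree, e.g. `return MAX(lpcfg__ldap_server_require_strong_auth(lp_ctx), LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS);` (assuming MAX is in scope in this file as it is in source3 and the enum is ordered no < allow_sasl_over_tls < yes); otherwise the added doc paragraph should state that this code path forces `yes`.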
diff --git a/source3/include/proto.h b/source3/include/proto.h
index aaa101fc63c..c758c31ea67 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -756,6 +756,7 @@ int lp_rpc_low_port(void);
 int lp_rpc_high_port(void);
 bool lp_lanman_auth(void);
 int lp_kerberos_encryption_types(void);
+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void);
 enum samba_weak_crypto lp_weak_crypto(void);
 
 int lp_wi_scan_global_parametrics(
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index e68140ae5f0..da2af1f9f46 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -754,7 +754,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
 
-	Globals.ldap_server_require_strong_auth =
+	Globals._ldap_server_require_strong_auth =
 		LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
 
 	/* This is what we tell the afs client. in reality we set the token 
@@ -4688,6 +4688,18 @@ int lp_kerberos_encryption_types(void)
 	return lp__kerberos_encryption_types();
 }
 
+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void)
+{
+	enum ldap_server_require_strong_auth a =
+		lp__ldap_server_require_strong_auth();
+
+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		return MAX(a, LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS);
+	}
+
+	return a;
+}
+
 struct loadparm_global * get_globals(void)
 {
 	return &Globals;
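Review bot: The MAX() on enum values in lp_ldap_server_require_strong_auth() silently depends on the enumerators being declared in the order no < allow_sasl_over_tls < yes, which a reader of this file cannot see; a why-comment above the MAX() line would make that contract explicit, e.g. `/* Enum order is no < allow_sasl_over_tls < yes, so MAX() only raises the floor. */`. If the enum is ever reordered or extended, the clamp becomes wrong without any compiler diagnostic, so a compile-time assertion on the three enumerator values next to the enum definition would be worth considering if the codebase's compiler baseline permits one.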
-- 
2.23.0