From a1c732637f1ed984e1ff76fa8179d6fd3aa036fb Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Mon, 18 Nov 2019 17:42:11 +0100
Subject: [PATCH 206/208] param: Do not use weak crypto in ldap server if disallowed
Signed-off-by: Andreas Schneider
---
 .../ldap/ldapserverrequirestrongauth.xml | 5 +++++
 lib/param/loadparm.c | 8 ++++++++
 source3/include/proto.h | 1 +
 source3/param/loadparm.c | 14 +++++++++++++-
 4 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
index 02bdd811491..e40ac06dfe6 100644
--- a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
@@ -2,6 +2,7 @@ context="G" type="enum" enumlist="enum_ldap_server_require_strong_auth_vals"
+ function="_ldap_server_require_strong_auth"
 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
@@ -21,6 +22,10 @@ A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
+
+ If weak cryptography is not allowed by the system, then this
+ variable will default to allow_sasl_over_tls
+ and setting it to no will not have any effect.
 yes
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 41a4c110195..b1497f00aaa 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -105,6 +105,14 @@ int lpcfg_kerberos_encryption_types(struct loadparm_context *lp_ctx)
 return lpcfg__kerberos_encryption_types(lp_ctx);
 }
+enum ldap_server_require_strong_auth lpcfg_ldap_server_require_strong_auth(struct loadparm_context *lp_ctx)
+{
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
+ }
+
+ return lpcfg__ldap_server_require_strong_auth(lp_ctx);
+}
 enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx)
 {
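Review bot: lpcfg_ldap_server_require_strong_auth in lib/param/loadparm.c forces LDAP_SERVER_REQUIRE_STRONG_AUTH_YES whenever weak crypto is disallowed, while the source3 counterpart lp_ldap_server_require_strong_auth added in source3/param/loadparm.c only raises the configured value to LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, and the new documentation text in ldapserverrequirestrongauth.xml describes the source3 behaviour ("will default to allow_sasl_over_tls"). The two accessors therefore answer the same question differently depending on which parameter layer a caller goes through: the lib/param path also rejects simple binds over TLS, which the documentation says stay allowed. Unless forcing `yes` is intentional for this layer (in which case the XML should say so), align it with source3 and the docs: `return MAX(lpcfg__ldap_server_require_strong_auth(lp_ctx), LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS);` (MAX is the macro the source3 hunk already uses; confirm it is in scope here). A one-line comment on the branch stating the floor being enforced would also help, since nothing in either function says why the configured value is being overridden.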
diff --git a/source3/include/proto.h b/source3/include/proto.h
index aaa101fc63c..c758c31ea67 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -756,6 +756,7 @@ int lp_rpc_low_port(void);
 int lp_rpc_high_port(void);
 bool lp_lanman_auth(void);
 int lp_kerberos_encryption_types(void);
+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void);
 enum samba_weak_crypto lp_weak_crypto(void);
 int lp_wi_scan_global_parametrics(
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index e68140ae5f0..da2af1f9f46 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -754,7 +754,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
- Globals.ldap_server_require_strong_auth =
+ Globals._ldap_server_require_strong_auth =
 LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
 /* This is what we tell the afs client. in reality we set the token
@@ -4688,6 +4688,18 @@ int lp_kerberos_encryption_types(void)
 return lp__kerberos_encryption_types();
 }
+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void)
+{
+ enum ldap_server_require_strong_auth a =
+ lp__ldap_server_require_strong_auth();
+
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return MAX(a, LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS);
+ }
+
+ return a;
+}
+
 struct loadparm_global * get_globals(void)
 {
 return &Globals;
-- 
2.23.0
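Review bot: `return MAX(a, LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS);` in lp_ldap_server_require_strong_auth relies on the enum's numeric order being no < allow_sasl_over_tls < yes, which nothing in this hunk states; if the enum is ever reordered the clamp silently inverts, so the assumption deserves a comment such as `/* enum values are ordered by strictness; with weak crypto disallowed the floor is ALLOW_SASL_OVER_TLS */`. An explicitly configured `ldap server require strong auth = no` is also overridden here on every read with no trace in the logs; emitting a single warning at config-load time when the configured value is below the enforced floor would let operators learn that their setting is ignored from the log rather than from failing binds (I cannot see from this page whether loadparm already has a hook for such post-load checks). The function is otherwise self-contained within the hunk.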