From da0be382d95f0bdbc6ad5ccb68503456c2ee858b Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Thu, 26 Sep 2019 20:27:09 +0200

Subject: [PATCH 11/13] ad: add ad_use_ldaps

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

With this new boolean option the AD provider should only use the LDAPS

port 636 and the Global Catalog port 3629 which is TLS protected as

well.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

 src/config/SSSDConfig/__init__.py.in      |  1 +

 src/config/cfg_rules.ini                  |  1 +

 src/config/etc/sssd.api.d/sssd-ad.conf    |  1 +

 src/man/sssd-ad.5.xml                     | 20 +++++++++++++++++++

 src/providers/ad/ad_common.c              | 24 +++++++++++++++++++----

 src/providers/ad/ad_common.h              |  8 +++++++-

 src/providers/ad/ad_init.c                |  8 +++++++-

 src/providers/ad/ad_opts.c                |  1 +

 src/providers/ad/ad_srv.c                 | 16 ++++++++++++---

 src/providers/ad/ad_srv.h                 |  3 ++-

 src/providers/ad/ad_subdomains.c          | 21 ++++++++++++++++++--

 src/providers/ipa/ipa_subdomains_server.c |  4 ++--

 12 files changed, 94 insertions(+), 14 deletions(-)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in

index eba89b461..84631862a 100644

--- a/src/config/SSSDConfig/__init__.py.in

+++ b/src/config/SSSDConfig/__init__.py.in

@@ -252,6 +252,7 @@ option_strings = {

     'ad_site' : _('a particular site to be used by the client'),

     'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),

     'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),

+    'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),

     # [provider/krb5]

     'krb5_kdcip' : _('Kerberos server address'),

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini

index c56d5a668..1034a1fd6 100644

--- a/src/config/cfg_rules.ini

+++ b/src/config/cfg_rules.ini

@@ -464,6 +464,7 @@ option = ad_machine_account_password_renewal_opts

 option = ad_maximum_machine_account_password_age

 option = ad_server

 option = ad_site

+option = ad_use_ldaps

 # IPA provider specific options

 option = ipa_anchor_uuid

diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf

index aaa0b2345..a2af72603 100644

--- a/src/config/etc/sssd.api.d/sssd-ad.conf

+++ b/src/config/etc/sssd.api.d/sssd-ad.conf

@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false

 ad_site = str, None, false

 ad_maximum_machine_account_password_age = int, None, false

 ad_machine_account_password_renewal_opts = str, None, false

+ad_use_ldaps = bool, None, false

 ldap_uri = str, None, false

 ldap_backup_uri = str, None, false

 ldap_search_base = str, None, false

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml

index fdcb4e4b9..ade56cd6d 100644

--- a/src/man/sssd-ad.5.xml

+++ b/src/man/sssd-ad.5.xml

@@ -1015,6 +1015,26 @@ ad_gpo_map_deny = +my_pam_service

                     </listitem>

                 </varlistentry>

+                <varlistentry>

+                   <term>ad_use_ldaps (bool)</term>

+                    <listitem>

+                        <para>

+                            By default SSSD uses the plain LDAP port 389 and the

+                            Global Catalog port 3628. If this option is set to

+                            True SSSD will use the LDAPS port 636 and Global

+                            Catalog port 3629 with LDAPS protection. Since AD

+                            does not allow to have multiple encryption layers on

+                            a single connection and we still want to use

+                            SASL/GSSAPI or SASL/GSS-SPNEGO for authentication

+                            the SASL security property maxssf is set to 0 (zero)

+                            for those connections.

+                        </para>

+                        <para>

+                            Default: False

+                        </para>

+                    </listitem>

+                </varlistentry>

+

                 <varlistentry>

                     <term>dyndns_update (boolean)</term>

                     <listitem>

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c

index 600e3ceb2..a2369166a 100644

--- a/src/providers/ad/ad_common.c

+++ b/src/providers/ad/ad_common.c

@@ -729,6 +729,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,

                  const char *ad_gc_service,

                  const char *ad_domain,

                  bool use_kdcinfo,

+                 bool ad_use_ldaps,

                  size_t n_lookahead_primary,

                  size_t n_lookahead_backup,

                  struct ad_service **_service)

@@ -746,6 +747,16 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,

         goto done;

     }

+    if (ad_use_ldaps) {

+        service->ldap_scheme = "ldaps";

+        service->port = LDAPS_PORT;

+        service->gc_port = AD_GC_LDAPS_PORT;

+    } else {

+        service->ldap_scheme = "ldap";

+        service->port = LDAP_PORT;

+        service->gc_port = AD_GC_PORT;

+    }

+

     service->sdap = talloc_zero(service, struct sdap_service);

     service->gc = talloc_zero(service, struct sdap_service);

     if (!service->sdap || !service->gc) {

@@ -927,7 +938,8 @@ ad_resolve_callback(void *private_data, struct fo_server *server)

         goto done;

     }

-    new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);

+    new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,

+                                                        srv_name);

     if (!new_uri) {

         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");

         ret = ENOMEM;

@@ -935,7 +947,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)

     }

     DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);

-    sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);

+    sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);

     if (sockaddr == NULL) {

         DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");

         ret = EIO;

@@ -951,8 +963,12 @@ ad_resolve_callback(void *private_data, struct fo_server *server)

     talloc_zfree(service->gc->uri);

     talloc_zfree(service->gc->sockaddr);

     if (sdata && sdata->gc) {

-        new_port = fo_get_server_port(server);

-        new_port = (new_port == 0) ? AD_GC_PORT : new_port;

+        if (service->gc_port == AD_GC_LDAPS_PORT) {

+            new_port = service->gc_port;

+        } else {

+            new_port = fo_get_server_port(server);

+            new_port = (new_port == 0) ? service->gc_port : new_port;

+        }

         service->gc->uri = talloc_asprintf(service->gc, "%s:%d",

                                            new_uri, new_port);

diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h

index 75f11de2e..820e06124 100644

--- a/src/providers/ad/ad_common.h

+++ b/src/providers/ad/ad_common.h

@@ -29,7 +29,8 @@

 #define AD_SERVICE_NAME    "AD"

 #define AD_GC_SERVICE_NAME "AD_GC"

 /* The port the Global Catalog runs on */

-#define AD_GC_PORT      3268

+#define AD_GC_PORT         3268

+#define AD_GC_LDAPS_PORT   3269

 #define AD_AT_OBJECT_SID "objectSID"

 #define AD_AT_DNS_DOMAIN "DnsDomain"

@@ -67,6 +68,7 @@ enum ad_basic_opt {

     AD_KRB5_CONFD_PATH,

     AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,

     AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,

+    AD_USE_LDAPS,

     AD_OPTS_BASIC /* opts counter */

 };

@@ -82,6 +84,9 @@ struct ad_service {

     struct sdap_service *sdap;

     struct sdap_service *gc;

     struct krb5_service *krb5_service;

+    const char *ldap_scheme;

+    int port;

+    int gc_port;

 };

 struct ad_options {

@@ -147,6 +152,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,

                  const char *ad_gc_service,

                  const char *ad_domain,

                  bool use_kdcinfo,

+                 bool ad_use_ldaps,

                  size_t n_lookahead_primary,

                  size_t n_lookahead_backup,

                  struct ad_service **_service);

diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c

index 290d5b5c1..2b4b9e2e7 100644

--- a/src/providers/ad/ad_init.c

+++ b/src/providers/ad/ad_init.c

@@ -138,6 +138,7 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,

     char *ad_servers = NULL;

     char *ad_backup_servers = NULL;

     char *ad_realm;

+    bool ad_use_ldaps = false;

     errno_t ret;

     ad_sasl_initialize();

@@ -154,12 +155,14 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,

     ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);

     ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);

     ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);

+    ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);

     /* Set up the failover service */

     ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,

                            ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,

                            dp_opt_get_string(ad_options->basic, AD_DOMAIN),

                            false, /* will be set in ad_get_auth_options() */

+                           ad_use_ldaps,

                            (size_t) -1,

                            (size_t) -1,

                            &ad_options->service);

@@ -184,11 +187,13 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,

     const char *ad_site_override;

     bool sites_enabled;

     errno_t ret;

+    bool ad_use_ldaps;

     hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);

     ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);

     ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);

     sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);

+    ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);

     if (!sites_enabled) {

@@ -205,7 +210,8 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,

     srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,

                                      default_host_dbs, ad_options->id,

                                      hostname, ad_domain,

-                                     ad_site_override);

+                                     ad_site_override,

+                                     ad_use_ldaps);

     if (srv_ctx == NULL) {

         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");

         return ENOMEM;

diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c

index 1293219ee..30f9b62fd 100644

--- a/src/providers/ad/ad_opts.c

+++ b/src/providers/ad/ad_opts.c

@@ -54,6 +54,7 @@ struct dp_option ad_basic_opts[] = {

     { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },

     { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },

     { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },

+    { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },

     DP_OPTION_TERMINATOR

 };

diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c

index 5fd25f60e..ca15d3715 100644

--- a/src/providers/ad/ad_srv.c

+++ b/src/providers/ad/ad_srv.c

@@ -244,6 +244,7 @@ struct ad_get_client_site_state {

     enum host_database *host_db;

     struct sdap_options *opts;

     const char *ad_domain;

+    bool ad_use_ldaps;

     struct fo_server_info *dcs;

     size_t num_dcs;

     size_t dc_index;

@@ -264,6 +265,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,

                                            enum host_database *host_db,

                                            struct sdap_options *opts,

                                            const char *ad_domain,

+                                           bool ad_use_ldaps,

                                            struct fo_server_info *dcs,

                                            size_t num_dcs)

 {

@@ -288,6 +290,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,

     state->host_db = host_db;

     state->opts = opts;

     state->ad_domain = ad_domain;

+    state->ad_use_ldaps = ad_use_ldaps;

     state->dcs = dcs;

     state->num_dcs = num_dcs;

@@ -331,8 +334,11 @@ static errno_t ad_get_client_site_next_dc(struct tevent_req *req)

     subreq = sdap_connect_host_send(state, state->ev, state->opts,

                                     state->be_res->resolv,

                                     state->be_res->family_order,

-                                    state->host_db, "ldap", state->dc.host,

-                                    state->dc.port, false);

+                                    state->host_db,

+                                    state->ad_use_ldaps ? "ldaps" : "ldap",

+                                    state->dc.host,

+                                    state->ad_use_ldaps ? 636 : state->dc.port,

+                                    false);

     if (subreq == NULL) {

         ret = ENOMEM;

         goto done;

@@ -491,6 +497,7 @@ struct ad_srv_plugin_ctx {

     const char *ad_domain;

     const char *ad_site_override;

     const char *current_site;

+    bool ad_use_ldaps;

 };

 struct ad_srv_plugin_ctx *

@@ -501,7 +508,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,

                        struct sdap_options *opts,

                        const char *hostname,

                        const char *ad_domain,

-                       const char *ad_site_override)

+                       const char *ad_site_override,

+                       bool ad_use_ldaps)

 {

     struct ad_srv_plugin_ctx *ctx = NULL;

     errno_t ret;

@@ -515,6 +523,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,

     ctx->be_res = be_res;

     ctx->host_dbs = host_dbs;

     ctx->opts = opts;

+    ctx->ad_use_ldaps = ad_use_ldaps;

     ctx->hostname = talloc_strdup(ctx, hostname);

     if (ctx->hostname == NULL) {

@@ -714,6 +723,7 @@ static void ad_srv_plugin_dcs_done(struct tevent_req *subreq)

                                      state->ctx->host_dbs,

                                      state->ctx->opts,

                                      state->discovery_domain,

+                                     state->ctx->ad_use_ldaps,

                                      dcs, num_dcs);

     if (subreq == NULL) {

         ret = ENOMEM;

diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h

index e553d594d..8e410ec26 100644

--- a/src/providers/ad/ad_srv.h

+++ b/src/providers/ad/ad_srv.h

@@ -31,7 +31,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,

                        struct sdap_options *opts,

                        const char *hostname,

                        const char *ad_domain,

-                       const char *ad_site_override);

+                       const char *ad_site_override,

+                       bool ad_use_ldaps);

 struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,

                                        struct tevent_context *ev,

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c

index 2ce34489f..d8c201437 100644

--- a/src/providers/ad/ad_subdomains.c

+++ b/src/providers/ad/ad_subdomains.c

@@ -282,6 +282,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,

     bool use_kdcinfo = false;

     size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;

     size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;

+    bool ad_use_ldaps = false;

     realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);

     hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);

@@ -312,6 +313,21 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,

         return ENOMEM;

     }

+    ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,

+                                    ad_options->basic,

+                                    be_ctx->cdb, subdom_conf_path,

+                                    AD_USE_LDAPS);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Failed to inherit option [%s] to sub-domain [%s]. "

+              "This error is ignored but might cause issues or unexpected "

+              "behavior later on.\n",

+              id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,

+              subdom->name);

+

+        return ret;

+    }

+

     ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,

                                     ad_options->id->basic,

                                     be_ctx->cdb, subdom_conf_path,

@@ -344,6 +360,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,

     servers = dp_opt_get_string(ad_options->basic, AD_SERVER);

     backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);

+    ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);

     if (id_ctx->ad_options->auth_ctx != NULL

             && id_ctx->ad_options->auth_ctx->opts != NULL) {

@@ -362,7 +379,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,

     ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,

                            subdom->realm, service_name, gc_service_name,

-                           subdom->name, use_kdcinfo,

+                           subdom->name, use_kdcinfo, ad_use_ldaps,

                            n_lookahead_primary,

                            n_lookahead_backup,

                            &ad_options->service);

@@ -386,7 +403,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,

                                      ad_id_ctx->ad_options->id,

                                      hostname,

                                      ad_domain,

-                                     ad_site_override);

+                                     ad_site_override, ad_use_ldaps);

     if (srv_ctx == NULL) {

         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");

         return ENOMEM;

diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c

index fd998877b..9aebf72a5 100644

--- a/src/providers/ipa/ipa_subdomains_server.c

+++ b/src/providers/ipa/ipa_subdomains_server.c

@@ -319,7 +319,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,

     ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,

                            subdom->realm,

                            service_name, gc_service_name,

-                           subdom->name, use_kdcinfo,

+                           subdom->name, use_kdcinfo, false,

                            n_lookahead_primary, n_lookahead_backup,

                            &ad_options->service);

     if (ret != EOK) {

@@ -344,7 +344,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,

                                      ad_id_ctx->ad_options->id,

                                      id_ctx->server_mode->hostname,

                                      ad_domain,

-                                     ad_site_override);

+                                     ad_site_override, false);

     if (srv_ctx == NULL) {

         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");

         return ENOMEM;

-- 

2.20.1