|
 |
0d441c |
From da0be382d95f0bdbc6ad5ccb68503456c2ee858b Mon Sep 17 00:00:00 2001
|
|
|
0d441c |
From: Sumit Bose <sbose@redhat.com>
|
|
|
0d441c |
Date: Thu, 26 Sep 2019 20:27:09 +0200
|
|
|
0d441c |
Subject: [PATCH 11/13] ad: add ad_use_ldaps
|
|
|
0d441c |
MIME-Version: 1.0
|
|
|
0d441c |
Content-Type: text/plain; charset=UTF-8
|
|
|
0d441c |
Content-Transfer-Encoding: 8bit
|
|
|
0d441c |
|
|
|
0d441c |
With this new boolean option the AD provider should only use the LDAPS
|
|
|
0d441c |
port 636 and the Global Catalog port 3629 which is TLS protected as
|
|
|
0d441c |
well.
|
|
|
0d441c |
|
|
|
0d441c |
Related to https://pagure.io/SSSD/sssd/issue/4131
|
|
|
0d441c |
|
|
|
0d441c |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
0d441c |
---
|
|
|
0d441c |
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
|
0d441c |
src/config/cfg_rules.ini | 1 +
|
|
|
0d441c |
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
|
|
|
0d441c |
src/man/sssd-ad.5.xml | 20 +++++++++++++++++++
|
|
|
0d441c |
src/providers/ad/ad_common.c | 24 +++++++++++++++++++----
|
|
|
0d441c |
src/providers/ad/ad_common.h | 8 +++++++-
|
|
|
0d441c |
src/providers/ad/ad_init.c | 8 +++++++-
|
|
|
0d441c |
src/providers/ad/ad_opts.c | 1 +
|
|
|
0d441c |
src/providers/ad/ad_srv.c | 16 ++++++++++++---
|
|
|
0d441c |
src/providers/ad/ad_srv.h | 3 ++-
|
|
|
0d441c |
src/providers/ad/ad_subdomains.c | 21 ++++++++++++++++++--
|
|
|
0d441c |
src/providers/ipa/ipa_subdomains_server.c | 4 ++--
|
|
|
0d441c |
12 files changed, 94 insertions(+), 14 deletions(-)
|
|
|
0d441c |
|
|
|
0d441c |
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
|
0d441c |
index eba89b461..84631862a 100644
|
|
|
0d441c |
--- a/src/config/SSSDConfig/__init__.py.in
|
|
|
0d441c |
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
|
0d441c |
@@ -252,6 +252,7 @@ option_strings = {
|
|
|
0d441c |
'ad_site' : _('a particular site to be used by the client'),
|
|
|
0d441c |
'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
|
|
|
0d441c |
'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
|
|
|
0d441c |
+ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
|
|
|
0d441c |
|
|
|
0d441c |
# [provider/krb5]
|
|
|
0d441c |
'krb5_kdcip' : _('Kerberos server address'),
|
|
|
0d441c |
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
|
0d441c |
index c56d5a668..1034a1fd6 100644
|
|
|
0d441c |
--- a/src/config/cfg_rules.ini
|
|
|
0d441c |
+++ b/src/config/cfg_rules.ini
|
|
|
0d441c |
@@ -464,6 +464,7 @@ option = ad_machine_account_password_renewal_opts
|
|
|
0d441c |
option = ad_maximum_machine_account_password_age
|
|
|
0d441c |
option = ad_server
|
|
|
0d441c |
option = ad_site
|
|
|
0d441c |
+option = ad_use_ldaps
|
|
|
0d441c |
|
|
|
0d441c |
# IPA provider specific options
|
|
|
0d441c |
option = ipa_anchor_uuid
|
|
|
0d441c |
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
|
|
|
0d441c |
index aaa0b2345..a2af72603 100644
|
|
|
0d441c |
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
|
|
|
0d441c |
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
|
|
|
0d441c |
@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false
|
|
|
0d441c |
ad_site = str, None, false
|
|
|
0d441c |
ad_maximum_machine_account_password_age = int, None, false
|
|
|
0d441c |
ad_machine_account_password_renewal_opts = str, None, false
|
|
|
0d441c |
+ad_use_ldaps = bool, None, false
|
|
|
0d441c |
ldap_uri = str, None, false
|
|
|
0d441c |
ldap_backup_uri = str, None, false
|
|
|
0d441c |
ldap_search_base = str, None, false
|
|
|
0d441c |
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
|
|
0d441c |
index fdcb4e4b9..ade56cd6d 100644
|
|
|
0d441c |
--- a/src/man/sssd-ad.5.xml
|
|
|
0d441c |
+++ b/src/man/sssd-ad.5.xml
|
|
|
0d441c |
@@ -1015,6 +1015,26 @@ ad_gpo_map_deny = +my_pam_service
|
|
|
0d441c |
</listitem>
|
|
|
0d441c |
</varlistentry>
|
|
|
0d441c |
|
|
|
0d441c |
+ <varlistentry>
|
|
|
0d441c |
+ <term>ad_use_ldaps (bool)</term>
|
|
|
0d441c |
+ <listitem>
|
|
|
0d441c |
+ <para>
|
|
|
0d441c |
+ By default SSSD uses the plain LDAP port 389 and the
|
|
|
0d441c |
+ Global Catalog port 3628. If this option is set to
|
|
|
0d441c |
+ True SSSD will use the LDAPS port 636 and Global
|
|
|
0d441c |
+ Catalog port 3629 with LDAPS protection. Since AD
|
|
|
0d441c |
+ does not allow to have multiple encryption layers on
|
|
|
0d441c |
+ a single connection and we still want to use
|
|
|
0d441c |
+ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication
|
|
|
0d441c |
+ the SASL security property maxssf is set to 0 (zero)
|
|
|
0d441c |
+ for those connections.
|
|
|
0d441c |
+ </para>
|
|
|
0d441c |
+ <para>
|
|
|
0d441c |
+ Default: False
|
|
|
0d441c |
+ </para>
|
|
|
0d441c |
+ </listitem>
|
|
|
0d441c |
+ </varlistentry>
|
|
|
0d441c |
+
|
|
|
0d441c |
<varlistentry>
|
|
|
0d441c |
<term>dyndns_update (boolean)</term>
|
|
|
0d441c |
<listitem>
|
|
|
0d441c |
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
|
|
0d441c |
index 600e3ceb2..a2369166a 100644
|
|
|
0d441c |
--- a/src/providers/ad/ad_common.c
|
|
|
0d441c |
+++ b/src/providers/ad/ad_common.c
|
|
|
0d441c |
@@ -729,6 +729,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
|
|
|
0d441c |
const char *ad_gc_service,
|
|
|
0d441c |
const char *ad_domain,
|
|
|
0d441c |
bool use_kdcinfo,
|
|
|
0d441c |
+ bool ad_use_ldaps,
|
|
|
0d441c |
size_t n_lookahead_primary,
|
|
|
0d441c |
size_t n_lookahead_backup,
|
|
|
0d441c |
struct ad_service **_service)
|
|
|
0d441c |
@@ -746,6 +747,16 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
|
|
|
0d441c |
goto done;
|
|
|
0d441c |
}
|
|
|
0d441c |
|
|
|
0d441c |
+ if (ad_use_ldaps) {
|
|
|
0d441c |
+ service->ldap_scheme = "ldaps";
|
|
|
0d441c |
+ service->port = LDAPS_PORT;
|
|
|
0d441c |
+ service->gc_port = AD_GC_LDAPS_PORT;
|
|
|
0d441c |
+ } else {
|
|
|
0d441c |
+ service->ldap_scheme = "ldap";
|
|
|
0d441c |
+ service->port = LDAP_PORT;
|
|
|
0d441c |
+ service->gc_port = AD_GC_PORT;
|
|
|
0d441c |
+ }
|
|
|
0d441c |
+
|
|
|
0d441c |
service->sdap = talloc_zero(service, struct sdap_service);
|
|
|
0d441c |
service->gc = talloc_zero(service, struct sdap_service);
|
|
|
0d441c |
if (!service->sdap || !service->gc) {
|
|
|
0d441c |
@@ -927,7 +938,8 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
|
|
0d441c |
goto done;
|
|
|
0d441c |
}
|
|
|
0d441c |
|
|
|
0d441c |
- new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
|
|
|
0d441c |
+ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,
|
|
|
0d441c |
+ srv_name);
|
|
|
0d441c |
if (!new_uri) {
|
|
|
0d441c |
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
|
|
|
0d441c |
ret = ENOMEM;
|
|
|
0d441c |
@@ -935,7 +947,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
|
|
0d441c |
}
|
|
|
0d441c |
DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
|
|
|
0d441c |
|
|
|
0d441c |
- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
|
|
|
0d441c |
+ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);
|
|
|
0d441c |
if (sockaddr == NULL) {
|
|
|
0d441c |
DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
|
|
|
0d441c |
ret = EIO;
|
|
|
0d441c |
@@ -951,8 +963,12 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
|
|
0d441c |
talloc_zfree(service->gc->uri);
|
|
|
0d441c |
talloc_zfree(service->gc->sockaddr);
|
|
|
0d441c |
if (sdata && sdata->gc) {
|
|
|
0d441c |
- new_port = fo_get_server_port(server);
|
|
|
0d441c |
- new_port = (new_port == 0) ? AD_GC_PORT : new_port;
|
|
|
0d441c |
+ if (service->gc_port == AD_GC_LDAPS_PORT) {
|
|
|
0d441c |
+ new_port = service->gc_port;
|
|
|
0d441c |
+ } else {
|
|
|
0d441c |
+ new_port = fo_get_server_port(server);
|
|
|
0d441c |
+ new_port = (new_port == 0) ? service->gc_port : new_port;
|
|
|
0d441c |
+ }
|
|
|
0d441c |
|
|
|
0d441c |
service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
|
|
|
0d441c |
new_uri, new_port);
|
|
|
0d441c |
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
|
|
0d441c |
index 75f11de2e..820e06124 100644
|
|
|
0d441c |
--- a/src/providers/ad/ad_common.h
|
|
|
0d441c |
+++ b/src/providers/ad/ad_common.h
|
|
|
0d441c |
@@ -29,7 +29,8 @@
|
|
|
0d441c |
#define AD_SERVICE_NAME "AD"
|
|
|
0d441c |
#define AD_GC_SERVICE_NAME "AD_GC"
|
|
|
0d441c |
/* The port the Global Catalog runs on */
|
|
|
0d441c |
-#define AD_GC_PORT 3268
|
|
|
0d441c |
+#define AD_GC_PORT 3268
|
|
|
0d441c |
+#define AD_GC_LDAPS_PORT 3269
|
|
|
0d441c |
|
|
|
0d441c |
#define AD_AT_OBJECT_SID "objectSID"
|
|
|
0d441c |
#define AD_AT_DNS_DOMAIN "DnsDomain"
|
|
|
0d441c |
@@ -67,6 +68,7 @@ enum ad_basic_opt {
|
|
|
0d441c |
AD_KRB5_CONFD_PATH,
|
|
|
0d441c |
AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
|
|
|
0d441c |
AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
|
|
|
0d441c |
+ AD_USE_LDAPS,
|
|
|
0d441c |
|
|
|
0d441c |
AD_OPTS_BASIC /* opts counter */
|
|
|
0d441c |
};
|
|
|
0d441c |
@@ -82,6 +84,9 @@ struct ad_service {
|
|
|
0d441c |
struct sdap_service *sdap;
|
|
|
0d441c |
struct sdap_service *gc;
|
|
|
0d441c |
struct krb5_service *krb5_service;
|
|
|
0d441c |
+ const char *ldap_scheme;
|
|
|
0d441c |
+ int port;
|
|
|
0d441c |
+ int gc_port;
|
|
|
0d441c |
};
|
|
|
0d441c |
|
|
|
0d441c |
struct ad_options {
|
|
|
0d441c |
@@ -147,6 +152,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
|
|
|
0d441c |
const char *ad_gc_service,
|
|
|
0d441c |
const char *ad_domain,
|
|
|
0d441c |
bool use_kdcinfo,
|
|
|
0d441c |
+ bool ad_use_ldaps,
|
|
|
0d441c |
size_t n_lookahead_primary,
|
|
|
0d441c |
size_t n_lookahead_backup,
|
|
|
0d441c |
struct ad_service **_service);
|
|
|
0d441c |
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
|
|
|
0d441c |
index 290d5b5c1..2b4b9e2e7 100644
|
|
|
0d441c |
--- a/src/providers/ad/ad_init.c
|
|
|
0d441c |
+++ b/src/providers/ad/ad_init.c
|
|
|
0d441c |
@@ -138,6 +138,7 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
|
|
|
0d441c |
char *ad_servers = NULL;
|
|
|
0d441c |
char *ad_backup_servers = NULL;
|
|
|
0d441c |
char *ad_realm;
|
|
|
0d441c |
+ bool ad_use_ldaps = false;
|
|
|
0d441c |
errno_t ret;
|
|
|
0d441c |
|
|
|
0d441c |
ad_sasl_initialize();
|
|
|
0d441c |
@@ -154,12 +155,14 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
|
|
|
0d441c |
ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
|
|
|
0d441c |
ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
|
|
|
0d441c |
ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
|
|
|
0d441c |
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
|
|
|
0d441c |
|
|
|
0d441c |
/* Set up the failover service */
|
|
|
0d441c |
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
|
|
|
0d441c |
ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
|
|
|
0d441c |
dp_opt_get_string(ad_options->basic, AD_DOMAIN),
|
|
|
0d441c |
false, /* will be set in ad_get_auth_options() */
|
|
|
0d441c |
+ ad_use_ldaps,
|
|
|
0d441c |
(size_t) -1,
|
|
|
0d441c |
(size_t) -1,
|
|
|
0d441c |
&ad_options->service);
|
|
|
0d441c |
@@ -184,11 +187,13 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
|
|
|
0d441c |
const char *ad_site_override;
|
|
|
0d441c |
bool sites_enabled;
|
|
|
0d441c |
errno_t ret;
|
|
|
0d441c |
+ bool ad_use_ldaps;
|
|
|
0d441c |
|
|
|
0d441c |
hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
|
|
|
0d441c |
ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
|
|
|
0d441c |
ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
|
|
|
0d441c |
sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
|
|
|
0d441c |
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
|
|
|
0d441c |
|
|
|
0d441c |
|
|
|
0d441c |
if (!sites_enabled) {
|
|
|
0d441c |
@@ -205,7 +210,8 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
|
|
|
0d441c |
srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
|
|
|
0d441c |
default_host_dbs, ad_options->id,
|
|
|
0d441c |
hostname, ad_domain,
|
|
|
0d441c |
- ad_site_override);
|
|
|
0d441c |
+ ad_site_override,
|
|
|
0d441c |
+ ad_use_ldaps);
|
|
|
0d441c |
if (srv_ctx == NULL) {
|
|
|
0d441c |
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
|
|
|
0d441c |
return ENOMEM;
|
|
|
0d441c |
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
|
|
0d441c |
index 1293219ee..30f9b62fd 100644
|
|
|
0d441c |
--- a/src/providers/ad/ad_opts.c
|
|
|
0d441c |
+++ b/src/providers/ad/ad_opts.c
|
|
|
0d441c |
@@ -54,6 +54,7 @@ struct dp_option ad_basic_opts[] = {
|
|
|
0d441c |
{ "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
|
|
|
0d441c |
{ "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
|
|
|
0d441c |
{ "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
|
|
|
0d441c |
+ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
|
|
0d441c |
DP_OPTION_TERMINATOR
|
|
|
0d441c |
};
|
|
|
0d441c |
|
|
|
0d441c |
diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
|
|
|
0d441c |
index 5fd25f60e..ca15d3715 100644
|
|
|
0d441c |
--- a/src/providers/ad/ad_srv.c
|
|
|
0d441c |
+++ b/src/providers/ad/ad_srv.c
|
|
|
0d441c |
@@ -244,6 +244,7 @@ struct ad_get_client_site_state {
|
|
|
0d441c |
enum host_database *host_db;
|
|
|
0d441c |
struct sdap_options *opts;
|
|
|
0d441c |
const char *ad_domain;
|
|
|
0d441c |
+ bool ad_use_ldaps;
|
|
|
0d441c |
struct fo_server_info *dcs;
|
|
|
0d441c |
size_t num_dcs;
|
|
|
0d441c |
size_t dc_index;
|
|
|
0d441c |
@@ -264,6 +265,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
|
|
|
0d441c |
enum host_database *host_db,
|
|
|
0d441c |
struct sdap_options *opts,
|
|
|
0d441c |
const char *ad_domain,
|
|
|
0d441c |
+ bool ad_use_ldaps,
|
|
|
0d441c |
struct fo_server_info *dcs,
|
|
|
0d441c |
size_t num_dcs)
|
|
|
0d441c |
{
|
|
|
0d441c |
@@ -288,6 +290,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
|
|
|
0d441c |
state->host_db = host_db;
|
|
|
0d441c |
state->opts = opts;
|
|
|
0d441c |
state->ad_domain = ad_domain;
|
|
|
0d441c |
+ state->ad_use_ldaps = ad_use_ldaps;
|
|
|
0d441c |
state->dcs = dcs;
|
|
|
0d441c |
state->num_dcs = num_dcs;
|
|
|
0d441c |
|
|
|
0d441c |
@@ -331,8 +334,11 @@ static errno_t ad_get_client_site_next_dc(struct tevent_req *req)
|
|
|
0d441c |
subreq = sdap_connect_host_send(state, state->ev, state->opts,
|
|
|
0d441c |
state->be_res->resolv,
|
|
|
0d441c |
state->be_res->family_order,
|
|
|
0d441c |
- state->host_db, "ldap", state->dc.host,
|
|
|
0d441c |
- state->dc.port, false);
|
|
|
0d441c |
+ state->host_db,
|
|
|
0d441c |
+ state->ad_use_ldaps ? "ldaps" : "ldap",
|
|
|
0d441c |
+ state->dc.host,
|
|
|
0d441c |
+ state->ad_use_ldaps ? 636 : state->dc.port,
|
|
|
0d441c |
+ false);
|
|
|
0d441c |
if (subreq == NULL) {
|
|
|
0d441c |
ret = ENOMEM;
|
|
|
0d441c |
goto done;
|
|
|
0d441c |
@@ -491,6 +497,7 @@ struct ad_srv_plugin_ctx {
|
|
|
0d441c |
const char *ad_domain;
|
|
|
0d441c |
const char *ad_site_override;
|
|
|
0d441c |
const char *current_site;
|
|
|
0d441c |
+ bool ad_use_ldaps;
|
|
|
0d441c |
};
|
|
|
0d441c |
|
|
|
0d441c |
struct ad_srv_plugin_ctx *
|
|
|
0d441c |
@@ -501,7 +508,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
|
|
|
0d441c |
struct sdap_options *opts,
|
|
|
0d441c |
const char *hostname,
|
|
|
0d441c |
const char *ad_domain,
|
|
|
0d441c |
- const char *ad_site_override)
|
|
|
0d441c |
+ const char *ad_site_override,
|
|
|
0d441c |
+ bool ad_use_ldaps)
|
|
|
0d441c |
{
|
|
|
0d441c |
struct ad_srv_plugin_ctx *ctx = NULL;
|
|
|
0d441c |
errno_t ret;
|
|
|
0d441c |
@@ -515,6 +523,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
|
|
|
0d441c |
ctx->be_res = be_res;
|
|
|
0d441c |
ctx->host_dbs = host_dbs;
|
|
|
0d441c |
ctx->opts = opts;
|
|
|
0d441c |
+ ctx->ad_use_ldaps = ad_use_ldaps;
|
|
|
0d441c |
|
|
|
0d441c |
ctx->hostname = talloc_strdup(ctx, hostname);
|
|
|
0d441c |
if (ctx->hostname == NULL) {
|
|
|
0d441c |
@@ -714,6 +723,7 @@ static void ad_srv_plugin_dcs_done(struct tevent_req *subreq)
|
|
|
0d441c |
state->ctx->host_dbs,
|
|
|
0d441c |
state->ctx->opts,
|
|
|
0d441c |
state->discovery_domain,
|
|
|
0d441c |
+ state->ctx->ad_use_ldaps,
|
|
|
0d441c |
dcs, num_dcs);
|
|
|
0d441c |
if (subreq == NULL) {
|
|
|
0d441c |
ret = ENOMEM;
|
|
|
0d441c |
diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h
|
|
|
0d441c |
index e553d594d..8e410ec26 100644
|
|
|
0d441c |
--- a/src/providers/ad/ad_srv.h
|
|
|
0d441c |
+++ b/src/providers/ad/ad_srv.h
|
|
|
0d441c |
@@ -31,7 +31,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
|
|
|
0d441c |
struct sdap_options *opts,
|
|
|
0d441c |
const char *hostname,
|
|
|
0d441c |
const char *ad_domain,
|
|
|
0d441c |
- const char *ad_site_override);
|
|
|
0d441c |
+ const char *ad_site_override,
|
|
|
0d441c |
+ bool ad_use_ldaps);
|
|
|
0d441c |
|
|
|
0d441c |
struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
|
|
|
0d441c |
struct tevent_context *ev,
|
|
|
0d441c |
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
|
0d441c |
index 2ce34489f..d8c201437 100644
|
|
|
0d441c |
--- a/src/providers/ad/ad_subdomains.c
|
|
|
0d441c |
+++ b/src/providers/ad/ad_subdomains.c
|
|
|
0d441c |
@@ -282,6 +282,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
0d441c |
bool use_kdcinfo = false;
|
|
|
0d441c |
size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;
|
|
|
0d441c |
size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;
|
|
|
0d441c |
+ bool ad_use_ldaps = false;
|
|
|
0d441c |
|
|
|
0d441c |
realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
|
|
|
0d441c |
hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
|
|
|
0d441c |
@@ -312,6 +313,21 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
0d441c |
return ENOMEM;
|
|
|
0d441c |
}
|
|
|
0d441c |
|
|
|
0d441c |
+ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,
|
|
|
0d441c |
+ ad_options->basic,
|
|
|
0d441c |
+ be_ctx->cdb, subdom_conf_path,
|
|
|
0d441c |
+ AD_USE_LDAPS);
|
|
|
0d441c |
+ if (ret != EOK) {
|
|
|
0d441c |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
0d441c |
+ "Failed to inherit option [%s] to sub-domain [%s]. "
|
|
|
0d441c |
+ "This error is ignored but might cause issues or unexpected "
|
|
|
0d441c |
+ "behavior later on.\n",
|
|
|
0d441c |
+ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,
|
|
|
0d441c |
+ subdom->name);
|
|
|
0d441c |
+
|
|
|
0d441c |
+ return ret;
|
|
|
0d441c |
+ }
|
|
|
0d441c |
+
|
|
|
0d441c |
ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
|
|
|
0d441c |
ad_options->id->basic,
|
|
|
0d441c |
be_ctx->cdb, subdom_conf_path,
|
|
|
0d441c |
@@ -344,6 +360,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
0d441c |
|
|
|
0d441c |
servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
|
|
|
0d441c |
backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
|
|
|
0d441c |
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
|
|
|
0d441c |
|
|
|
0d441c |
if (id_ctx->ad_options->auth_ctx != NULL
|
|
|
0d441c |
&& id_ctx->ad_options->auth_ctx->opts != NULL) {
|
|
|
0d441c |
@@ -362,7 +379,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
0d441c |
|
|
|
0d441c |
ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
|
|
|
0d441c |
subdom->realm, service_name, gc_service_name,
|
|
|
0d441c |
- subdom->name, use_kdcinfo,
|
|
|
0d441c |
+ subdom->name, use_kdcinfo, ad_use_ldaps,
|
|
|
0d441c |
n_lookahead_primary,
|
|
|
0d441c |
n_lookahead_backup,
|
|
|
0d441c |
&ad_options->service);
|
|
|
0d441c |
@@ -386,7 +403,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
0d441c |
ad_id_ctx->ad_options->id,
|
|
|
0d441c |
hostname,
|
|
|
0d441c |
ad_domain,
|
|
|
0d441c |
- ad_site_override);
|
|
|
0d441c |
+ ad_site_override, ad_use_ldaps);
|
|
|
0d441c |
if (srv_ctx == NULL) {
|
|
|
0d441c |
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
|
|
|
0d441c |
return ENOMEM;
|
|
|
0d441c |
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
|
|
|
0d441c |
index fd998877b..9aebf72a5 100644
|
|
|
0d441c |
--- a/src/providers/ipa/ipa_subdomains_server.c
|
|
|
0d441c |
+++ b/src/providers/ipa/ipa_subdomains_server.c
|
|
|
0d441c |
@@ -319,7 +319,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
0d441c |
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
|
|
|
0d441c |
subdom->realm,
|
|
|
0d441c |
service_name, gc_service_name,
|
|
|
0d441c |
- subdom->name, use_kdcinfo,
|
|
|
0d441c |
+ subdom->name, use_kdcinfo, false,
|
|
|
0d441c |
n_lookahead_primary, n_lookahead_backup,
|
|
|
0d441c |
&ad_options->service);
|
|
|
0d441c |
if (ret != EOK) {
|
|
|
0d441c |
@@ -344,7 +344,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
0d441c |
ad_id_ctx->ad_options->id,
|
|
|
0d441c |
id_ctx->server_mode->hostname,
|
|
|
0d441c |
ad_domain,
|
|
|
0d441c |
- ad_site_override);
|
|
|
0d441c |
+ ad_site_override, false);
|
|
|
0d441c |
if (srv_ctx == NULL) {
|
|
|
0d441c |
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
|
|
|
0d441c |
return ENOMEM;
|
|
|
0d441c |
--
|
|
|
0d441c |
2.20.1
|
|
|
0d441c |
|