|
|
ced1f5 |
From 7ebfab326f94e508ce2910c7242a8dd7652ec8a2 Mon Sep 17 00:00:00 2001
|
|
|
ced1f5 |
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
|
ced1f5 |
Date: Wed, 25 Oct 2017 11:25:09 +0200
|
|
|
ced1f5 |
Subject: [PATCH 21/21] LDAP: Bind to the LDAP server also in the auth
|
|
|
ced1f5 |
MIME-Version: 1.0
|
|
|
ced1f5 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ced1f5 |
Content-Transfer-Encoding: 8bit
|
|
|
ced1f5 |
|
|
|
ced1f5 |
When dealing with id_provider not being the same as auth_provider, SSSD
|
|
|
ced1f5 |
has to bind the DN of the user which wants to authenticate with the
|
|
|
ced1f5 |
ldap_default_bind_dn and the password provided by the user.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
In order to do so, the least intrusive way is just by replacing
|
|
|
ced1f5 |
sdap_connect*() functions by sdap_cli_connect*() functions in the LDAP's
|
|
|
ced1f5 |
auth module.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
The simple change also allowed us to remove some code that is already
|
|
|
ced1f5 |
executed as part of sdap_cli_connect*() and some functions had their
|
|
|
ced1f5 |
names adapted to reflect better their new purpose.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Resolves:
|
|
|
ced1f5 |
https://pagure.io/SSSD/sssd/issue/3451
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
ced1f5 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
ced1f5 |
(cherry picked from commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b)
|
|
|
ced1f5 |
---
|
|
|
ced1f5 |
src/providers/ldap/ldap_auth.c | 114 +++++++++--------------------------------
|
|
|
ced1f5 |
1 file changed, 25 insertions(+), 89 deletions(-)
|
|
|
ced1f5 |
|
|
|
ced1f5 |
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
|
|
ced1f5 |
index 00ddd889b6294e457c13218491547b84f1468266..a3b1480aae4272d2e10f105a1eaf3a5816c3487c 100644
|
|
|
ced1f5 |
--- a/src/providers/ldap/ldap_auth.c
|
|
|
ced1f5 |
+++ b/src/providers/ldap/ldap_auth.c
|
|
|
ced1f5 |
@@ -619,14 +619,11 @@ struct auth_state {
|
|
|
ced1f5 |
char *dn;
|
|
|
ced1f5 |
enum pwexpire pw_expire_type;
|
|
|
ced1f5 |
void *pw_expire_data;
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- struct fo_server *srv;
|
|
|
ced1f5 |
};
|
|
|
ced1f5 |
|
|
|
ced1f5 |
-static struct tevent_req *auth_get_server(struct tevent_req *req);
|
|
|
ced1f5 |
+static struct tevent_req *auth_connect_send(struct tevent_req *req);
|
|
|
ced1f5 |
static void auth_get_dn_done(struct tevent_req *subreq);
|
|
|
ced1f5 |
static void auth_do_bind(struct tevent_req *req);
|
|
|
ced1f5 |
-static void auth_resolve_done(struct tevent_req *subreq);
|
|
|
ced1f5 |
static void auth_connect_done(struct tevent_req *subreq);
|
|
|
ced1f5 |
static void auth_bind_user_done(struct tevent_req *subreq);
|
|
|
ced1f5 |
|
|
|
ced1f5 |
@@ -659,7 +656,6 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
|
|
|
ced1f5 |
state->ctx = ctx;
|
|
|
ced1f5 |
state->username = username;
|
|
|
ced1f5 |
state->authtok = authtok;
|
|
|
ced1f5 |
- state->srv = NULL;
|
|
|
ced1f5 |
if (try_chpass_service && ctx->chpass_service != NULL &&
|
|
|
ced1f5 |
ctx->chpass_service->name != NULL) {
|
|
|
ced1f5 |
state->sdap_service = ctx->chpass_service;
|
|
|
ced1f5 |
@@ -667,7 +663,7 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
|
|
|
ced1f5 |
state->sdap_service = ctx->service;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- if (!auth_get_server(req)) goto fail;
|
|
|
ced1f5 |
+ if (!auth_connect_send(req)) goto fail;
|
|
|
ced1f5 |
|
|
|
ced1f5 |
return req;
|
|
|
ced1f5 |
|
|
|
ced1f5 |
@@ -676,75 +672,37 @@ fail:
|
|
|
ced1f5 |
return NULL;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
-static struct tevent_req *auth_get_server(struct tevent_req *req)
|
|
|
ced1f5 |
+static struct tevent_req *auth_connect_send(struct tevent_req *req)
|
|
|
ced1f5 |
{
|
|
|
ced1f5 |
- struct tevent_req *next_req;
|
|
|
ced1f5 |
+ struct tevent_req *subreq;
|
|
|
ced1f5 |
struct auth_state *state = tevent_req_data(req,
|
|
|
ced1f5 |
struct auth_state);
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- /* NOTE: this call may cause service->uri to be refreshed
|
|
|
ced1f5 |
- * with a new valid server. Do not use service->uri before */
|
|
|
ced1f5 |
- next_req = be_resolve_server_send(state,
|
|
|
ced1f5 |
- state->ev,
|
|
|
ced1f5 |
- state->ctx->be,
|
|
|
ced1f5 |
- state->sdap_service->name,
|
|
|
ced1f5 |
- state->srv == NULL ? true : false);
|
|
|
ced1f5 |
- if (!next_req) {
|
|
|
ced1f5 |
- DEBUG(SSSDBG_CRIT_FAILURE, "be_resolve_server_send failed.\n");
|
|
|
ced1f5 |
- return NULL;
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- tevent_req_set_callback(next_req, auth_resolve_done, req);
|
|
|
ced1f5 |
- return next_req;
|
|
|
ced1f5 |
-}
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
-static void auth_resolve_done(struct tevent_req *subreq)
|
|
|
ced1f5 |
-{
|
|
|
ced1f5 |
- struct tevent_req *req = tevent_req_callback_data(subreq,
|
|
|
ced1f5 |
- struct tevent_req);
|
|
|
ced1f5 |
- struct auth_state *state = tevent_req_data(req,
|
|
|
ced1f5 |
- struct auth_state);
|
|
|
ced1f5 |
- int ret;
|
|
|
ced1f5 |
bool use_tls;
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- ret = be_resolve_server_recv(subreq, state, &state->srv);
|
|
|
ced1f5 |
- talloc_zfree(subreq);
|
|
|
ced1f5 |
- if (ret) {
|
|
|
ced1f5 |
- /* all servers have been tried and none
|
|
|
ced1f5 |
- * was found good, go offline */
|
|
|
ced1f5 |
- tevent_req_error(req, ETIMEDOUT);
|
|
|
ced1f5 |
- return;
|
|
|
ced1f5 |
+ /* Check for undocumented debugging feature to disable TLS
|
|
|
ced1f5 |
+ * for authentication. This should never be used in production
|
|
|
ced1f5 |
+ * for obvious reasons.
|
|
|
ced1f5 |
+ */
|
|
|
ced1f5 |
+ use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
|
|
|
ced1f5 |
+ if (!use_tls) {
|
|
|
ced1f5 |
+ sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
|
|
|
ced1f5 |
+ "insecure connection. This should be done "
|
|
|
ced1f5 |
+ "for debugging purposes only.");
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- /* Determine whether we need to use TLS */
|
|
|
ced1f5 |
- if (sdap_is_secure_uri(state->ctx->service->uri)) {
|
|
|
ced1f5 |
- DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
|
ced1f5 |
- "[%s] is a secure channel. No need to run START_TLS\n",
|
|
|
ced1f5 |
- state->ctx->service->uri);
|
|
|
ced1f5 |
- use_tls = false;
|
|
|
ced1f5 |
- } else {
|
|
|
ced1f5 |
+ subreq = sdap_cli_connect_send(state, state->ev, state->ctx->opts,
|
|
|
ced1f5 |
+ state->ctx->be,
|
|
|
ced1f5 |
+ state->sdap_service, false,
|
|
|
ced1f5 |
+ use_tls ? CON_TLS_ON : CON_TLS_OFF, false);
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- /* Check for undocumented debugging feature to disable TLS
|
|
|
ced1f5 |
- * for authentication. This should never be used in production
|
|
|
ced1f5 |
- * for obvious reasons.
|
|
|
ced1f5 |
- */
|
|
|
ced1f5 |
- use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
|
|
|
ced1f5 |
- if (!use_tls) {
|
|
|
ced1f5 |
- sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
|
|
|
ced1f5 |
- "insecure connection. This should be done "
|
|
|
ced1f5 |
- "for debugging purposes only.");
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
|
|
|
ced1f5 |
- state->sdap_service->uri,
|
|
|
ced1f5 |
- state->sdap_service->sockaddr, use_tls);
|
|
|
ced1f5 |
- if (!subreq) {
|
|
|
ced1f5 |
+ if (subreq == NULL) {
|
|
|
ced1f5 |
tevent_req_error(req, ENOMEM);
|
|
|
ced1f5 |
- return;
|
|
|
ced1f5 |
+ return NULL;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
tevent_req_set_callback(subreq, auth_connect_done, req);
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ return subreq;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
static void auth_connect_done(struct tevent_req *subreq)
|
|
|
ced1f5 |
@@ -755,35 +713,13 @@ static void auth_connect_done(struct tevent_req *subreq)
|
|
|
ced1f5 |
struct auth_state);
|
|
|
ced1f5 |
int ret;
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- ret = sdap_connect_recv(subreq, state, &state->sh);
|
|
|
ced1f5 |
+ ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
|
|
|
ced1f5 |
talloc_zfree(subreq);
|
|
|
ced1f5 |
- if (ret) {
|
|
|
ced1f5 |
- if (state->srv) {
|
|
|
ced1f5 |
- /* mark this server as bad if connection failed */
|
|
|
ced1f5 |
- be_fo_set_port_status(state->ctx->be,
|
|
|
ced1f5 |
- state->sdap_service->name,
|
|
|
ced1f5 |
- state->srv, PORT_NOT_WORKING);
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- if (auth_get_server(req) == NULL) {
|
|
|
ced1f5 |
+ if (ret != EOK) {
|
|
|
ced1f5 |
+ if (auth_connect_send(req) == NULL) {
|
|
|
ced1f5 |
tevent_req_error(req, ENOMEM);
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
return;
|
|
|
ced1f5 |
- } else if (state->srv) {
|
|
|
ced1f5 |
- be_fo_set_port_status(state->ctx->be, state->sdap_service->name,
|
|
|
ced1f5 |
- state->srv, PORT_WORKING);
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- /* In case the ID provider is set to proxy, this might be the first
|
|
|
ced1f5 |
- * LDAP operation at all, so we need to set the connection status
|
|
|
ced1f5 |
- */
|
|
|
ced1f5 |
- if (state->sh->connected == false) {
|
|
|
ced1f5 |
- ret = sdap_set_connected(state->sh, state->ev);
|
|
|
ced1f5 |
- if (ret) {
|
|
|
ced1f5 |
- DEBUG(SSSDBG_OP_FAILURE, "Cannot set connected status\n");
|
|
|
ced1f5 |
- tevent_req_error(req, ret);
|
|
|
ced1f5 |
- return;
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
ret = get_user_dn(state, state->ctx->be->domain,
|
|
|
ced1f5 |
@@ -870,7 +806,7 @@ static void auth_bind_user_done(struct tevent_req *subreq)
|
|
|
ced1f5 |
break;
|
|
|
ced1f5 |
case ETIMEDOUT:
|
|
|
ced1f5 |
case ERR_NETWORK_IO:
|
|
|
ced1f5 |
- if (auth_get_server(req) == NULL) {
|
|
|
ced1f5 |
+ if (auth_connect_send(req) == NULL) {
|
|
|
ced1f5 |
tevent_req_error(req, ENOMEM);
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
return;
|
|
|
ced1f5 |
--
|
|
|
ced1f5 |
2.13.5
|
|
|
ced1f5 |
|