Blame SOURCES/0054-LDAP-Log-the-encryption-used-during-LDAP-authenticat.patch

From 1a7c6ab6efce3720d27def426aad49ee99eb339d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 26 Nov 2018 12:38:40 +0100
Subject: [PATCH 54/54] LDAP: Log the encryption used during LDAP
 authentication
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 6f113c7ddeaa5c82558e10118b499d22bf7a2b14)
---
 src/providers/ldap/ldap_auth.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
0d602d
index b4d045a65..4666dbfbb 100644
0d602d
--- a/src/providers/ldap/ldap_auth.c
0d602d
+++ b/src/providers/ldap/ldap_auth.c
0d602d
@@ -747,6 +747,31 @@ static struct tevent_req *auth_connect_send(struct tevent_req *req)
0d602d
     return subreq;
0d602d
 }
0d602d
 
0d602d
+static void check_encryption(LDAP *ldap)
0d602d
+{
0d602d
+    ber_len_t sasl_ssf = 0;
0d602d
+    int tls_inplace = 0;
0d602d
+    int ret;
0d602d
+
0d602d
+    ret = ldap_get_option(ldap, LDAP_OPT_X_SASL_SSF, &sasl_ssf);
0d602d
+    if (ret != LDAP_SUCCESS) {
0d602d
+        DEBUG(SSSDBG_TRACE_LIBS, "ldap_get_option failed to get sasl ssf, "
0d602d
+                                 "assuming SASL is not used.\n");
0d602d
+    }
0d602d
+
0d602d
+    tls_inplace = ldap_tls_inplace(ldap);
0d602d
+
0d602d
+    DEBUG(SSSDBG_TRACE_ALL,
0d602d
+          "Encryption used: SASL SSF [%lu] tls_inplace [%s].\n", sasl_ssf,
0d602d
+          tls_inplace == 1 ? "TLS inplace" : "TLS NOT inplace");
0d602d
+
0d602d
+    if (sasl_ssf <= 1 && tls_inplace != 1) {
0d602d
+        DEBUG(SSSDBG_CRIT_FAILURE,
0d602d
+                "No encryption detected on LDAP connection.\n");
0d602d
+        sss_log(SSS_LOG_CRIT, "No encryption detected on LDAP connection.\n");
0d602d
+    }
0d602d
+}
0d602d
+
0d602d
 static void auth_connect_done(struct tevent_req *subreq)
0d602d
 {
0d602d
     struct tevent_req *req = tevent_req_callback_data(subreq,
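Review bot: check_encryption has no comment explaining the `sasl_ssf <= 1` threshold in its final `if`, and a reader may take an SSF of 1 as "some encryption": in SASL an SSF of 1 means integrity protection only, with no confidentiality, so only SSF > 1 implies the bind credentials are actually encrypted on the wire. I would put a comment above that branch: `/* SASL SSF of 1 is integrity-only, not confidentiality; treat as unencrypted unless TLS was negotiated. */`. A short header comment on the function should also state that it only reports and never aborts the authentication, and that the SSS_LOG_CRIT message is emitted on every authentication attempt that goes over an unencrypted connection, so it will recur in syslog until the client or server TLS/SASL configuration is fixed. On the ldap_get_option failure path, adding `ldap_err2string(ret)` to the trace message would make the "assuming SASL is not used" fallback easier to diagnose.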
0d602d
@@ -776,6 +801,8 @@ static void auth_connect_done(struct tevent_req *subreq)
0d602d
         return;
0d602d
     }
0d602d
 
0d602d
+    check_encryption(state->sh->ldap);
0d602d
+
0d602d
     if (state->dn == NULL) {
0d602d
         /* The cached user entry was missing the bind DN. Need to look
0d602d
          * it up based on user name in order to perform the bind */
0d602d
-- 
2.19.1