From 6f113c7ddeaa5c82558e10118b499d22bf7a2b14 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 26 Nov 2018 12:38:40 +0100
Subject: [PATCH 80/80] LDAP: Log the encryption used during LDAP
authentication
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ldap/ldap_auth.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
|
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index b4d045a65..4666dbfbb 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -747,6 +747,31 @@ static struct tevent_req *auth_connect_send(struct tevent_req *req)
return subreq;
}
|
+static void check_encryption(LDAP *ldap)
+{
+ ber_len_t sasl_ssf = 0;
+ int tls_inplace = 0;
+ int ret;
+
+ ret = ldap_get_option(ldap, LDAP_OPT_X_SASL_SSF, &sasl_ssf);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_TRACE_LIBS, "ldap_get_option failed to get sasl ssf, "
+ "assuming SASL is not used.\n");
+ }
+
+ tls_inplace = ldap_tls_inplace(ldap);
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Encryption used: SASL SSF [%lu] tls_inplace [%s].\n", sasl_ssf,
+ tls_inplace == 1 ? "TLS inplace" : "TLS NOT inplace");
+
+ if (sasl_ssf <= 1 && tls_inplace != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No encryption detected on LDAP connection.\n");
+ sss_log(SSS_LOG_CRIT, "No encryption detected on LDAP connection.\n");
+ }
+}
+
static void auth_connect_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
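Review bot: The threshold `sasl_ssf <= 1` in check_encryption encodes a SASL convention that deserves a comment at the `if`: an SSF of 1 means integrity protection only and a value above 1 is the confidentiality key strength, so only SSF > 1 counts as encryption here. Suggest `/* SSF 1 == integrity only; > 1 == confidentiality (key bits) */` directly above that condition. The function also only logs — nothing in the hunk stops the bind that follows when neither TLS nor a SASL layer is present — so a header comment such as `/* Diagnostic only: records the protection on the auth connection, does not refuse plaintext binds */` would keep a future reader from assuming the CRIT message is enforcement. The `%lu` for `ber_len_t` appears correct for OpenLDAP's unsigned long typedef, but a `(unsigned long)` cast would make that independent of the header's definition.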
@@ -776,6 +801,8 @@ static void auth_connect_done(struct tevent_req *subreq)
return;
}
|
+ check_encryption(state->sh->ldap);
+
if (state->dn == NULL) {
/* The cached user entry was missing the bind DN. Need to look
* it up based on user name in order to perform the bind */
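Review bot: The call to check_encryption is placed after the connection is established but before the user's bind, so `LDAP_OPT_X_SASL_SSF` at this point can presumably reflect only a SASL bind performed during connection setup, if any; on a plain simple-bind connection the SSF would stay 0 and the verdict rests entirely on `ldap_tls_inplace`. Worth confirming that is the intended reading, since a SASL security layer negotiated later in this request would not be seen by this check. A one-line comment at the call site such as `/* Checked before the bind: reflects connection-level TLS and any SASL layer from connect */` would make the timing explicit. auth_connect_done starts outside this hunk.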
--
2.19.1
|