From b2aca1f7d7aa4a11f86d977ad00481aeb1f9a436 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 26 Sep 2019 20:27:09 +0200
Subject: [PATCH 107/109] ad: add ad_use_ldaps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With this new boolean option the AD provider should only use the LDAPS
port 636 and the Global Catalog port 3629 which is TLS protected as
well.
Related to https://pagure.io/SSSD/sssd/issue/4131
(cherry picked from commit 33c8757087b8649926e53cf494e2a775ad100302)
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/man/sssd-ad.5.xml | 20 +++++++++++++++++++
src/providers/ad/ad_common.c | 24 +++++++++++++++++++----
src/providers/ad/ad_common.h | 8 +++++++-
src/providers/ad/ad_init.c | 8 +++++++-
src/providers/ad/ad_opts.c | 1 +
src/providers/ad/ad_srv.c | 16 ++++++++++++---
src/providers/ad/ad_srv.h | 3 ++-
src/providers/ad/ad_subdomains.c | 21 ++++++++++++++++++--
src/providers/ipa/ipa_subdomains_server.c | 4 ++--
12 files changed, 94 insertions(+), 14 deletions(-)
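diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index a7de476a1..00e588f1c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -247,6 +247,7 @@ option_strings = {
 'ad_site' : _('a particular site to be used by the client'),
 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
+ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
 
 # [provider/krb5]
 'krb5_kdcip' : _('Kerberos server address'),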
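diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 3976ec4e1..c3d8bd88f 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -454,6 +454,7 @@ option = ad_machine_account_password_renewal_opts
 option = ad_maximum_machine_account_password_age
 option = ad_server
 option = ad_site
+option = ad_use_ldaps
 
 # IPA provider specific options
 option = ipa_anchor_uuid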
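diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index e3c8140b8..48522437f 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false
 ad_site = str, None, false
 ad_maximum_machine_account_password_age = int, None, false
 ad_machine_account_password_renewal_opts = str, None, false
+ad_use_ldaps = bool, None, false
 ldap_uri = str, None, false
 ldap_backup_uri = str, None, false
 ldap_search_base = str, None, false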
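diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index b14f07f7f..9e9e52eb3 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -903,6 +903,26 @@ ad_gpo_map_deny = +my_pam_service
 </listitem>
 </varlistentry>
 
+ <varlistentry>
+ <term>ad_use_ldaps (bool)</term>
+ <listitem>
+ <para>
+ By default SSSD uses the plain LDAP port 389 and the
+ Global Catalog port 3628. If this option is set to
+ True SSSD will use the LDAPS port 636 and Global
+ Catalog port 3629 with LDAPS protection. Since AD
+ does not allow to have multiple encryption layers on
+ a single connection and we still want to use
+ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication
+ the SASL security property maxssf is set to 0 (zero)
+ for those connections.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
 <varlistentry>
 <term>dyndns_update (boolean)</term>
 <listitem>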
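diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index ca4d0665d..de8a0c8bb 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -729,6 +729,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
 const char *ad_gc_service,
 const char *ad_domain,
 bool use_kdcinfo,
+ bool ad_use_ldaps,
 size_t n_lookahead_primary,
 size_t n_lookahead_backup,
 struct ad_service **_service)
@@ -746,6 +747,16 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
 goto done;
 }
 
+ if (ad_use_ldaps) {
+ service->ldap_scheme = "ldaps";
+ service->port = LDAPS_PORT;
+ service->gc_port = AD_GC_LDAPS_PORT;
+ } else {
+ service->ldap_scheme = "ldap";
+ service->port = LDAP_PORT;
+ service->gc_port = AD_GC_PORT;
+ }
+
 service->sdap = talloc_zero(service, struct sdap_service);
 service->gc = talloc_zero(service, struct sdap_service);
 if (!service->sdap || !service->gc) {
@@ -914,7 +925,8 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
 goto done;
 }
 
- new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
+ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,
+ srv_name);
 if (!new_uri) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
 ret = ENOMEM;
@@ -922,7 +934,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
 }
 DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
 
- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
+ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);
 if (sockaddr == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
 ret = EIO;
@@ -938,8 +950,12 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
 talloc_zfree(service->gc->uri);
 talloc_zfree(service->gc->sockaddr);
 if (sdata && sdata->gc) {
- new_port = fo_get_server_port(server);
- new_port = (new_port == 0) ? AD_GC_PORT : new_port;
+ if (service->gc_port == AD_GC_LDAPS_PORT) {
+ new_port = service->gc_port;
+ } else {
+ new_port = fo_get_server_port(server);
+ new_port = (new_port == 0) ? service->gc_port : new_port;
+ }
 
 service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
 new_uri, new_port);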
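Review bot: In the last hunk of ad_resolve_callback the LDAPS mode is detected by comparing `service->gc_port` with `AD_GC_LDAPS_PORT`, which uses a port number as a proxy for the configuration flag that ad_failover_init received; a dedicated `bool use_ldaps` in `struct ad_service`, assigned next to `ldap_scheme`, would state the intent directly and keep the two paths from drifting if the GC port ever becomes configurable. That branch also discards the port carried by the failover server (`fo_get_server_port`) whenever LDAPS is on, which the commit message does not mention; if that is intended, a one-line comment such as `/* LDAPS: always use the fixed GC TLS port; the SRV/config port is ignored */` above the `if` would spare the next reader a trip to ad_failover_init. ad_resolve_callback continues outside the hunk.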
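diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 44369288e..54245b9f8 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -29,7 +29,8 @@
 #define AD_SERVICE_NAME "AD"
 #define AD_GC_SERVICE_NAME "AD_GC"
 /* The port the Global Catalog runs on */
-#define AD_GC_PORT 3268
+#define AD_GC_PORT 3268
+#define AD_GC_LDAPS_PORT 3269
 
 #define AD_AT_OBJECT_SID "objectSID"
 #define AD_AT_DNS_DOMAIN "DnsDomain"
@@ -67,6 +68,7 @@ enum ad_basic_opt {
 AD_KRB5_CONFD_PATH,
 AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
 AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
+ AD_USE_LDAPS,
 
 AD_OPTS_BASIC /* opts counter */
 };
@@ -82,6 +84,9 @@ struct ad_service {
 struct sdap_service *sdap;
 struct sdap_service *gc;
 struct krb5_service *krb5_service;
+ const char *ldap_scheme;
+ int port;
+ int gc_port;
 };
 
 struct ad_options {
@@ -147,6 +152,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
 const char *ad_gc_service,
 const char *ad_domain,
 bool use_kdcinfo,
+ bool ad_use_ldaps,
 size_t n_lookahead_primary,
 size_t n_lookahead_backup,
 struct ad_service **_service);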
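Review bot: The header defines `AD_GC_PORT 3268` and `AD_GC_LDAPS_PORT 3269`, but the man page added in this same commit tells administrators the Global Catalog ports are 3628 and 3629, and the commit message repeats 3629; the header values are the well-known GC ports, so the documentation text should be corrected to 3268/3269 before this ships, otherwise anyone opening firewall rules from the man page will get them wrong. The three fields added to `struct ad_service` also carry no comment, unlike the neighbouring `AD_GC_PORT` define; `const char *ldap_scheme; /* "ldap" or "ldaps", chosen by ad_use_ldaps */`, `int port; /* LDAP or LDAPS port used for DC connections */` and `int gc_port; /* AD_GC_PORT or AD_GC_LDAPS_PORT */` would document the contract that ad_failover_init establishes.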
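diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index f5aea8904..09397852b 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -138,6 +138,7 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
 char *ad_servers = NULL;
 char *ad_backup_servers = NULL;
 char *ad_realm;
+ bool ad_use_ldaps = false;
 errno_t ret;
 
 ad_sasl_initialize();
@@ -154,12 +155,14 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
 ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
 ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
 ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
 
 /* Set up the failover service */
 ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
 ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
 dp_opt_get_string(ad_options->basic, AD_DOMAIN),
 false, /* will be set in ad_get_auth_options() */
+ ad_use_ldaps,
 (size_t) -1,
 (size_t) -1,
 &ad_options->service);
@@ -184,11 +187,13 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
 const char *ad_site_override;
 bool sites_enabled;
 errno_t ret;
+ bool ad_use_ldaps;
 
 hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
 ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
 ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
 sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
 
 
 if (!sites_enabled) {
@@ -205,7 +210,8 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
 srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
 default_host_dbs, ad_options->id,
 hostname, ad_domain,
- ad_site_override);
+ ad_site_override,
+ ad_use_ldaps);
 if (srv_ctx == NULL) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
 return ENOMEM;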
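Review bot: In ad_init_srv_plugin the new `bool ad_use_ldaps;` is declared after `errno_t ret;` and left uninitialised, while the sibling hunk in ad_init_options declares `bool ad_use_ldaps = false;` together with the other option variables; the value is assigned before use here, so this is consistency only, but `bool ad_use_ldaps = false;` placed next to `bool sites_enabled;` would match the pattern the rest of the commit follows. Both enclosing functions continue outside the hunks.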
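diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 9bd705445..cd898cbd2 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -54,6 +54,7 @@ struct dp_option ad_basic_opts[] = {
 { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
 { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
 { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
+ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 DP_OPTION_TERMINATOR
 };
 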
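diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
index 5fd25f60e..ca15d3715 100644
--- a/src/providers/ad/ad_srv.c
+++ b/src/providers/ad/ad_srv.c
@@ -244,6 +244,7 @@ struct ad_get_client_site_state {
 enum host_database *host_db;
 struct sdap_options *opts;
 const char *ad_domain;
+ bool ad_use_ldaps;
 struct fo_server_info *dcs;
 size_t num_dcs;
 size_t dc_index;
@@ -264,6 +265,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
 enum host_database *host_db,
 struct sdap_options *opts,
 const char *ad_domain,
+ bool ad_use_ldaps,
 struct fo_server_info *dcs,
 size_t num_dcs)
 {
@@ -288,6 +290,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
 state->host_db = host_db;
 state->opts = opts;
 state->ad_domain = ad_domain;
+ state->ad_use_ldaps = ad_use_ldaps;
 state->dcs = dcs;
 state->num_dcs = num_dcs;
 
@@ -331,8 +334,11 @@ static errno_t ad_get_client_site_next_dc(struct tevent_req *req)
 subreq = sdap_connect_host_send(state, state->ev, state->opts,
 state->be_res->resolv,
 state->be_res->family_order,
- state->host_db, "ldap", state->dc.host,
- state->dc.port, false);
+ state->host_db,
+ state->ad_use_ldaps ? "ldaps" : "ldap",
+ state->dc.host,
+ state->ad_use_ldaps ? 636 : state->dc.port,
+ false);
 if (subreq == NULL) {
 ret = ENOMEM;
 goto done;
@@ -491,6 +497,7 @@ struct ad_srv_plugin_ctx {
 const char *ad_domain;
 const char *ad_site_override;
 const char *current_site;
+ bool ad_use_ldaps;
 };
 
 struct ad_srv_plugin_ctx *
@@ -501,7 +508,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
 struct sdap_options *opts,
 const char *hostname,
 const char *ad_domain,
- const char *ad_site_override)
+ const char *ad_site_override,
+ bool ad_use_ldaps)
 {
 struct ad_srv_plugin_ctx *ctx = NULL;
 errno_t ret;
@@ -515,6 +523,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
 ctx->be_res = be_res;
 ctx->host_dbs = host_dbs;
 ctx->opts = opts;
+ ctx->ad_use_ldaps = ad_use_ldaps;
 
 ctx->hostname = talloc_strdup(ctx, hostname);
 if (ctx->hostname == NULL) {
@@ -714,6 +723,7 @@ static void ad_srv_plugin_dcs_done(struct tevent_req *subreq)
 state->ctx->host_dbs,
 state->ctx->opts,
 state->discovery_domain,
+ state->ctx->ad_use_ldaps,
 dcs, num_dcs);
 if (subreq == NULL) {
 ret = ENOMEM;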
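Review bot: ad_get_client_site_next_dc hardcodes the LDAPS port as the literal `636`, whereas ad_failover_init in ad_common.c uses the `LDAPS_PORT` symbol for the same value in this commit; `state->ad_use_ldaps ? LDAPS_PORT : state->dc.port,` keeps the two call sites in step and removes the magic number. The same argument discards the SRV-discovered `state->dc.port` whenever LDAPS is enabled; if a DC advertising a non-default LDAPS port is deliberately out of scope, a short comment on that line saying so would make the choice look intentional rather than accidental. The function continues outside the hunk.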
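diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h
index e553d594d..8e410ec26 100644
--- a/src/providers/ad/ad_srv.h
+++ b/src/providers/ad/ad_srv.h
@@ -31,7 +31,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
 struct sdap_options *opts,
 const char *hostname,
 const char *ad_domain,
- const char *ad_site_override);
+ const char *ad_site_override,
+ bool ad_use_ldaps);
 
 struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,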
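diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index f0b5d59d2..bc10da5bc 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -282,6 +282,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
 bool use_kdcinfo = false;
 size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;
 size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;
+ bool ad_use_ldaps = false;
 
 realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
 hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
@@ -312,6 +313,21 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
 return ENOMEM;
 }
 
+ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,
+ ad_options->basic,
+ be_ctx->cdb, subdom_conf_path,
+ AD_USE_LDAPS);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to inherit option [%s] to sub-domain [%s]. "
+ "This error is ignored but might cause issues or unexpected "
+ "behavior later on.\n",
+ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,
+ subdom->name);
+
+ return ret;
+ }
+
 ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
 ad_options->id->basic,
 be_ctx->cdb, subdom_conf_path,
@@ -344,6 +360,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
 
 servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
 backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
 
 if (id_ctx->ad_options->auth_ctx != NULL
 && id_ctx->ad_options->auth_ctx->opts != NULL) {
@@ -362,7 +379,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
 
 ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
 subdom->realm, service_name, gc_service_name,
- subdom->name, use_kdcinfo,
+ subdom->name, use_kdcinfo, ad_use_ldaps,
 n_lookahead_primary,
 n_lookahead_backup,
 &ad_options->service);
@@ -386,7 +403,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
 ad_id_ctx->ad_options->id,
 hostname,
 ad_domain,
- ad_site_override);
+ ad_site_override, ad_use_ldaps);
 if (srv_ctx == NULL) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
 return ENOMEM;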
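Review bot: The new error path in ad_subdom_ad_ctx_new logs `"This error is ignored but might cause issues or unexpected behavior later on."` and then executes `return ret;`, so the message contradicts the behaviour: a failed inheritance of `ad_use_ldaps` aborts the sub-domain setup, it is not ignored. Either drop that sentence, `"Failed to inherit option [%s] to sub-domain [%s].\n"`, or, if the failure really should be non-fatal as the text claims, continue instead of returning; note that continuing would presumably leave the sub-domain on the `BOOL_FALSE` default from ad_opts.c and thus on plain LDAP, so the fatal behaviour looks like the safer of the two and only the message needs fixing. The sibling `ad_inherit_opts_if_needed` call right below is handled outside this hunk, so the two paths may now disagree on fatality and are worth comparing.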
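diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index d0e89a4f9..e2037b59d 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -319,7 +319,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
 ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
 subdom->realm,
 service_name, gc_service_name,
- subdom->name, use_kdcinfo,
+ subdom->name, use_kdcinfo, false,
 n_lookahead_primary, n_lookahead_backup,
 &ad_options->service);
 if (ret != EOK) {
@@ -344,7 +344,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
 ad_id_ctx->ad_options->id,
 id_ctx->server_mode->hostname,
 ad_domain,
- ad_site_override);
+ ad_site_override, false);
 if (srv_ctx == NULL) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
 return ENOMEM;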
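Review bot: Both call sites in ipa_ad_ctx_new pass a bare `false` for the new `ad_use_ldaps` parameter, so a reader of this file cannot tell which argument that is or why IPA server mode keeps plain LDAP towards trusted AD domains when the AD provider just gained an LDAPS switch; a trailing comment in the style ad_init.c already uses, `false, /* ad_use_ldaps: not supported in IPA server mode */`, on each of the two lines would document that. If the limitation is meant to be temporary, naming the tracking issue in that comment would help whoever picks it up. ipa_ad_ctx_new continues outside both hunks.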
--
2.20.1