adcli/SOURCES/0002-add-option-use-ldaps.patch

From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 19 Dec 2019 07:22:33 +0100
Subject: [PATCH 2/2] add option use-ldaps

In general using the LDAP port with GSS-SPNEGO should satifiy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.

But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
---
 doc/adcli.xml    | 24 +++++++++++++++
 library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
 library/adconn.h |  4 +++
 tools/computer.c | 10 ++++++
 tools/entry.c    | 11 +++++++
 5 files changed, 119 insertions(+), 9 deletions(-)

diff --git a/doc/adcli.xml b/doc/adcli.xml
index dd30435..acced25 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -128,6 +128,30 @@
 			If not specified, then an appropriate domain controller
 			is automatically discovered.</para></listitem>
 		</varlistentry>
+		<varlistentry>
+			<term><option>--use-ldaps</option></term>
+			<listitem><para>Connect to the domain controller
+			with LDAPS. By default the LDAP port is used and SASL
+			GSS-SPNEGO or GSSAPI is used for authentication and to
+			establish encryption. This should satisfy all
+			requirements set on the server side and LDAPS should
+			only be used if the LDAP port is not accessible due to
+			firewalls or other reasons.</para>
+			<para> Please note that the place where CA certificates
+			can be found to validate the AD DC certificates
+			must be configured in the OpenLDAP configuration
+			file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
+			As an alternative it can be specified with the help of
+			an environment variable, e.g.
+<programlisting>
+$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
+...
+</programlisting>
+			Please see
+			<citerefentry><refentrytitle>ldap.conf</refentrytitle>
+			<manvolnum>5</manvolnum></citerefentry> for details.
+			</para></listitem>
+		</varlistentry>
 		<varlistentry>
 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
 			<listitem><para>Use the specified kerberos credential
diff --git a/library/adconn.c b/library/adconn.c
index ffb54f9..7bab852 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
 	char *domain_name;
 	char *domain_realm;
 	char *domain_controller;
+	bool use_ldaps;
 	char *canonical_host;
 	char *domain_short;
 	char *domain_sid;
@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
 
 static LDAP *
 connect_to_address (const char *host,
-                    const char *canonical_host)
+                    const char *canonical_host,
+                    bool use_ldaps)
 {
 	struct addrinfo *res = NULL;
 	struct addrinfo *ai;
@@ -783,6 +785,16 @@ connect_to_address (const char *host,
 	char *url;
 	int sock;
 	int rc;
+	int opt_rc;
+	const char *port = "389";
+	const char *proto = "ldap";
+	const char *errmsg = NULL;
+
+	if (use_ldaps) {
+		port = "636";
+		proto = "ldaps";
+		_adcli_info ("Using LDAPS to connect to %s", host);
+	}
 
 	memset (&hints, '\0', sizeof(hints));
 #ifdef AI_ADDRCONFIG
@@ -794,7 +806,7 @@ connect_to_address (const char *host,
 	if (!canonical_host)
 		canonical_host = host;
 
-	rc = getaddrinfo (host, "389", &hints, &res);
+	rc = getaddrinfo (host, port, &hints, &res);
 	if (rc != 0) {
 		_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
 		return NULL;
@@ -810,7 +822,7 @@ connect_to_address (const char *host,
 			close (sock);
 		} else {
 			error = 0;
-			if (asprintf (&url, "ldap://%s", canonical_host) < 0)
+			if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
 				return_val_if_reached (NULL);
 			rc = ldap_init_fd (sock, 1, url, &ldap);
 			free (url);
@@ -820,6 +832,25 @@ connect_to_address (const char *host,
 				            ldap_err2string (rc));
 				break;
 			}
+
+			if (use_ldaps) {
+				rc = ldap_install_tls (ldap);
+				if (rc != LDAP_SUCCESS) {
+					opt_rc = ldap_get_option (ldap,
+					                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
+					                          (void *) &errmsg);
+					if (opt_rc != LDAP_SUCCESS) {
+						errmsg = NULL;
+					}
+					_adcli_err ("Couldn't initialize TLS [%s]: %s",
+					            ldap_err2string (rc),
+					            errmsg == NULL ? "- no details -"
+					                           : errmsg);
+					ldap_unbind_ext_s (ldap, NULL, NULL);
+					ldap = NULL;
+					break;
+				}
+			}
 		}
 	}
 
@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
 	if (!canonical_host)
 		canonical_host = disco->host_addr;
 
-	ldap = connect_to_address (disco->host_addr, canonical_host);
+	ldap = connect_to_address (disco->host_addr, canonical_host,
+	                           adcli_conn_get_use_ldaps (conn));
 	if (ldap == NULL)
 		return ADCLI_ERR_DIRECTORY;
 
@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
 	status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
 	return_unexpected_if_fail (status == 0);
 
-	/* Clumsily tell ldap + cyrus-sasl that we want encryption */
-	ssf = 1;
-	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
-	return_unexpected_if_fail (ret == 0);
+	if (adcli_conn_get_use_ldaps (conn)) {
+		/* do not use SASL encryption on LDAPS connection */
+		ssf = 0;
+		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+		return_unexpected_if_fail (ret == 0);
+		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);
+		return_unexpected_if_fail (ret == 0);
+	} else {
+		/* Clumsily tell ldap + cyrus-sasl that we want encryption */
+		ssf = 1;
+		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+		return_unexpected_if_fail (ret == 0);
+	}
 
-	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
+	/* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
+	 * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
+	 * without LDAPS. */
+	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
+	                     && !adcli_conn_get_use_ldaps (conn)) {
 		mech =  "GSS-SPNEGO";
 	}
+	_adcli_info ("Using %s for SASL bind", mech);
 
 	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
 	conn->refs = 1;
 	conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
 	adcli_conn_set_domain_name (conn, domain_name);
+	adcli_conn_set_use_ldaps (conn, false);
 	return conn;
 }
 
@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
 	no_more_disco (conn);
 }
 
+bool
+adcli_conn_get_use_ldaps (adcli_conn *conn)
+{
+	return_val_if_fail (conn != NULL, NULL);
+	return conn->use_ldaps;
+}
+
+void
+adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
+{
+	return_if_fail (conn != NULL);
+	conn->use_ldaps = value;
+}
+
 const char *
 adcli_conn_get_domain_short (adcli_conn *conn)
 {
diff --git a/library/adconn.h b/library/adconn.h
index 37ebdd9..1d5faa8 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -89,6 +89,10 @@ const char *        adcli_conn_get_domain_controller (adcli_conn *conn);
 void                adcli_conn_set_domain_controller (adcli_conn *conn,
                                                       const char *value);
 
+bool                adcli_conn_get_use_ldaps         (adcli_conn *conn);
+void                adcli_conn_set_use_ldaps         (adcli_conn *conn,
+                                                      bool value);
+
 const char *        adcli_conn_get_domain_short      (adcli_conn *conn);
 
 const char *        adcli_conn_get_domain_sid        (adcli_conn *conn);
diff --git a/tools/computer.c b/tools/computer.c
index 840e334..292c4d8 100644
--- a/tools/computer.c
+++ b/tools/computer.c
@@ -113,12 +113,14 @@ typedef enum {
 	opt_add_service_principal,
 	opt_remove_service_principal,
 	opt_description,
+	opt_use_ldaps,
 } Option;
 
 static adcli_tool_desc common_usages[] = {
 	{ opt_domain, "active directory domain name" },
 	{ opt_domain_realm, "kerberos realm for the domain" },
 	{ opt_domain_controller, "domain controller to connect to" },
+	{ opt_use_ldaps, "use LDAPS port for communication" },
 	{ opt_host_fqdn, "override the fully qualified domain name of the\n"
 	                 "local machine" },
 	{ opt_host_keytab, "filename for the host kerberos keytab" },
@@ -311,6 +313,9 @@ parse_option (Option opt,
 	case opt_description:
 		adcli_enroll_set_description (enroll, optarg);
 		return ADCLI_SUCCESS;
+	case opt_use_ldaps:
+		adcli_conn_set_use_ldaps (conn, true);
+		return ADCLI_SUCCESS;
 	case opt_verbose:
 		return ADCLI_SUCCESS;
 
@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
 		{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "user", required_argument, NULL, opt_login_user }, /* compat */
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
 		{ "login-type", required_argument, NULL, opt_login_type },
@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
 		{ "no-password", no_argument, 0, opt_no_password },
@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
 		{ "login-type", required_argument, NULL, opt_login_type },
diff --git a/tools/entry.c b/tools/entry.c
index f361845..05e4313 100644
--- a/tools/entry.c
+++ b/tools/entry.c
@@ -53,6 +53,7 @@ typedef enum {
 	opt_unix_gid,
 	opt_unix_shell,
 	opt_nis_domain,
+	opt_use_ldaps,
 } Option;
 
 static adcli_tool_desc common_usages[] = {
@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
 	{ opt_domain, "active directory domain name" },
 	{ opt_domain_realm, "kerberos realm for the domain" },
 	{ opt_domain_controller, "domain directory server to connect to" },
+	{ opt_use_ldaps, "use LDAPS port for communication" },
 	{ opt_login_ccache, "kerberos credential cache file which contains\n"
 	                    "ticket to used to connect to the domain" },
 	{ opt_login_user, "user (usually administrative) login name of\n"
@@ -136,6 +138,9 @@ parse_option (Option opt,
 			stdin_password = 1;
 		}
 		return ADCLI_SUCCESS;
+	case opt_use_ldaps:
+		adcli_conn_set_use_ldaps (conn, true);
+		return ADCLI_SUCCESS;
 	case opt_verbose:
 		return ADCLI_SUCCESS;
 	default:
@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
 		{ "no-password", no_argument, 0, opt_no_password },
@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
 		{ "no-password", no_argument, 0, opt_no_password },
@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
 		{ "no-password", no_argument, 0, opt_no_password },
@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
 		{ "no-password", no_argument, 0, opt_no_password },
@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
 		{ "domain", required_argument, NULL, opt_domain },
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
 		{ "login-user", required_argument, NULL, opt_login_user },
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
 		{ "no-password", no_argument, 0, opt_no_password },
-- 
2.21.0
import adcli-0.8.2-5.el8 2020-04-28 09:35:15 +00:00			`From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Thu, 19 Dec 2019 07:22:33 +0100`
			`Subject: [PATCH 2/2] add option use-ldaps`

			`In general using the LDAP port with GSS-SPNEGO should satifiy all`
			`requirements an AD DC should have for authentication on an encrypted`
			`LDAP connection.`

			`But if e.g. the LDAP port is blocked by a firewall using the LDAPS port`
			`with TLS encryption might be an alternative. For this use case the`
			`--use-ldaps option is added.`

			`Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420`
			`---`
			`doc/adcli.xml \| 24 +++++++++++++++`
			`library/adconn.c \| 79 ++++++++++++++++++++++++++++++++++++++++++------`
			`library/adconn.h \| 4 +++`
			`tools/computer.c \| 10 ++++++`
			`tools/entry.c \| 11 +++++++`
			`5 files changed, 119 insertions(+), 9 deletions(-)`

			`diff --git a/doc/adcli.xml b/doc/adcli.xml`
			`index dd30435..acced25 100644`
			`--- a/doc/adcli.xml`
			`+++ b/doc/adcli.xml`
			`@@ -128,6 +128,30 @@`
			`If not specified, then an appropriate domain controller`
			`is automatically discovered.</para></listitem>`
			`</varlistentry>`
			`+ <varlistentry>`
			`+ <term><option>--use-ldaps</option></term>`
			`+ <listitem><para>Connect to the domain controller`
			`+ with LDAPS. By default the LDAP port is used and SASL`
			`+ GSS-SPNEGO or GSSAPI is used for authentication and to`
			`+ establish encryption. This should satisfy all`
			`+ requirements set on the server side and LDAPS should`
			`+ only be used if the LDAP port is not accessible due to`
			`+ firewalls or other reasons.</para>`
			`+ <para> Please note that the place where CA certificates`
			`+ can be found to validate the AD DC certificates`
			`+ must be configured in the OpenLDAP configuration`
			`+ file, e.g. <filename>/etc/openldap/ldap.conf</filename>.`
			`+ As an alternative it can be specified with the help of`
			`+ an environment variable, e.g.`
			`+<programlisting>`
			`+$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com`
			`+...`
			`+</programlisting>`
			`+ Please see`
			`+ <citerefentry><refentrytitle>ldap.conf</refentrytitle>`
			`+ <manvolnum>5</manvolnum></citerefentry> for details.`
			`+ </para></listitem>`
			`+ </varlistentry>`
			`<varlistentry>`
			`<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>`
			`<listitem><para>Use the specified kerberos credential`
			`diff --git a/library/adconn.c b/library/adconn.c`
			`index ffb54f9..7bab852 100644`
			`--- a/library/adconn.c`
			`+++ b/library/adconn.c`
			`@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {`
			`char *domain_name;`
			`char *domain_realm;`
			`char *domain_controller;`
			`+ bool use_ldaps;`
			`char *canonical_host;`
			`char *domain_short;`
			`char *domain_sid;`
			`@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap`

			`static LDAP *`
			`connect_to_address (const char *host,`
			`- const char *canonical_host)`
			`+ const char *canonical_host,`
			`+ bool use_ldaps)`
			`{`
			`struct addrinfo *res = NULL;`
			`struct addrinfo *ai;`
			`@@ -783,6 +785,16 @@ connect_to_address (const char *host,`
			`char *url;`
			`int sock;`
			`int rc;`
			`+ int opt_rc;`
			`+ const char *port = "389";`
			`+ const char *proto = "ldap";`
			`+ const char *errmsg = NULL;`
			`+`
			`+ if (use_ldaps) {`
			`+ port = "636";`
			`+ proto = "ldaps";`
			`+ _adcli_info ("Using LDAPS to connect to %s", host);`
			`+ }`

			`memset (&hints, '\0', sizeof(hints));`
			`#ifdef AI_ADDRCONFIG`
			`@@ -794,7 +806,7 @@ connect_to_address (const char *host,`
			`if (!canonical_host)`
			`canonical_host = host;`

			`- rc = getaddrinfo (host, "389", &hints, &res);`
			`+ rc = getaddrinfo (host, port, &hints, &res);`
			`if (rc != 0) {`
			`_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));`
			`return NULL;`
			`@@ -810,7 +822,7 @@ connect_to_address (const char *host,`
			`close (sock);`
			`} else {`
			`error = 0;`
			`- if (asprintf (&url, "ldap://%s", canonical_host) < 0)`
			`+ if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)`
			`return_val_if_reached (NULL);`
			`rc = ldap_init_fd (sock, 1, url, &ldap);`
			`free (url);`
			`@@ -820,6 +832,25 @@ connect_to_address (const char *host,`
			`ldap_err2string (rc));`
			`break;`
			`}`
			`+`
			`+ if (use_ldaps) {`
			`+ rc = ldap_install_tls (ldap);`
			`+ if (rc != LDAP_SUCCESS) {`
			`+ opt_rc = ldap_get_option (ldap,`
			`+ LDAP_OPT_DIAGNOSTIC_MESSAGE,`
			`+ (void *) &errmsg);`
			`+ if (opt_rc != LDAP_SUCCESS) {`
			`+ errmsg = NULL;`
			`+ }`
			`+ _adcli_err ("Couldn't initialize TLS [%s]: %s",`
			`+ ldap_err2string (rc),`
			`+ errmsg == NULL ? "- no details -"`
			`+ : errmsg);`
			`+ ldap_unbind_ext_s (ldap, NULL, NULL);`
			`+ ldap = NULL;`
			`+ break;`
			`+ }`
			`+ }`
			`}`
			`}`

			`@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,`
			`if (!canonical_host)`
			`canonical_host = disco->host_addr;`

			`- ldap = connect_to_address (disco->host_addr, canonical_host);`
			`+ ldap = connect_to_address (disco->host_addr, canonical_host,`
			`+ adcli_conn_get_use_ldaps (conn));`
			`if (ldap == NULL)`
			`return ADCLI_ERR_DIRECTORY;`

			`@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)`
			`status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);`
			`return_unexpected_if_fail (status == 0);`

			`- /* Clumsily tell ldap + cyrus-sasl that we want encryption */`
			`- ssf = 1;`
			`- ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);`
			`- return_unexpected_if_fail (ret == 0);`
			`+ if (adcli_conn_get_use_ldaps (conn)) {`
			`+ /* do not use SASL encryption on LDAPS connection */`
			`+ ssf = 0;`
			`+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);`
			`+ return_unexpected_if_fail (ret == 0);`
			`+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);`
			`+ return_unexpected_if_fail (ret == 0);`
			`+ } else {`
			`+ /* Clumsily tell ldap + cyrus-sasl that we want encryption */`
			`+ ssf = 1;`
			`+ ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);`
			`+ return_unexpected_if_fail (ret == 0);`
			`+ }`

			`- if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {`
			`+ /* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if`
			`+ * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used`
			`+ * without LDAPS. */`
			`+ if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")`
			`+ && !adcli_conn_get_use_ldaps (conn)) {`
			`mech = "GSS-SPNEGO";`
			`}`
			`+ _adcli_info ("Using %s for SASL bind", mech);`

			`ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,`
			`LDAP_SASL_QUIET, sasl_interact, NULL);`
			`@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)`
			`conn->refs = 1;`
			`conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT \| ADCLI_LOGIN_USER_ACCOUNT;`
			`adcli_conn_set_domain_name (conn, domain_name);`
			`+ adcli_conn_set_use_ldaps (conn, false);`
			`return conn;`
			`}`

			`@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,`
			`no_more_disco (conn);`
			`}`

			`+bool`
			`+adcli_conn_get_use_ldaps (adcli_conn *conn)`
			`+{`
			`+ return_val_if_fail (conn != NULL, NULL);`
			`+ return conn->use_ldaps;`
			`+}`
			`+`
			`+void`
			`+adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)`
			`+{`
			`+ return_if_fail (conn != NULL);`
			`+ conn->use_ldaps = value;`
			`+}`
			`+`
			`const char *`
			`adcli_conn_get_domain_short (adcli_conn *conn)`
			`{`
			`diff --git a/library/adconn.h b/library/adconn.h`
			`index 37ebdd9..1d5faa8 100644`
			`--- a/library/adconn.h`
			`+++ b/library/adconn.h`
			`@@ -89,6 +89,10 @@ const char * adcli_conn_get_domain_controller (adcli_conn *conn);`
			`void adcli_conn_set_domain_controller (adcli_conn *conn,`
			`const char *value);`

			`+bool adcli_conn_get_use_ldaps (adcli_conn *conn);`
			`+void adcli_conn_set_use_ldaps (adcli_conn *conn,`
			`+ bool value);`
			`+`
			`const char * adcli_conn_get_domain_short (adcli_conn *conn);`

			`const char * adcli_conn_get_domain_sid (adcli_conn *conn);`
			`diff --git a/tools/computer.c b/tools/computer.c`
			`index 840e334..292c4d8 100644`
			`--- a/tools/computer.c`
			`+++ b/tools/computer.c`
			`@@ -113,12 +113,14 @@ typedef enum {`
			`opt_add_service_principal,`
			`opt_remove_service_principal,`
			`opt_description,`
			`+ opt_use_ldaps,`
			`} Option;`

			`static adcli_tool_desc common_usages[] = {`
			`{ opt_domain, "active directory domain name" },`
			`{ opt_domain_realm, "kerberos realm for the domain" },`
			`{ opt_domain_controller, "domain controller to connect to" },`
			`+ { opt_use_ldaps, "use LDAPS port for communication" },`
			`{ opt_host_fqdn, "override the fully qualified domain name of the\n"`
			`"local machine" },`
			`{ opt_host_keytab, "filename for the host kerberos keytab" },`
			`@@ -311,6 +313,9 @@ parse_option (Option opt,`
			`case opt_description:`
			`adcli_enroll_set_description (enroll, optarg);`
			`return ADCLI_SUCCESS;`
			`+ case opt_use_ldaps:`
			`+ adcli_conn_set_use_ldaps (conn, true);`
			`+ return ADCLI_SUCCESS;`
			`case opt_verbose:`
			`return ADCLI_SUCCESS;`

			`@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "user", required_argument, NULL, opt_login_user }, /* compat */`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "domain-ou", required_argument, NULL, opt_domain_ou },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`{ "login-type", required_argument, NULL, opt_login_type },`
			`@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`{ "no-password", no_argument, 0, opt_no_password },`
			`@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`{ "login-type", required_argument, NULL, opt_login_type },`
			`diff --git a/tools/entry.c b/tools/entry.c`
			`index f361845..05e4313 100644`
			`--- a/tools/entry.c`
			`+++ b/tools/entry.c`
			`@@ -53,6 +53,7 @@ typedef enum {`
			`opt_unix_gid,`
			`opt_unix_shell,`
			`opt_nis_domain,`
			`+ opt_use_ldaps,`
			`} Option;`

			`static adcli_tool_desc common_usages[] = {`
			`@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {`
			`{ opt_domain, "active directory domain name" },`
			`{ opt_domain_realm, "kerberos realm for the domain" },`
			`{ opt_domain_controller, "domain directory server to connect to" },`
			`+ { opt_use_ldaps, "use LDAPS port for communication" },`
			`{ opt_login_ccache, "kerberos credential cache file which contains\n"`
			`"ticket to used to connect to the domain" },`
			`{ opt_login_user, "user (usually administrative) login name of\n"`
			`@@ -136,6 +138,9 @@ parse_option (Option opt,`
			`stdin_password = 1;`
			`}`
			`return ADCLI_SUCCESS;`
			`+ case opt_use_ldaps:`
			`+ adcli_conn_set_use_ldaps (conn, true);`
			`+ return ADCLI_SUCCESS;`
			`case opt_verbose:`
			`return ADCLI_SUCCESS;`
			`default:`
			`@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`{ "no-password", no_argument, 0, opt_no_password },`
			`@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`{ "no-password", no_argument, 0, opt_no_password },`
			`@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "domain-ou", required_argument, NULL, opt_domain_ou },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`{ "no-password", no_argument, 0, opt_no_password },`
			`@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`{ "no-password", no_argument, 0, opt_no_password },`
			`@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,`
			`{ "domain", required_argument, NULL, opt_domain },`
			`{ "domain-realm", required_argument, NULL, opt_domain_realm },`
			`{ "domain-controller", required_argument, NULL, opt_domain_controller },`
			`+ { "use-ldaps", no_argument, 0, opt_use_ldaps },`
			`{ "login-user", required_argument, NULL, opt_login_user },`
			`{ "login-ccache", optional_argument, NULL, opt_login_ccache },`
			`{ "no-password", no_argument, 0, opt_no_password },`
			`--`
			`2.21.0`