rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Revert MINSSF defaults because realmd cannot join FreeIPA right now

Browse Source 
realmd uses anonymous LDAP connection for the discovery and validation
and fails to validate it is joining FreeIPA server.
This commit is contained in:
Alexander Bokovoy 2019-05-01 21:29:12 +03:00
parent 7eef088ee0
commit 3eda80f6d8
2 changed files with 142 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

136
0001-revert-minssf-defaults.patch Normal file
View File

@ -0,0 +1,136 @@
From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 1 May 2019 21:25:31 +0300
Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
---
install/share/Makefile.am | 1 -
install/share/min-ssf.ldif | 14 --------------
ipalib/constants.py | 3 ---
ipapython/ipaldap.py | 17 ++---------------
ipaserver/install/dsinstance.py | 5 -----
5 files changed, 2 insertions(+), 38 deletions(-)
delete mode 100644 install/share/min-ssf.ldif
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index be83bdf75..8d039d95c 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -94,7 +94,6 @@ dist_app_DATA = \
ipa-kdc-proxy.conf.template \
ipa-pki-proxy.conf.template \
ipa-rewrite.conf.template \
- min-ssf.ldif \
ipaca_default.ini \
ipaca_customize.ini \
ipaca_softhsm2.ini \
diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
deleted file mode 100644
index 1c2566f84..000000000
--- a/install/share/min-ssf.ldif
+++ /dev/null
@@ -1,14 +0,0 @@
-# config
-# pretend SSF for LDAPI connections
-# nsslapd-localssf must be equal to or greater than nsslapd-minssf
-dn: cn=config
-changetype: modify
-replace: nsslapd-localssf
-nsslapd-localssf: 256
-
-# minimum security strength factor for SASL and TLS
-# 56 is considered weak, but some old clients announce wrong SSF.
-dn: cn=config
-changetype: modify
-replace: nsslapd-minssf
-nsslapd-minssf: 56
diff --git a/ipalib/constants.py b/ipalib/constants.py
index bcf6f3373..c22dd26ae 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -311,9 +311,6 @@ TLS_VERSIONS = [
]
TLS_VERSION_MINIMAL = "tls1.0"
-# minimum SASL secure strength factor for LDAP connections
-# 56 provides backwards compatibility with old libraries.
-LDAP_SSF_MIN_THRESHOLD = 56
# Use cache path
USER_CACHE_PATH = (
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index d9d67be1d..9ff443fe4 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -43,9 +43,7 @@ import six
# pylint: disable=ipa-forbidden-import
from ipalib import errors, x509, _
-from ipalib.constants import (
- LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
-)
+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
# pylint: enable=ipa-forbidden-import
from ipaplatform.paths import paths
from ipapython.ipautil import format_netloc, CIDict
@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
-def ldap_initialize(uri, cacertfile=None,
- ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
+def ldap_initialize(uri, cacertfile=None):
"""Wrapper around ldap.initialize()
The function undoes global and local ldap.conf settings that may cause
@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
locations, also known as system-wide trust store.
* Cert validation is enforced.
* SSLv2 and SSLv3 are disabled.
- * Require a minimum SASL security factor of 56. That level ensures
- data integrity and confidentiality. Although at least AES128 is
- enforced pretty much everywhere, 56 is required for backwards
- compatibility with systems that announce wrong SSF.
"""
conn = ldap.initialize(uri)
@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
if not uri.startswith('ldapi://'):
- # require a minimum SSF for TCP connections, but don't lower SSF_MIN
- # if the current value is already larger.
- cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
- if cur_min_ssf < ssf_min_threshold:
- conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
-
if cacertfile:
if not os.path.isfile(cacertfile):
raise IOError(errno.ENOENT, cacertfile)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 8240e3043..9f05db1db 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -324,8 +324,6 @@ class DsInstance(service.Service):
else:
self.step("importing CA certificates from LDAP",
self.__import_ca_certs)
- # set min SSF after DS is configured for TLS
- self.step("require minimal SSF", self.__min_ssf)
self.step("restarting directory server", self.__restart_instance)
self.start_creation()
@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
dm_password=self.dm_password
)
- def __min_ssf(self):
- self._ldap_mod("min-ssf.ldif")
-
def __add_sudo_binduser(self):
self._ldap_mod("sudobind.ldif", self.sub_dict)
--
2.21.0

7
freeipa.spec
View File

@ -135,13 +135,14 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 1%{?dist}
Release: 2%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
Patch0001: 0001-revert-minssf-defaults.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@ -1306,6 +1307,10 @@ fi
%changelog
* Wed May 1 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-2
- Revert MINSSF defaults because realmd cannot join FreeIPA right now
as it uses anonymous LDAP connection for the discovery and validation
* Mon Apr 29 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-1
- First release candidate for FreeIPA 4.8.0