73 lines
3.1 KiB
Diff
73 lines
3.1 KiB
Diff
From 8e207fd33d524f5cde2dfd8a41a08926a328a92b Mon Sep 17 00:00:00 2001
|
|
From: Christian Heimes <cheimes@redhat.com>
|
|
Date: Tue, 13 Aug 2019 17:22:01 +0200
|
|
Subject: [PATCH] Allow insecure binds for migration
|
|
|
|
Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
|
|
over an insecure connection. Password logins were only allowed over LDAPS
|
|
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
|
|
|
|
This commit lifts the restriction and permits insecure binds over plain
|
|
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
|
|
certificate is configured with a plain LDAP connection.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/8040
|
|
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
---
|
|
ipapython/ipaldap.py | 8 +++++---
|
|
ipaserver/plugins/migration.py | 9 ++++-----
|
|
2 files changed, 9 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
|
|
index 9ff443fe4f..f40858e27f 100644
|
|
--- a/ipapython/ipaldap.py
|
|
+++ b/ipapython/ipaldap.py
|
|
@@ -1206,12 +1206,14 @@ def _connect(self):
|
|
return conn
|
|
|
|
def simple_bind(self, bind_dn, bind_password, server_controls=None,
|
|
- client_controls=None):
|
|
+ client_controls=None, insecure_bind=False):
|
|
"""
|
|
Perform simple bind operation.
|
|
"""
|
|
- if self.protocol == 'ldap' and not self._start_tls and bind_password:
|
|
- # non-empty bind must use a secure connection
|
|
+ if (self.protocol == 'ldap' and not self._start_tls and
|
|
+ bind_password and not insecure_bind):
|
|
+ # non-empty bind must use a secure connection unless
|
|
+ # insecure bind is explicitly enabled
|
|
raise ValueError('simple_bind over insecure LDAP connection')
|
|
with self.error_handler():
|
|
self._flush_schema()
|
|
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
|
|
index d0ca8369ae..b025c46cc5 100644
|
|
--- a/ipaserver/plugins/migration.py
|
|
+++ b/ipaserver/plugins/migration.py
|
|
@@ -901,20 +901,19 @@ def execute(self, ldapuri, bindpw, **options):
|
|
return dict(result={}, failed={}, enabled=False, compat=True)
|
|
|
|
# connect to DS
|
|
- cacert = None
|
|
if options.get('cacertfile') is not None:
|
|
# store CA cert into file
|
|
tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
|
|
cacert = tmp_ca_cert_f.name
|
|
|
|
- # start TLS connection
|
|
- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
|
|
+ # start TLS connection or STARTTLS
|
|
+ ds_ldap = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
|
|
ds_ldap.simple_bind(options['binddn'], bindpw)
|
|
|
|
tmp_ca_cert_f.close()
|
|
else:
|
|
- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
|
|
- ds_ldap.simple_bind(options['binddn'], bindpw)
|
|
+ ds_ldap = LDAPClient(ldapuri)
|
|
+ ds_ldap.simple_bind(options['binddn'], bindpw, insecure_bind=True)
|
|
|
|
# check whether the compat plugin is enabled
|
|
if not options.get('compat'):
|