From a1c732637f1ed984e1ff76fa8179d6fd3aa036fb Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 18 Nov 2019 17:42:11 +0100
Subject: [PATCH 206/208] param: Do not use weak crypto in ldap server if
disallowed
Signed-off-by: Andreas Schneider <asn@samba.org>
---
.../ldap/ldapserverrequirestrongauth.xml | 5 +++++
lib/param/loadparm.c | 8 ++++++++
source3/include/proto.h | 1 +
source3/param/loadparm.c | 14 +++++++++++++-
4 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
|
|
index 02bdd811491..e40ac06dfe6 100644
|
|
--- a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
|
|
+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
|
|
@@ -2,6 +2,7 @@
|
|
context="G"
|
|
type="enum"
|
|
enumlist="enum_ldap_server_require_strong_auth_vals"
|
|
+ function="_ldap_server_require_strong_auth"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>
|
|
@@ -21,6 +22,10 @@
|
|
<para>A value of <emphasis>yes</emphasis> allows only simple binds
|
|
over TLS encrypted connections. Unencrypted connections only
|
|
allow sasl binds with sign or seal.</para>
|
|
+
|
|
+ <para>If weak cryptography is not allowed by the system, then this
|
|
+ variable will default to <constant>allow_sasl_over_tls</constant>
|
|
+ and setting it to <constant>no</constant> will not have any effect.</para>
|
|
</description>
|
|
<value type="default">yes</value>
|
|
</samba:parameter>
|
|
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
index 41a4c110195..b1497f00aaa 100644
|
|
--- a/lib/param/loadparm.c
|
|
+++ b/lib/param/loadparm.c
|
|
@@ -105,6 +105,14 @@ int lpcfg_kerberos_encryption_types(struct loadparm_context *lp_ctx)
|
|
return lpcfg__kerberos_encryption_types(lp_ctx);
|
|
}
|
|
|
|
+enum ldap_server_require_strong_auth lpcfg_ldap_server_require_strong_auth(struct loadparm_context *lp_ctx)
|
|
+{
|
|
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
+ return LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
|
|
+ }
|
|
+
|
|
+ return lpcfg__ldap_server_require_strong_auth(lp_ctx);
|
|
+}
|
|
|
|
enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx)
|
|
{
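Review bot: lpcfg_ldap_server_require_strong_auth forces LDAP_SERVER_REQUIRE_STRONG_AUTH_YES whenever weak crypto is disallowed, while the source3 accessor added later in this patch (lp_ldap_server_require_strong_auth) only raises the configured value to ALLOW_SASL_OVER_TLS via MAX, and the added documentation describes that weaker floor. An administrator who explicitly sets allow_sasl_over_tls therefore gets a different effective policy depending on which accessor a caller uses, which is hard to reason about and to audit. Either align this function with the source3 variant, e.g. `return MAX(lpcfg__ldap_server_require_strong_auth(lp_ctx), LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS);` (assuming MAX is available in this file), or add a comment above the early return explaining why the stricter YES is intended here and update the docs to say so.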
|
|
diff --git a/source3/include/proto.h b/source3/include/proto.h
|
|
index aaa101fc63c..c758c31ea67 100644
|
|
--- a/source3/include/proto.h
|
|
+++ b/source3/include/proto.h
|
|
@@ -756,6 +756,7 @@ int lp_rpc_low_port(void);
|
|
int lp_rpc_high_port(void);
|
|
bool lp_lanman_auth(void);
|
|
int lp_kerberos_encryption_types(void);
|
|
+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void);
|
|
enum samba_weak_crypto lp_weak_crypto(void);
|
|
|
|
int lp_wi_scan_global_parametrics(
|
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
index e68140ae5f0..da2af1f9f46 100644
|
|
--- a/source3/param/loadparm.c
|
|
+++ b/source3/param/loadparm.c
|
|
@@ -754,7 +754,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|
|
|
Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
|
|
|
|
- Globals.ldap_server_require_strong_auth =
|
|
+ Globals._ldap_server_require_strong_auth =
|
|
LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
|
|
|
|
/* This is what we tell the afs client. in reality we set the token
|
|
@@ -4688,6 +4688,18 @@ int lp_kerberos_encryption_types(void)
|
|
return lp__kerberos_encryption_types();
|
|
}
|
|
|
|
+enum ldap_server_require_strong_auth lp_ldap_server_require_strong_auth(void)
|
|
+{
|
|
+ enum ldap_server_require_strong_auth a =
|
|
+ lp__ldap_server_require_strong_auth();
|
|
+
|
|
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
+ return MAX(a, LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS);
|
|
+ }
|
|
+
|
|
+ return a;
|
|
+}
|
|
+
|
|
struct loadparm_global * get_globals(void)
|
|
{
|
|
return &Globals;
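Review bot: The `MAX(a, LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)` clamp silently depends on the enum being declared in increasing strictness (presumably NO < ALLOW_SASL_OVER_TLS < YES), which is not visible in this hunk; if someone later reorders or extends the enum, the security floor breaks without a compiler warning. Suggest a comment on the return, `/* Enum values are ordered by strictness; never fall below TLS-protected simple binds when weak crypto is disallowed. */`, and ideally a `_Static_assert` on the ordering next to the enum definition. The MAX-vs-forced-YES discrepancy with the lib/param accessor is raised on that hunk.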
--
2.23.0