92 lines
3.0 KiB
Diff
92 lines
3.0 KiB
Diff
From 24387e19f065e6a585b1120d5568cb4df271d102 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Fri, 27 Sep 2019 13:45:13 +0200
|
|
Subject: [PATCH 15/15] ad: set min and max ssf for ldaps
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
AD does not allow to use encryption in the TLS and SASL layer at the
|
|
same time. To be able to use ldaps this patch sets min and max ssf to 0
|
|
if ldaps should be used.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/4131
|
|
|
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
---
|
|
src/providers/ad/ad_common.c | 21 +++++++++++++++++++++
|
|
src/providers/ad/ad_common.h | 2 ++
|
|
src/providers/ad/ad_subdomains.c | 4 ++++
|
|
3 files changed, 27 insertions(+)
|
|
|
|
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
|
index a2369166a..51300f5b2 100644
|
|
--- a/src/providers/ad/ad_common.c
|
|
+++ b/src/providers/ad/ad_common.c
|
|
@@ -1021,6 +1021,23 @@ done:
|
|
return;
|
|
}
|
|
|
|
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)
|
|
+{
|
|
+ int ret;
|
|
+
|
|
+ DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");
|
|
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Failed to set SASL minssf for ldaps usage, ignored.\n");
|
|
+ }
|
|
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Failed to set SASL maxssf for ldaps usage, ignored.\n");
|
|
+ }
|
|
+}
|
|
+
|
|
static errno_t
|
|
ad_set_sdap_options(struct ad_options *ad_opts,
|
|
struct sdap_options *id_opts)
|
|
@@ -1079,6 +1096,10 @@ ad_set_sdap_options(struct ad_options *ad_opts,
|
|
goto done;
|
|
}
|
|
|
|
+ if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {
|
|
+ ad_set_ssf_for_ldaps(id_opts);
|
|
+ }
|
|
+
|
|
/* Warn if the user is doing something silly like overriding the schema
|
|
* with the AD provider
|
|
*/
|
|
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
|
index 44da58fa0..8b7a86102 100644
|
|
--- a/src/providers/ad/ad_common.h
|
|
+++ b/src/providers/ad/ad_common.h
|
|
@@ -182,6 +182,8 @@ errno_t
|
|
ad_get_dyndns_options(struct be_ctx *be_ctx,
|
|
struct ad_options *ad_opts);
|
|
|
|
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);
|
|
+
|
|
struct ad_id_ctx *
|
|
ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx);
|
|
|
|
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
index d8c201437..a9c6b9f28 100644
|
|
--- a/src/providers/ad/ad_subdomains.c
|
|
+++ b/src/providers/ad/ad_subdomains.c
|
|
@@ -328,6 +328,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
return ret;
|
|
}
|
|
|
|
+ if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {
|
|
+ ad_set_ssf_for_ldaps(ad_options->id);
|
|
+ }
|
|
+
|
|
ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
|
|
ad_options->id->basic,
|
|
be_ctx->cdb, subdom_conf_path,
|
|
--
|
|
2.20.1
|
|
|