|
 |
f49ad6f |
From b53c3e5fb5c90813ce1b47ddc570dd9c800232f9 Mon Sep 17 00:00:00 2001
|
|
|
f49ad6f |
From: Sumit Bose <sbose@redhat.com>
|
|
|
f49ad6f |
Date: Fri, 3 Jul 2020 17:18:27 +0200
|
|
|
f49ad6f |
Subject: [PATCH 2/4] Use startTLS with FreeIPA
|
|
|
f49ad6f |
|
|
|
f49ad6f |
FreeIPA is planning to required a minimal security strength factor (ssf)
|
|
|
f49ad6f |
in an upcoming version. This basically means that communication should
|
|
|
f49ad6f |
be encrypted. The most straight forward way is use TLS by doing a
|
|
|
f49ad6f |
StartLS operation after the rootDSE lookup. Since FreeIPA supports TLS
|
|
|
f49ad6f |
since the initial release we will call StartTLS unconditionally but try
|
|
|
f49ad6f |
without if it fails.
|
|
|
f49ad6f |
|
|
|
f49ad6f |
Resolves: https://gitlab.freedesktop.org/realmd/realmd/-/issues/23
|
|
|
f49ad6f |
---
|
|
|
f49ad6f |
service/realm-disco-rootdse.c | 23 +++++++++++++++++++++++
|
|
|
f49ad6f |
service/realm-ldap.c | 4 +++-
|
|
|
f49ad6f |
2 files changed, 26 insertions(+), 1 deletion(-)
|
|
|
f49ad6f |
|
|
|
f49ad6f |
diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
|
|
|
f49ad6f |
index 3100650..7614071 100644
|
|
|
f49ad6f |
--- a/service/realm-disco-rootdse.c
|
|
|
f49ad6f |
+++ b/service/realm-disco-rootdse.c
|
|
|
f49ad6f |
@@ -226,10 +226,33 @@ request_domain_info (GTask *task,
|
|
|
f49ad6f |
LDAP *ldap)
|
|
|
f49ad6f |
{
|
|
|
f49ad6f |
const char *attrs[] = { "info", "associatedDomain", NULL };
|
|
|
f49ad6f |
+ int ret;
|
|
|
f49ad6f |
+ int ldap_opt_val;
|
|
|
f49ad6f |
|
|
|
f49ad6f |
clo->request = NULL;
|
|
|
f49ad6f |
clo->result = result_domain_info;
|
|
|
f49ad6f |
|
|
|
f49ad6f |
+ /* Trying to setup a TLS tunnel in the case the IPA server requires an
|
|
|
f49ad6f |
+ * encrypted connected. Trying without in case of an error. Since we
|
|
|
f49ad6f |
+ * most probably do not have the IPA CA certificate we will not check
|
|
|
f49ad6f |
+ * the server certificate. */
|
|
|
f49ad6f |
+ ldap_opt_val = LDAP_OPT_X_TLS_NEVER;
|
|
|
f49ad6f |
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_opt_val);
|
|
|
f49ad6f |
+ if (ret != LDAP_OPT_SUCCESS) {
|
|
|
f49ad6f |
+ g_debug ("Failed to disable certificate checking, trying without");
|
|
|
f49ad6f |
+ }
|
|
|
f49ad6f |
+
|
|
|
f49ad6f |
+ ldap_opt_val = 0;
|
|
|
f49ad6f |
+ ret = ldap_set_option (ldap, LDAP_OPT_X_TLS_NEWCTX, &ldap_opt_val);
|
|
|
f49ad6f |
+ if (ret != LDAP_OPT_SUCCESS) {
|
|
|
f49ad6f |
+ g_debug ("Failed to refresh LDAP context for TLS, trying without");
|
|
|
f49ad6f |
+ }
|
|
|
f49ad6f |
+
|
|
|
f49ad6f |
+ ret = ldap_start_tls_s (ldap, NULL, NULL);
|
|
|
f49ad6f |
+ if (ret != LDAP_SUCCESS) {
|
|
|
f49ad6f |
+ g_debug ("Failed to setup TLS tunnel, trying without");
|
|
|
f49ad6f |
+ }
|
|
|
f49ad6f |
+
|
|
|
f49ad6f |
return search_ldap (task, clo, ldap, clo->default_naming_context,
|
|
|
f49ad6f |
LDAP_SCOPE_BASE, NULL, attrs);
|
|
|
f49ad6f |
}
|
|
|
f49ad6f |
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
|
|
|
f49ad6f |
index 59817fb..7831b5b 100644
|
|
|
f49ad6f |
--- a/service/realm-ldap.c
|
|
|
f49ad6f |
+++ b/service/realm-ldap.c
|
|
|
f49ad6f |
@@ -238,7 +238,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
|
|
|
f49ad6f |
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
|
|
|
f49ad6f |
g_warning ("couldn't set to blocking");
|
|
|
f49ad6f |
|
|
|
f49ad6f |
- rc = ldap_init_fd (ls->sock, 1, NULL, &ls->ldap);
|
|
|
f49ad6f |
+ url = g_strdup_printf ("ldap://%s:%d", addrname, port);
|
|
|
f49ad6f |
+ rc = ldap_init_fd (ls->sock, 1, url, &ls->ldap);
|
|
|
f49ad6f |
+ g_free (url);
|
|
|
f49ad6f |
|
|
|
f49ad6f |
g_free (native);
|
|
|
f49ad6f |
|
|
|
f49ad6f |
--
|
|
|
f49ad6f |
2.26.2
|
|
|
f49ad6f |
|