dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0021-LDAP-Bind-to-the-LDAP-server-also-in-the-auth.patch

9f2ebf
From 7ebfab326f94e508ce2910c7242a8dd7652ec8a2 Mon Sep 17 00:00:00 2001
9f2ebf
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
9f2ebf
Date: Wed, 25 Oct 2017 11:25:09 +0200
9f2ebf
Subject: [PATCH 21/21] LDAP: Bind to the LDAP server also in the auth
9f2ebf
MIME-Version: 1.0
9f2ebf
Content-Type: text/plain; charset=UTF-8
9f2ebf
Content-Transfer-Encoding: 8bit
9f2ebf
9f2ebf
When dealing with id_provider not being the same as auth_provider, SSSD
9f2ebf
has to bind the DN of the user which wants to authenticate with the
9f2ebf
ldap_default_bind_dn and the password provided by the user.
9f2ebf
9f2ebf
In order to do so, the least intrusive way is just by replacing
9f2ebf
sdap_connect*() functions by sdap_cli_connect*() functions in the LDAP's
9f2ebf
auth module.
9f2ebf
9f2ebf
The simple change also allowed us to remove some code that is already
9f2ebf
executed as part of sdap_cli_connect*() and some functions had their
9f2ebf
names adapted to reflect better their new purpose.
9f2ebf
9f2ebf
Resolves:
9f2ebf
https://pagure.io/SSSD/sssd/issue/3451
9f2ebf
9f2ebf
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
9f2ebf
Reviewed-by: Sumit Bose <sbose@redhat.com>
9f2ebf
(cherry picked from commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b)
9f2ebf
---
9f2ebf
 src/providers/ldap/ldap_auth.c | 114 +++++++++--------------------------------
9f2ebf
 1 file changed, 25 insertions(+), 89 deletions(-)
9f2ebf
9f2ebf
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
9f2ebf
index 00ddd889b6294e457c13218491547b84f1468266..a3b1480aae4272d2e10f105a1eaf3a5816c3487c 100644
9f2ebf
--- a/src/providers/ldap/ldap_auth.c
9f2ebf
+++ b/src/providers/ldap/ldap_auth.c
9f2ebf
@@ -619,14 +619,11 @@ struct auth_state {
9f2ebf
     char *dn;
9f2ebf
     enum pwexpire pw_expire_type;
9f2ebf
     void *pw_expire_data;
9f2ebf
-
9f2ebf
-    struct fo_server *srv;
9f2ebf
 };
9f2ebf
 
9f2ebf
-static struct tevent_req *auth_get_server(struct tevent_req *req);
9f2ebf
+static struct tevent_req *auth_connect_send(struct tevent_req *req);
9f2ebf
 static void auth_get_dn_done(struct tevent_req *subreq);
9f2ebf
 static void auth_do_bind(struct tevent_req *req);
9f2ebf
-static void auth_resolve_done(struct tevent_req *subreq);
9f2ebf
 static void auth_connect_done(struct tevent_req *subreq);
9f2ebf
 static void auth_bind_user_done(struct tevent_req *subreq);
9f2ebf
 
9f2ebf
@@ -659,7 +656,6 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
9f2ebf
     state->ctx = ctx;
9f2ebf
     state->username = username;
9f2ebf
     state->authtok = authtok;
9f2ebf
-    state->srv = NULL;
9f2ebf
     if (try_chpass_service && ctx->chpass_service != NULL &&
9f2ebf
         ctx->chpass_service->name != NULL) {
9f2ebf
         state->sdap_service = ctx->chpass_service;
9f2ebf
@@ -667,7 +663,7 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
9f2ebf
         state->sdap_service = ctx->service;
9f2ebf
     }
9f2ebf
 
9f2ebf
-    if (!auth_get_server(req)) goto fail;
9f2ebf
+    if (!auth_connect_send(req)) goto fail;
9f2ebf
 
9f2ebf
     return req;
9f2ebf
 
9f2ebf
@@ -676,75 +672,37 @@ fail:
9f2ebf
     return NULL;
9f2ebf
 }
9f2ebf
 
9f2ebf
-static struct tevent_req *auth_get_server(struct tevent_req *req)
9f2ebf
+static struct tevent_req *auth_connect_send(struct tevent_req *req)
9f2ebf
 {
9f2ebf
-    struct tevent_req *next_req;
9f2ebf
+    struct tevent_req *subreq;
9f2ebf
     struct auth_state *state = tevent_req_data(req,
9f2ebf
                                                struct auth_state);
9f2ebf
-
9f2ebf
-     /* NOTE: this call may cause service->uri to be refreshed
9f2ebf
-      * with a new valid server. Do not use service->uri before */
9f2ebf
-    next_req = be_resolve_server_send(state,
9f2ebf
-                                      state->ev,
9f2ebf
-                                      state->ctx->be,
9f2ebf
-                                      state->sdap_service->name,
9f2ebf
-                                      state->srv == NULL ? true : false);
9f2ebf
-    if (!next_req) {
9f2ebf
-        DEBUG(SSSDBG_CRIT_FAILURE, "be_resolve_server_send failed.\n");
9f2ebf
-        return NULL;
9f2ebf
-    }
9f2ebf
-
9f2ebf
-    tevent_req_set_callback(next_req, auth_resolve_done, req);
9f2ebf
-    return next_req;
9f2ebf
-}
9f2ebf
-
9f2ebf
-static void auth_resolve_done(struct tevent_req *subreq)
9f2ebf
-{
9f2ebf
-    struct tevent_req *req = tevent_req_callback_data(subreq,
9f2ebf
-                                                      struct tevent_req);
9f2ebf
-    struct auth_state *state = tevent_req_data(req,
9f2ebf
-                                                    struct auth_state);
9f2ebf
-    int ret;
9f2ebf
     bool use_tls;
9f2ebf
 
9f2ebf
-    ret = be_resolve_server_recv(subreq, state, &state->srv);
9f2ebf
-    talloc_zfree(subreq);
9f2ebf
-    if (ret) {
9f2ebf
-        /* all servers have been tried and none
9f2ebf
-         * was found good, go offline */
9f2ebf
-        tevent_req_error(req, ETIMEDOUT);
9f2ebf
-        return;
9f2ebf
+    /* Check for undocumented debugging feature to disable TLS
9f2ebf
+     * for authentication. This should never be used in production
9f2ebf
+     * for obvious reasons.
9f2ebf
+     */
9f2ebf
+    use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
9f2ebf
+    if (!use_tls) {
9f2ebf
+        sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
9f2ebf
+                               "insecure connection. This should be done "
9f2ebf
+                               "for debugging purposes only.");
9f2ebf
     }
9f2ebf
 
9f2ebf
-    /* Determine whether we need to use TLS */
9f2ebf
-    if (sdap_is_secure_uri(state->ctx->service->uri)) {
9f2ebf
-        DEBUG(SSSDBG_TRACE_INTERNAL,
9f2ebf
-              "[%s] is a secure channel. No need to run START_TLS\n",
9f2ebf
-                  state->ctx->service->uri);
9f2ebf
-        use_tls = false;
9f2ebf
-    } else {
9f2ebf
+    subreq = sdap_cli_connect_send(state, state->ev, state->ctx->opts,
9f2ebf
+                                   state->ctx->be,
9f2ebf
+                                   state->sdap_service, false,
9f2ebf
+                                   use_tls ? CON_TLS_ON : CON_TLS_OFF, false);
9f2ebf
 
9f2ebf
-        /* Check for undocumented debugging feature to disable TLS
9f2ebf
-         * for authentication. This should never be used in production
9f2ebf
-         * for obvious reasons.
9f2ebf
-         */
9f2ebf
-        use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
9f2ebf
-        if (!use_tls) {
9f2ebf
-            sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
9f2ebf
-                                   "insecure connection. This should be done "
9f2ebf
-                                   "for debugging purposes only.");
9f2ebf
-        }
9f2ebf
-    }
9f2ebf
-
9f2ebf
-    subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
9f2ebf
-                               state->sdap_service->uri,
9f2ebf
-                               state->sdap_service->sockaddr, use_tls);
9f2ebf
-    if (!subreq) {
9f2ebf
+    if (subreq == NULL) {
9f2ebf
         tevent_req_error(req, ENOMEM);
9f2ebf
-        return;
9f2ebf
+        return NULL;
9f2ebf
     }
9f2ebf
 
9f2ebf
     tevent_req_set_callback(subreq, auth_connect_done, req);
9f2ebf
+
9f2ebf
+    return subreq;
9f2ebf
 }
9f2ebf
 
9f2ebf
 static void auth_connect_done(struct tevent_req *subreq)
9f2ebf
@@ -755,35 +713,13 @@ static void auth_connect_done(struct tevent_req *subreq)
9f2ebf
                                                     struct auth_state);
9f2ebf
     int ret;
9f2ebf
 
9f2ebf
-    ret = sdap_connect_recv(subreq, state, &state->sh);
9f2ebf
+    ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
9f2ebf
     talloc_zfree(subreq);
9f2ebf
-    if (ret) {
9f2ebf
-        if (state->srv) {
9f2ebf
-            /* mark this server as bad if connection failed */
9f2ebf
-            be_fo_set_port_status(state->ctx->be,
9f2ebf
-                                  state->sdap_service->name,
9f2ebf
-                                  state->srv, PORT_NOT_WORKING);
9f2ebf
-        }
9f2ebf
-
9f2ebf
-        if (auth_get_server(req) == NULL) {
9f2ebf
+    if (ret != EOK) {
9f2ebf
+        if (auth_connect_send(req) == NULL) {
9f2ebf
             tevent_req_error(req, ENOMEM);
9f2ebf
         }
9f2ebf
         return;
9f2ebf
-    } else if (state->srv) {
9f2ebf
-        be_fo_set_port_status(state->ctx->be, state->sdap_service->name,
9f2ebf
-                              state->srv, PORT_WORKING);
9f2ebf
-    }
9f2ebf
-
9f2ebf
-    /* In case the ID provider is set to proxy, this might be the first
9f2ebf
-     * LDAP operation at all, so we need to set the connection status
9f2ebf
-     */
9f2ebf
-    if (state->sh->connected == false) {
9f2ebf
-        ret = sdap_set_connected(state->sh, state->ev);
9f2ebf
-        if (ret) {
9f2ebf
-            DEBUG(SSSDBG_OP_FAILURE, "Cannot set connected status\n");
9f2ebf
-            tevent_req_error(req, ret);
9f2ebf
-            return;
9f2ebf
-        }
9f2ebf
     }
9f2ebf
 
9f2ebf
     ret = get_user_dn(state, state->ctx->be->domain,
9f2ebf
@@ -870,7 +806,7 @@ static void auth_bind_user_done(struct tevent_req *subreq)
9f2ebf
         break;
9f2ebf
     case ETIMEDOUT:
9f2ebf
     case ERR_NETWORK_IO:
9f2ebf
-        if (auth_get_server(req) == NULL) {
9f2ebf
+        if (auth_connect_send(req) == NULL) {
9f2ebf
             tevent_req_error(req, ENOMEM);
9f2ebf
         }
9f2ebf
         return;
9f2ebf
-- 
9f2ebf
2.13.5
9f2ebf