From d702d594e380a1d0f0e937524bdd8a3eabc9bdf1 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 27 Sep 2019 13:45:13 +0200

Subject: [PATCH 13/13] ad: set min and max ssf for ldaps

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

AD does not allow to use encryption in the TLS and SASL layer at the

same time. To be able to use ldaps this patch sets min and max ssf to 0

if ldaps should be used.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

 src/providers/ad/ad_common.c     | 21 +++++++++++++++++++++

 src/providers/ad/ad_common.h     |  2 ++

 src/providers/ad/ad_subdomains.c |  4 ++++

 3 files changed, 27 insertions(+)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c

index a2369166a..51300f5b2 100644

--- a/src/providers/ad/ad_common.c

+++ b/src/providers/ad/ad_common.c

@@ -1021,6 +1021,23 @@ done:

     return;

 }

+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)

+{

+    int ret;

+

+    DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");

+    ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Failed to set SASL minssf for ldaps usage, ignored.\n");

+    }

+    ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Failed to set SASL maxssf for ldaps usage, ignored.\n");

+    }

+}

+

 static errno_t

 ad_set_sdap_options(struct ad_options *ad_opts,

                     struct sdap_options *id_opts)

@@ -1079,6 +1096,10 @@ ad_set_sdap_options(struct ad_options *ad_opts,

         goto done;

     }

+    if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {

+        ad_set_ssf_for_ldaps(id_opts);

+    }

+

     /* Warn if the user is doing something silly like overriding the schema

      * with the AD provider

      */

diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h

index 820e06124..d23aee616 100644

--- a/src/providers/ad/ad_common.h

+++ b/src/providers/ad/ad_common.h

@@ -181,6 +181,8 @@ errno_t

 ad_get_dyndns_options(struct be_ctx *be_ctx,

                       struct ad_options *ad_opts);

+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);

+

 struct ad_id_ctx *

 ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx);

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c

index d8c201437..a9c6b9f28 100644

--- a/src/providers/ad/ad_subdomains.c

+++ b/src/providers/ad/ad_subdomains.c

@@ -328,6 +328,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,

         return ret;

     }

+    if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {

+        ad_set_ssf_for_ldaps(ad_options->id);

+    }

+

     ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,

                                     ad_options->id->basic,

                                     be_ctx->cdb, subdom_conf_path,

-- 

2.20.1