From f5d031ba41b1c297f95df61f013f1c7ef8bca275 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Sun, 12 May 2019 16:38:43 +0200
Subject: [PATCH 30/31] SDAP: allow GSS-SPNEGO for LDAP SASL bind as well
From the LDAP client perspective GSS-SPNEGO and GSSAPI are quite
similar. To support GSS-SPNEGO SSSD must make sure that a Kerberos
ticket is available before the LDAP SASL bind is started.
Related to https://pagure.io/SSSD/sssd/issue/4006
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3b89934e831fa4e575e398fee6e4c3d4d24854eb)
---
src/man/sssd-ldap.5.xml | 29 ++++++++++++----------
src/providers/ad/ad_common.c | 6 ++---
src/providers/ad/ad_init.c | 2 +-
src/providers/ldap/ldap_auth.c | 10 ++++----
src/providers/ldap/ldap_common.h | 2 +-
src/providers/ldap/ldap_init.c | 2 +-
src/providers/ldap/sdap.c | 9 +++++++
src/providers/ldap/sdap.h | 2 ++
src/providers/ldap/sdap_async_connection.c | 8 +++---
9 files changed, 42 insertions(+), 28 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 25acc19e6..17c5523c0 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1805,8 +1805,8 @@
<term>ldap_sasl_mech (string)</term>
<listitem>
<para>
- Specify the SASL mechanism to use.
- Currently only GSSAPI is tested and supported.
+ Specify the SASL mechanism to use. Currently only
+ GSSAPI and GSS-SPNEGO are tested and supported.
</para>
<para>
Default: not set
@@ -1818,13 +1818,14 @@
<term>ldap_sasl_authid (string)</term>
<listitem>
<para>
- Specify the SASL authorization id to use.
- When GSSAPI is used, this represents the Kerberos
- principal used for authentication to the directory.
- This option can either contain the full principal (for
- example host/myhost@EXAMPLE.COM) or just the principal name
- (for example host/myhost). By default, the value is not set
- and the following principals are used:
+ Specify the SASL authorization id to use. When
+ GSSAPI/GSS-SPNEGO are used, this represents the
+ Kerberos principal used for authentication to the
+ directory. This option can either contain the full
+ principal (for example host/myhost@EXAMPLE.COM) or
+ just the principal name (for example host/myhost).
+ By default, the value is not set and the following
+ principals are used:
<programlisting>
hostname@REALM
netbiosname$@REALM
@@ -1875,7 +1876,8 @@ host/*
<term>ldap_krb5_keytab (string)</term>
<listitem>
<para>
- Specify the keytab to use when using SASL/GSSAPI.
+ Specify the keytab to use when using
+ SASL/GSSAPI/GSS-SPNEGO.
</para>
<para>
Default: System keytab, normally <filename>/etc/krb5.keytab</filename>
@@ -1890,7 +1892,7 @@ host/*
Specifies that the id_provider should init
Kerberos credentials (TGT).
This action is performed only if SASL is used and
- the mechanism selected is GSSAPI.
+ the mechanism selected is GSSAPI or GSS-SPNEGO.
</para>
<para>
Default: true
@@ -1903,7 +1905,7 @@ host/*
<listitem>
<para>
Specifies the lifetime in seconds of the TGT if
- GSSAPI is used.
+ GSSAPI or GSS-SPNEGO is used.
</para>
<para>
Default: 86400 (24 hours)
@@ -1944,7 +1946,8 @@ host/*
<term>krb5_realm (string)</term>
<listitem>
<para>
- Specify the Kerberos REALM (for SASL/GSSAPI auth).
+ Specify the Kerberos REALM (for
+ SASL/GSSAPI/GSS-SPNEGO auth).
</para>
<para>
Default: System defaults, see <filename>/etc/krb5.conf</filename>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 4d1800806..19d4b3d5a 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -577,7 +577,7 @@ _ad_servers_init(struct ad_service *service,
if (resolv_is_address(list[j])) {
DEBUG(SSSDBG_IMPORTANT_INFO,
"ad_server [%s] is detected as IP address, "
- "this can cause GSSAPI problems\n", list[j]);
+ "this can cause GSSAPI/GSS-SPNEGO problems\n", list[j]);
}
}
@@ -1012,7 +1012,7 @@ ad_set_sdap_options(struct ad_options *ad_opts,
goto done;
}
- /* Set the Kerberos Realm for GSSAPI */
+ /* Set the Kerberos Realm for GSSAPI or GSS-SPNEGO */
krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
if (!krb5_realm) {
/* Should be impossible, this is set in ad_get_common_options() */
@@ -1269,7 +1269,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
ad_servers);
/* Set krb5 realm */
- /* Set the Kerberos Realm for GSSAPI */
+ /* Set the Kerberos Realm for GSSAPI/GSS-SPNEGO */
krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
if (!krb5_realm) {
/* Should be impossible, this is set in ad_get_common_options() */
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 612d4587e..302bcae7d 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -56,7 +56,7 @@ static int ad_sasl_getopt(void *context, const char *plugin_name,
if (!plugin_name || !result) {
return SASL_FAIL;
}
- if (strcmp(plugin_name, "GSSAPI") != 0) {
+ if (!sdap_sasl_mech_needs_kinit(plugin_name)) {
return SASL_FAIL;
}
if (strcmp(option, "ad_compat") != 0) {
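Review bot: Swapping `strcmp(plugin_name, "GSSAPI") != 0` for `!sdap_sasl_mech_needs_kinit(plugin_name)` also changes this check from case-sensitive to case-insensitive, which neither the hunk nor the commit message mentions; SASL mechanism names are conventionally upper-case so this is presumably harmless, but it is a behaviour change worth a sentence. The callback now also offers the `ad_compat` option to the GSS-SPNEGO plugin; if that plugin does not consume it the extra offer is inert, but a comment such as `/* ad_compat is offered to every mechanism that needs a Kerberos ticket; confirm the GSS-SPNEGO plugin accepts it */` would record that this was intended. ad_sasl_getopt begins before the hunk.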
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index de22689ae..86724e388 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -715,9 +715,9 @@ static struct tevent_req *auth_connect_send(struct tevent_req *req)
* we don't need to authenticate the connection, because we're not
* looking up any information using the connection. This might be
* needed e.g. in case both ID and AUTH providers are set to LDAP
- * and the server is AD, because otherwise the connection would
- * both do a startTLS and later bind using GSSAPI which doesn't work
- * well with AD.
+ * and the server is AD, because otherwise the connection would both
+ * do a startTLS and later bind using GSSAPI or GSS-SPNEGO which
+ * doesn't work well with AD.
*/
skip_conn_auth = true;
}
@@ -725,8 +725,8 @@ static struct tevent_req *auth_connect_send(struct tevent_req *req)
if (skip_conn_auth == false) {
sasl_mech = dp_opt_get_string(state->ctx->opts->basic,
SDAP_SASL_MECH);
- if (sasl_mech && strcasecmp(sasl_mech, "GSSAPI") == 0) {
- /* Don't force TLS on if we're told to use GSSAPI */
+ if (sasl_mech && sdap_sasl_mech_needs_kinit(sasl_mech)) {
+ /* Don't force TLS on if we're told to use GSSAPI or GSS-SPNEGO */
use_tls = false;
}
}
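Review bot: `use_tls = false` is now taken for GSS-SPNEGO as well as GSSAPI, so for both mechanisms the auth connection is no longer forced onto TLS and relies on whatever protection the SASL mechanism itself negotiates; the predicate deciding that, `sdap_sasl_mech_needs_kinit`, is named for a different property (needing a Kerberos ticket), so any mechanism added to it later would silently also lose TLS enforcement on this path. The comment should make that coupling explicit, e.g. `/* Mechanisms that need a TGT (GSSAPI, GSS-SPNEGO) are bound without forcing TLS on; see the AD note above. Revisit if sdap_sasl_mech_needs_kinit() grows. */`. The comment in the previous hunk gives the AD interaction as the reason, so pointing at it keeps the rationale in one place. auth_connect_send begins before the hunk and continues after it.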
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 6647241b4..04548a388 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -65,7 +65,7 @@ struct sdap_id_ctx {
struct be_ctx *be;
struct sdap_options *opts;
- /* If using GSSAPI */
+ /* If using GSSAPI or GSS-SPNEGO */
struct krb5_service *krb5_service;
/* connection to a server */
struct sdap_id_conn_ctx *conn;
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 44b3e9ab3..352f0b656 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -365,7 +365,7 @@ static bool should_call_gssapi_init(struct sdap_options *opts)
return false;
}
- if (strcasecmp(sasl_mech, "GSSAPI") != 0) {
+ if (!sdap_sasl_mech_needs_kinit(sasl_mech)) {
return false;
}
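Review bot: `should_call_gssapi_init` now also returns true for GSS-SPNEGO, so its name no longer describes what it decides; renaming it is outside this patch, but a comment on the new check would stop the mismatch from misleading a reader, e.g. `/* "gssapi" in this function's name covers every mechanism for which sdap_sasl_mech_needs_kinit() holds, i.e. GSSAPI and GSS-SPNEGO */`. The hunk shows only the middle of the function; its start and whatever follows the check are outside the hunk.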
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 5c9d0a45d..5591a6718 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -904,6 +904,15 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
return EOK;
}
+bool sdap_sasl_mech_needs_kinit(const char *sasl_mech)
+{
+ if (strcasecmp(sasl_mech, "GSSAPI") == 0
+ || strcasecmp(sasl_mech, "GSS-SPNEGO") == 0) {
+ return true;
+ }
+ return false;
+}
bool sdap_check_sup_list(struct sup_list *l, const char *val)
{
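Review bot: The new `sdap_sasl_mech_needs_kinit` passes `sasl_mech` straight to strcasecmp with no NULL check, and neither the definition nor the prototype added in sdap.h states that precondition; every caller in this patch happens to test `sasl_mech &&` or `!plugin_name` first, so the helper is safe only by convention. Either document it in sdap.h with `/* True for SASL mechanisms that require a Kerberos ticket (GSSAPI, GSS-SPNEGO); mech must not be NULL. */` or make the function total by starting it with `if (sasl_mech == NULL) { return false; }`. The prototype names the parameter `mech` while the definition uses `sasl_mech`; align the two. A short comment saying that the mechanism list here is what ldap_auth.c also uses to decide not to force TLS would help whoever extends it next.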
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 48061d389..dddcf5faf 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -619,6 +619,8 @@ bool sdap_check_sup_list(struct sup_list *l, const char *val);
#define sdap_is_extension_supported(sh, ext_oid) \
sdap_check_sup_list(&((sh)->supported_extensions), ext_oid)
+bool sdap_sasl_mech_needs_kinit(const char *mech);
int build_attrs_from_map(TALLOC_CTX *memctx,
struct sdap_attr_map *map,
size_t size,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 8aacd6705..6bc271a91 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1605,14 +1605,14 @@ static void sdap_cli_connect_done(struct tevent_req *subreq)
sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
if (state->do_auth && sasl_mech && state->use_rootdse) {
- /* check if server claims to support GSSAPI */
+ /* check if server claims to support the configured SASL MECH */
if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
tevent_req_error(req, ENOTSUP);
return;
}
}
- if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (state->do_auth && sasl_mech && sdap_sasl_mech_needs_kinit(sasl_mech)) {
if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
sdap_cli_kinit_step(req);
return;
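Review bot: The reworded comment above the support check says `SASL MECH` where the surrounding comments spell words out; `/* check if the server claims to support the configured SASL mechanism */` reads more naturally. The same two-step block, the support check followed by the kinit gate changed here, appears verbatim in `sdap_cli_rootdse_done` in the next hunk, and this patch had to edit both copies identically, which is the drift risk duplication creates; at minimum add `/* keep in sync with sdap_cli_rootdse_done() */` here and the mirror comment there so the next change finds both. Both sdap_cli_connect_done and sdap_cli_rootdse_done begin before their hunks and continue after them.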
@@ -1690,14 +1690,14 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq)
sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
if (state->do_auth && sasl_mech && state->rootdse) {
- /* check if server claims to support GSSAPI */
+ /* check if server claims to support the configured SASL MECH */
if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
tevent_req_error(req, ENOTSUP);
return;
}
}
- if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (state->do_auth && sasl_mech && sdap_sasl_mech_needs_kinit(sasl_mech)) {
if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
sdap_cli_kinit_step(req);
return;
--
2.20.1