From 9b875b87fda7dab1c92022b5c2e3b11cd5fffa4f Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 27 Sep 2019 13:45:13 +0200

Subject: [PATCH 109/109] ad: set min and max ssf for ldaps

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

AD does not allow to use encryption in the TLS and SASL layer at the

same time. To be able to use ldaps this patch sets min and max ssf to 0

if ldaps should be used.

Related to https://pagure.io/SSSD/sssd/issue/4131

(cherry picked from commit 50a92f65c4823d272240ef416f2b05874b2b7918)

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

 src/providers/ad/ad_common.c     | 21 +++++++++++++++++++++

 src/providers/ad/ad_common.h     |  2 ++

 src/providers/ad/ad_subdomains.c |  4 ++++

 3 files changed, 27 insertions(+)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c

index de8a0c8bb..4e46da7f2 100644

--- a/src/providers/ad/ad_common.c

+++ b/src/providers/ad/ad_common.c

@@ -1008,6 +1008,23 @@ done:

     return;

 }

+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)

+{

+    int ret;

+

+    DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");

+    ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Failed to set SASL minssf for ldaps usage, ignored.\n");

+    }

+    ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Failed to set SASL maxssf for ldaps usage, ignored.\n");

+    }

+}

+

 static errno_t

 ad_set_sdap_options(struct ad_options *ad_opts,

                     struct sdap_options *id_opts)

@@ -1066,6 +1083,10 @@ ad_set_sdap_options(struct ad_options *ad_opts,

         goto done;

     }

+    if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {

+        ad_set_ssf_for_ldaps(id_opts);

+    }

+

     /* Warn if the user is doing something silly like overriding the schema

      * with the AD provider

      */

diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h

index 54245b9f8..753394832 100644

--- a/src/providers/ad/ad_common.h

+++ b/src/providers/ad/ad_common.h

@@ -177,6 +177,8 @@ errno_t

 ad_get_dyndns_options(struct be_ctx *be_ctx,

                       struct ad_options *ad_opts);

+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);

+

 struct ad_id_ctx *

 ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx);

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c

index bc10da5bc..f94936102 100644

--- a/src/providers/ad/ad_subdomains.c

+++ b/src/providers/ad/ad_subdomains.c

@@ -328,6 +328,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,

         return ret;

     }

+    if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {

+        ad_set_ssf_for_ldaps(ad_options->id);

+    }

+

     ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,

                                     ad_options->id->basic,

                                     be_ctx->cdb, subdom_conf_path,

-- 

2.20.1