authorRob Crittenden <rcritten@redhat.com>2011-12-06 17:36:15 -0500
committerRob Crittenden <rcritten@redhat.com>2012-02-05 19:01:34 -0500
commite6cdcad8df8712a5f452a74a3f3186146ef1e04b (patch)
treededd9081a991e8149a78e734cadda804f159c39c /ipaserver/plugins/ldap2.py
parent01929015e04688be073e129e47d789bb91186bac (diff)
Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.
This ensures a correct configuration in case a user has created their own openldap config file and set SASL_SECPROPS to something bad. Note that this doesn't modify the 389-ds setting which by default is 0. https://fedorahosted.org/freeipa/ticket/2021
Diffstat (limited to 'ipaserver/plugins/ldap2.py')
-rw-r--r--ipaserver/plugins/ldap2.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index dbe6084f0..6ed21217a 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -450,6 +450,15 @@ class ldap2(CrudBackend, Encoder):
conn = _ldap.initialize(self.ldap_uri)
if self.ldap_uri.startswith('ldapi://') and ccache:
conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
+ minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
+ maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
+ # Always connect with at least an SSF of 56, confidentiality
+ # This also protects us from a broken ldap.conf
+ if minssf < 56:
+ minssf = 56
+ conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf)
+ if maxssf < minssf:
+ conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
if ccache is not None:
os.environ['KRB5CCNAME'] = ccache
conn.sasl_interactive_bind_s('', SASL_AUTH)
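Review bot: The `if maxssf < minssf:` repair appears to be nested under the `if minssf < 56:` branch (leading indentation is not preserved on this page, so this is inferred from the layout and from the commit message listing the minssf <= maxssf guarantee as a separate point), which means an ldap.conf that sets SASL_SECPROPS with a minssf of 56 or more but a smaller maxssf is never corrected and the `sasl_interactive_bind_s` call fails with an SSF mismatch instead of being fixed. Dedenting the check to the same level as `if minssf < 56:` — `if maxssf < minssf:` / `conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)` — makes the guarantee hold regardless of whether the floor was raised. Note also that OPT_X_SASL_SSF_MIN/MAX only constrain the SASL path; if this method performs a simple bind over a non-TLS URI elsewhere (outside the hunk), that path gets no confidentiality from these options and needs its own ldaps/STARTTLS check, and the server-side minimum the description mentions is still 0, so the client floor is the only enforcement point. The enclosing connect method starts before and continues past this hunk.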