summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2011-02-11 13:10:27 -0500
committerStephen Gallagher <sgallagh@redhat.com>2011-02-16 09:38:22 -0500
commitcc2b267e14db7073e7247b52cc9d82dfdf280076 (patch)
treecfe72d47f838ccfee0b7dba2dd15d506ec2ec1f4
parenta1294c95a4f9f37bbe9a8635defa3a45e59213ab (diff)
downloadsssd-cc2b267e14db7073e7247b52cc9d82dfdf280076.tar.gz
sssd-cc2b267e14db7073e7247b52cc9d82dfdf280076.tar.xz
sssd-cc2b267e14db7073e7247b52cc9d82dfdf280076.zip
Do not attempt to use START_TLS on SSL connections
Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795
-rw-r--r--src/providers/ldap/ldap_auth.c26
-rw-r--r--src/providers/ldap/ldap_common.c9
-rw-r--r--src/providers/ldap/ldap_common.h7
-rw-r--r--src/providers/ldap/sdap_async_connection.c12
4 files changed, 43 insertions, 11 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index f4bbabf6b..e45d5b3ed 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -547,15 +547,23 @@ static void auth_resolve_done(struct tevent_req *subreq)
return;
}
- /* Check for undocumented debugging feature to disable TLS
- * for authentication. This should never be used in production
- * for obvious reasons.
- */
- use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
- if (!use_tls) {
- sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
- "insecure connection. This should be done "
- "for debugging purposes only.");
+ /* Determine whether we need to use TLS */
+ if (sdap_is_secure_uri(state->ctx->service->uri)) {
+ DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n",
+ state->ctx->service->uri));
+ use_tls = false;
+ } else {
+
+ /* Check for undocumented debugging feature to disable TLS
+ * for authentication. This should never be used in production
+ * for obvious reasons.
+ */
+ use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
+ if (!use_tls) {
+ sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
+ "insecure connection. This should be done "
+ "for debugging purposes only.");
+ }
}
subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index f2ea16aec..ce6d41d58 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -993,3 +993,12 @@ done:
talloc_free(tmp_ctx);
return ret;
}
+
+bool sdap_is_secure_uri(const char *uri)
+{
+ /* LDAPS URI's are secure channels */
+ if (strncasecmp(uri, LDAP_SSL_URI, strlen(LDAP_SSL_URI)) == 0) {
+ return true;
+ }
+ return false;
+}
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 3cbf3f600..9146da5a9 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -34,6 +34,10 @@
#define SSS_LDAP_SRV_NAME "ldap"
+#define LDAP_STANDARD_URI "ldap://"
+#define LDAP_SSL_URI "ldaps://"
+#define LDAP_LDAPI_URI "ldapi://"
+
/* a fd the child process would log into */
extern int ldap_child_debug_fd;
@@ -155,4 +159,7 @@ errno_t list_missing_attrs(TALLOC_CTX *mem_ctx,
const char **expected_attrs,
struct sysdb_attrs *recvd_attrs,
char ***missing_attrs);
+
+bool sdap_is_secure_uri(const char *uri);
+
#endif /* _LDAP_COMMON_H_ */
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index ff8fb0d81..d2eadfa6a 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -24,6 +24,7 @@
#include "util/util.h"
#include "util/sss_krb5.h"
#include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/ldap_common.h"
#define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
@@ -1123,6 +1124,8 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq)
struct sdap_cli_connect_state *state = tevent_req_data(req,
struct sdap_cli_connect_state);
int ret;
+ bool use_tls = dp_opt_get_bool(state->opts->basic,
+ SDAP_ID_TLS);
ret = be_resolve_server_recv(subreq, &state->srv);
talloc_zfree(subreq);
@@ -1134,10 +1137,15 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq)
return;
}
+ if (use_tls && sdap_is_secure_uri(state->service->uri)) {
+ DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n",
+ state->service->uri));
+ use_tls = false;
+ }
+
subreq = sdap_connect_send(state, state->ev, state->opts,
state->service->uri,
- dp_opt_get_bool(state->opts->basic,
- SDAP_ID_TLS));
+ use_tls);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;