summaryrefslogtreecommitdiffstats
path: root/src/providers
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2011-01-25 10:47:25 -0500
committerStephen Gallagher <sgallagh@redhat.com>2011-01-27 12:24:16 -0500
commita1af9beb915e96da634b7d17762bf42146104d45 (patch)
treecfef68f15b3b7c69a82538c63671c90f08e079c6 /src/providers
parentaa89df2040593f9120196ec440d2dc6d9f860d55 (diff)
downloadsssd-a1af9beb915e96da634b7d17762bf42146104d45.tar.gz
sssd-a1af9beb915e96da634b7d17762bf42146104d45.tar.xz
sssd-a1af9beb915e96da634b7d17762bf42146104d45.zip
Add option to disable TLS for LDAP authsssd-1_5_1
Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ipa/ipa_common.c6
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ldap/ldap_auth.c14
-rw-r--r--src/providers/ldap/ldap_common.c6
-rw-r--r--src/providers/ldap/sdap.h1
5 files changed, 25 insertions, 4 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index b3467c606..401c19305 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -86,7 +86,11 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_access_order", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }
+ { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ /* Do not include ldap_auth_disable_tls_never_use_in_production in the
+ * manpages or SSSDConfig API
+ */
+ { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
struct sdap_attr_map ipa_attr_map[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 39fe31dc5..ed67a2c7b 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 47
+#define IPA_OPTS_BASIC_TEST 48
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 853231b36..f4bbabf6b 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -536,6 +536,7 @@ static void auth_resolve_done(struct tevent_req *subreq)
struct auth_state *state = tevent_req_data(req,
struct auth_state);
int ret;
+ bool use_tls;
ret = be_resolve_server_recv(subreq, &state->srv);
talloc_zfree(subreq);
@@ -546,8 +547,19 @@ static void auth_resolve_done(struct tevent_req *subreq)
return;
}
+ /* Check for undocumented debugging feature to disable TLS
+ * for authentication. This should never be used in production
+ * for obvious reasons.
+ */
+ use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
+ if (!use_tls) {
+ sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
+ "insecure connection. This should be done "
+ "for debugging purposes only.");
+ }
+
subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
- state->sdap_service->uri, true);
+ state->sdap_service->uri, use_tls);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index f56d01f00..f2ea16aec 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -81,7 +81,11 @@ struct dp_option default_basic_opts[] = {
{ "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING },
{ "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }
+ { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ /* Do not include ldap_auth_disable_tls_never_use_in_production in the
+ * manpages or SSSDConfig API
+ */
+ { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
struct sdap_attr_map generic_attr_map[] = {
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index e053210af..31e72cd5b 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -200,6 +200,7 @@ enum sdap_basic_opt {
SDAP_CHPASS_URI,
SDAP_CHPASS_DNS_SERVICE_NAME,
SDAP_ENUM_SEARCH_TIMEOUT,
+ SDAP_DISABLE_AUTH_TLS,
SDAP_OPTS_BASIC /* opts counter */
};