summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/config/SSSDConfig.py3
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf3
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf3
-rw-r--r--src/man/sssd-ldap.5.xml41
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ldap/ldap_common.c3
-rw-r--r--src/providers/ldap/sdap.c27
-rw-r--r--src/providers/ldap/sdap.h3
9 files changed, 87 insertions, 1 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 98a5ddad2..9c61f06f5 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -127,6 +127,9 @@ option_strings = {
'ldap_force_upper_case_realm' : _('Use only the upper case for realm names'),
'ldap_tls_cacert' : _('File that contains CA certificates'),
'ldap_tls_cacertdir' : _('Path to CA certificate directory'),
+ 'ldap_tls_cert' : _('File that contains the client certificate'),
+ 'ldap_tls_key' :_('File that contains the client key'),
+ 'ldap_tls_cipher_suite' :_('List of possible ciphers suites'),
'ldap_tls_reqcert' : _('Require TLS certificate verification'),
'ldap_sasl_mech' : _('Specify the sasl mechanism to use'),
'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 1b4427ab8..31b7dc9be 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -16,6 +16,9 @@ ldap_opt_timeout = int, None, false
ldap_offline_timeout = int, None, false
ldap_tls_cacert = str, None, false
ldap_tls_cacertdir = str, None, false
+ldap_tls_cert = str, None, false
+ldap_tls_key = str, None, false
+ldap_tls_cipher_suite = str, None, false
ldap_tls_reqcert = str, None, false
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 440ebff87..0e1b2ca55 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -10,6 +10,9 @@ ldap_opt_timeout = int, None, false
ldap_offline_timeout = int, None, false
ldap_tls_cacert = str, None, false
ldap_tls_cacertdir = str, None, false
+ldap_tls_cert = str, None, false
+ldap_tls_key = str, None, false
+ldap_tls_cipher_suite = str, None, false
ldap_tls_reqcert = str, None, false
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index b133b3bcc..58665eb4e 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -910,6 +910,47 @@
</varlistentry>
<varlistentry>
+ <term>ldap_tls_cert (string)</term>
+ <listitem>
+ <para>
+ Specifies the file that contains the certificate
+ for the client's key.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_tls_key (string)</term>
+ <listitem>
+ <para>
+ Specifies the file that contains the client's key.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_tls_cipher_suite (string)</term>
+ <listitem>
+ <para>
+ Specifies acceptable cipher suites. Typically this
+ is a colon sperated list. See
+ <citerefentry><refentrytitle>ldap.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for format.
+ </para>
+ <para>
+ Default: use OpenLDAP defaults, typically in
+ <filename>/etc/openldap/ldap.conf</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_id_use_start_tls (boolean)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 407b9ef53..b3467c606 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -62,6 +62,9 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "entry_cache_timeout", DP_OPT_NUMBER, { .number = 1800 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_mech", DP_OPT_STRING, { "GSSAPI" } , NULL_STRING },
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 294e84fa5..39fe31dc5 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 44
+#define IPA_OPTS_BASIC_TEST 47
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 48c35638b..e669ba6c7 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -57,6 +57,9 @@ struct dp_option default_basic_opts[] = {
{ "entry_cache_timeout", DP_OPT_NUMBER, { .number = 5400 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 573de1787..ea2eabe78 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -350,6 +350,33 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
}
}
+ tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CERT);
+ if (tls_opt) {
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, tls_opt);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ return EIO;
+ }
+ }
+
+ tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_KEY);
+ if (tls_opt) {
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, tls_opt);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ return EIO;
+ }
+ }
+
+ tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CIPHER_SUITE);
+ if (tls_opt) {
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, tls_opt);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ return EIO;
+ }
+ }
+
return EOK;
}
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 932abca4d..e053210af 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -176,6 +176,9 @@ enum sdap_basic_opt {
SDAP_ENTRY_CACHE_TIMEOUT,
SDAP_TLS_CACERT,
SDAP_TLS_CACERTDIR,
+ SDAP_TLS_CERT,
+ SDAP_TLS_KEY,
+ SDAP_TLS_CIPHER_SUITE,
SDAP_ID_TLS,
SDAP_SASL_MECH,
SDAP_SASL_AUTHID,