diff options
Diffstat (limited to 'server')
-rw-r--r-- | server/man/sssd-ldap.5.xml | 43 | ||||
-rw-r--r-- | server/providers/ldap/ldap_auth.c | 37 | ||||
-rw-r--r-- | server/providers/ldap/ldap_id.c | 38 | ||||
-rw-r--r-- | server/providers/ldap/sdap.c | 60 | ||||
-rw-r--r-- | server/providers/ldap/sdap.h | 4 |
5 files changed, 115 insertions, 67 deletions
diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml index 4c7e07b6e..b5efb11d0 100644 --- a/server/man/sssd-ldap.5.xml +++ b/server/man/sssd-ldap.5.xml @@ -35,6 +35,13 @@ <para> There can be more than one LDAP domain configured with SSSD. </para> + <para> + If you want to authenticate against an LDAP server TLS/SSL is + required. <command>sssd</command> <emphasis>does not</emphasis> + support authentication over an unencrypted channel. If the LDAP + server is used only as an identify provider, an encrypted channel + is not needed. + </para> </refsect1> <refsect1 id='file-format'> @@ -439,6 +446,42 @@ <emphasis>hard</emphasis> = Same as <quote>demand</quote> </para> + <para> + Default: hard + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_tls_cacert (string)</term> + <listitem> + <para> + Specifies the file that contains certificates for + all of the Certificate Authorities + <command>sssd</command> will recognize. + </para> + <para> + Default: use OpenLDAP defaults, typically in + /etc/openldap/ldap.conf + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_tls_cacertdir (string)</term> + <listitem> + <para> + Specifies the path of a directory that contains + Certificate Authority certificates in separate + individual files. Typically the file names need to + be the hash of the certificate followed by '.0'. + If available <command>cacertdir_rehash</command> + can be used to create the correct names. + </para> + <para> + Default: use OpenLDAP defaults, typically in + /etc/openldap/ldap.conf + </para> </listitem> </varlistentry> diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c index a64a27f7d..430ac216b 100644 --- a/server/providers/ldap/ldap_auth.c +++ b/server/providers/ldap/ldap_auth.c @@ -629,9 +629,7 @@ int sssm_ldap_auth_init(struct be_ctx *bectx, struct bet_ops **ops, void **pvt_data) { - int ldap_opt_x_tls_require_cert; struct sdap_auth_ctx *ctx; - char *tls_reqcert; int ret; ctx = talloc(bectx, struct sdap_auth_ctx); @@ -643,37 +641,10 @@ int sssm_ldap_auth_init(struct be_ctx *bectx, &ctx->opts); if (ret != EOK) goto done; - tls_reqcert = sdap_go_get_string(ctx->opts->basic, SDAP_TLS_REQCERT); - if (tls_reqcert) { - if (strcasecmp(tls_reqcert, "never") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER; - } - else if (strcasecmp(tls_reqcert, "allow") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW; - } - else if (strcasecmp(tls_reqcert, "try") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY; - } - else if (strcasecmp(tls_reqcert, "demand") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; - } - else if (strcasecmp(tls_reqcert, "hard") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD; - } - else { - DEBUG(1, ("Unknown value for tls_reqcert.\n")); - ret = EINVAL; - goto done; - } - /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option, - * because the SSL/TLS context is initialized from this value. */ - ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, - &ldap_opt_x_tls_require_cert); - if (ret != LDAP_OPT_SUCCESS) { - DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret))); - ret = EIO; - goto done; - } + ret = setup_tls_config(ctx->opts->basic); + if (ret != EOK) { + DEBUG(1, ("setup_tls_config failed [%d][%s].\n", ret, strerror(ret))); + goto done; } *ops = &sdap_auth_ops; diff --git a/server/providers/ldap/ldap_id.c b/server/providers/ldap/ldap_id.c index 4a06298f8..12fb476b0 100644 --- a/server/providers/ldap/ldap_id.c +++ b/server/providers/ldap/ldap_id.c @@ -1301,10 +1301,8 @@ int sssm_ldap_init(struct be_ctx *bectx, struct bet_ops **ops, void **pvt_data) { - int ldap_opt_x_tls_require_cert; struct tevent_timer *enum_task; struct sdap_id_ctx *ctx; - char *tls_reqcert; int ret; ctx = talloc_zero(bectx, struct sdap_id_ctx); @@ -1313,38 +1311,12 @@ int sssm_ldap_init(struct be_ctx *bectx, ctx->be = bectx; ret = sdap_get_options(ctx, bectx->cdb, bectx->conf_path, &ctx->opts); + if (ret != EOK) goto done; - tls_reqcert = sdap_go_get_string(ctx->opts->basic, SDAP_TLS_REQCERT); - if (tls_reqcert) { - if (strcasecmp(tls_reqcert, "never") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER; - } - else if (strcasecmp(tls_reqcert, "allow") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW; - } - else if (strcasecmp(tls_reqcert, "try") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY; - } - else if (strcasecmp(tls_reqcert, "demand") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; - } - else if (strcasecmp(tls_reqcert, "hard") == 0) { - ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD; - } - else { - DEBUG(1, ("Unknown value for tls_reqcert.\n")); - ret = EINVAL; - goto done; - } - /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option, - * because the SSL/TLS context is initialized from this value. */ - ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, - &ldap_opt_x_tls_require_cert); - if (ret != LDAP_OPT_SUCCESS) { - DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret))); - ret = EIO; - goto done; - } + ret = setup_tls_config(ctx->opts->basic); + if (ret != EOK) { + DEBUG(1, ("setup_tls_config failed [%d][%s].\n", ret, strerror(ret))); + goto done; } /* set up enumeration task */ diff --git a/server/providers/ldap/sdap.c b/server/providers/ldap/sdap.c index eded6eed1..07e48c18c 100644 --- a/server/providers/ldap/sdap.c +++ b/server/providers/ldap/sdap.c @@ -49,7 +49,9 @@ struct sdap_gen_opts default_basic_opts[] = { { "ldap_offline_timeout", SDAP_NUMBER, { .number = 60 }, NULL_NUMBER }, { "ldap_force_upper_case_realm", SDAP_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_enumeration_refresh_timeout", SDAP_NUMBER, { .number = 300 }, NULL_NUMBER }, - { "ldap_stale_time", SDAP_NUMBER, { .number = 1800 }, NULL_NUMBER } + { "ldap_stale_time", SDAP_NUMBER, { .number = 1800 }, NULL_NUMBER }, + { "ldap_tls_cacert", SDAP_STRING, NULL_STRING, NULL_STRING }, + { "ldap_tls_cacertdir", SDAP_STRING, NULL_STRING, NULL_STRING } }; struct sdap_id_map rfc2307_user_map[] = { @@ -543,3 +545,59 @@ int sdap_get_msg_dn(TALLOC_CTX *memctx, struct sdap_handle *sh, return EOK; } +errno_t setup_tls_config(struct sdap_gen_opts *basic_opts) +{ + int ret; + int ldap_opt_x_tls_require_cert; + const char *tls_opt; + tls_opt = sdap_go_get_string(basic_opts, SDAP_TLS_REQCERT); + if (tls_opt) { + if (strcasecmp(tls_opt, "never") == 0) { + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER; + } + else if (strcasecmp(tls_opt, "allow") == 0) { + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW; + } + else if (strcasecmp(tls_opt, "try") == 0) { + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY; + } + else if (strcasecmp(tls_opt, "demand") == 0) { + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; + } + else if (strcasecmp(tls_opt, "hard") == 0) { + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD; + } + else { + DEBUG(1, ("Unknown value for tls_reqcert.\n")); + return EINVAL; + } + /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option, + * because the SSL/TLS context is initialized from this value. */ + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, + &ldap_opt_x_tls_require_cert); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret))); + return EIO; + } + } + + tls_opt = sdap_go_get_string(basic_opts, SDAP_TLS_CACERT); + if (tls_opt) { + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret))); + return EIO; + } + } + + tls_opt = sdap_go_get_string(basic_opts, SDAP_TLS_CACERTDIR); + if (tls_opt) { + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret))); + return EIO; + } + } + + return EOK; +} diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h index 7168a5a00..8a932d3d4 100644 --- a/server/providers/ldap/sdap.h +++ b/server/providers/ldap/sdap.h @@ -88,6 +88,8 @@ enum sdap_basic_opt { SDAP_FORCE_UPPER_CASE_REALM, SDAP_ENUM_REFRESH_TIMEOUT, SDAP_STALE_TIME, + SDAP_TLS_CACERT, + SDAP_TLS_CACERTDIR, SDAP_OPTS_BASIC /* opts counter */ }; @@ -207,3 +209,5 @@ int sdap_parse_group(TALLOC_CTX *memctx, struct sdap_options *opts, int sdap_get_msg_dn(TALLOC_CTX *memctx, struct sdap_handle *sh, struct sdap_msg *sm, char **_dn); + +errno_t setup_tls_config(struct sdap_gen_opts *basic_opts); |