From 6ec9dde85ced5e53256b417b7f2040e5464d2a62 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 11 Feb 2011 13:10:27 -0500
Subject: Do not attempt to use START_TLS on SSL connections

Not all LDAP servers are capable of handling dual-encryption with
both TLS and SSL.

https://fedorahosted.org/sssd/ticket/795
---
 src/providers/ldap/ldap_auth.c             | 26 +++++++++++++++++---------
 src/providers/ldap/ldap_common.c           |  9 +++++++++
 src/providers/ldap/ldap_common.h           |  7 +++++++
 src/providers/ldap/sdap_async_connection.c | 12 ++++++++++--
 4 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index f4bbabf6b..e45d5b3ed 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -547,15 +547,23 @@ static void auth_resolve_done(struct tevent_req *subreq)
         return;
     }
 
-    /* Check for undocumented debugging feature to disable TLS
-     * for authentication. This should never be used in production
-     * for obvious reasons.
-     */
-    use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
-    if (!use_tls) {
-        sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
-                               "insecure connection. This should be done "
-                               "for debugging purposes only.");
+    /* Determine whether we need to use TLS */
+    if (sdap_is_secure_uri(state->ctx->service->uri)) {
+        DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n",
+                  state->ctx->service->uri));
+        use_tls = false;
+    } else {
+
+        /* Check for undocumented debugging feature to disable TLS
+         * for authentication. This should never be used in production
+         * for obvious reasons.
+         */
+        use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
+        if (!use_tls) {
+            sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
+                                   "insecure connection. This should be done "
+                                   "for debugging purposes only.");
+        }
     }
 
     subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index f2ea16aec..ce6d41d58 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -993,3 +993,12 @@ done:
     talloc_free(tmp_ctx);
     return ret;
 }
+
+bool sdap_is_secure_uri(const char *uri)
+{
+    /* LDAPS URI's are secure channels */
+    if (strncasecmp(uri, LDAP_SSL_URI, strlen(LDAP_SSL_URI)) == 0) {
+        return true;
+    }
+    return false;
+}
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 3cbf3f600..9146da5a9 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -34,6 +34,10 @@
 
 #define SSS_LDAP_SRV_NAME "ldap"
 
+#define LDAP_STANDARD_URI "ldap://"
+#define LDAP_SSL_URI "ldaps://"
+#define LDAP_LDAPI_URI "ldapi://"
+
 /* a fd the child process would log into */
 extern int ldap_child_debug_fd;
 
@@ -155,4 +159,7 @@ errno_t list_missing_attrs(TALLOC_CTX *mem_ctx,
                            const char **expected_attrs,
                            struct sysdb_attrs *recvd_attrs,
                            char ***missing_attrs);
+
+bool sdap_is_secure_uri(const char *uri);
+
 #endif /* _LDAP_COMMON_H_ */
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index ff8fb0d81..d2eadfa6a 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -24,6 +24,7 @@
 #include "util/util.h"
 #include "util/sss_krb5.h"
 #include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/ldap_common.h"
 
 #define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
 
@@ -1123,6 +1124,8 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq)
     struct sdap_cli_connect_state *state = tevent_req_data(req,
                                              struct sdap_cli_connect_state);
     int ret;
+    bool use_tls = dp_opt_get_bool(state->opts->basic,
+                                   SDAP_ID_TLS);
 
     ret = be_resolve_server_recv(subreq, &state->srv);
     talloc_zfree(subreq);
@@ -1134,10 +1137,15 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq)
         return;
     }
 
+    if (use_tls && sdap_is_secure_uri(state->service->uri)) {
+        DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n",
+                  state->service->uri));
+        use_tls = false;
+    }
+
     subreq = sdap_connect_send(state, state->ev, state->opts,
                                state->service->uri,
-                               dp_opt_get_bool(state->opts->basic,
-                                               SDAP_ID_TLS));
+                               use_tls);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
         return;
-- 
cgit