author | Rob Crittenden <rcritten@redhat.com> | 2011-12-06 17:36:15 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-02-05 19:01:34 -0500 |
commit | e6cdcad8df8712a5f452a74a3f3186146ef1e04b (patch) | |
tree | dedd9081a991e8149a78e734cadda804f159c39c /ipaserver/plugins | |
parent | 01929015e04688be073e129e47d789bb91186bac (diff) | |
Require minimum SSF 56, confidentiality. Also ensure minssf <= maxssf.
This ensures a correct configuration in case a user has created their
own openldap config file and set SASL_SECPROPS to something bad.
Note that this doesn't modify the 389-ds setting which by default is 0.
https://fedorahosted.org/freeipa/ticket/2021
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index dbe6084f..6ed21217 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -450,6 +450,15 @@ class ldap2(CrudBackend, Encoder):
         conn = _ldap.initialize(self.ldap_uri)
         if self.ldap_uri.startswith('ldapi://') and ccache:
             conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
+        minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
+        maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
+        # Always connect with at least an SSF of 56, confidentiality
+        # This also protects us from a broken ldap.conf
+        if minssf < 56:
+            minssf = 56
+            conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf)
+        if maxssf < minssf:
+            conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
         if ccache is not None:
             os.environ['KRB5CCNAME'] = ccache
             conn.sasl_interactive_bind_s('', SASL_AUTH)
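Review bot: The floor of 56 appears as a bare literal twice in the added lines (`if minssf < 56:` and `minssf = 56`), and the comment above them does not say what the number means, so a later reader cannot tell whether it is a tunable or a protocol constant; hoist it into one named module-level constant with an explanatory comment, e.g. `SASL_SSF_MIN = 56  # SSF > 1 requests a confidentiality (encryption) layer; 56 is the conventional "at least DES-strength" floor`, and use it in both places. It is also worth stating in the block comment that this is a client-side floor only, as the commit message already notes that the server-side 389-ds minimum SSF is left unchanged; a reader of the code alone will otherwise assume the check is enforced on both ends. The enclosing method of `ldap2` begins before this hunk and continues past `sasl_interactive_bind_s`, so whether any other bind path (for example one without a ccache) also passes through these option calls cannot be confirmed from the hunk.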