Do not attempt to use START_TLS on SSL connections

Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795
author: Stephen Gallagher <sgallagh@redhat.com> 2011-02-16 07:38:16 -0500
committer: Stephen Gallagher <sgallagh@redhat.com> 2011-02-16 09:38:45 -0500
commit: 16ccfd09e6120ab5e104fa2a6762511d398b4e93 (patch)
tree: 20d3dbe9374163e08bfd84669b2877a585baf7cb
parent: 0acfbe57146fc4e8da671e79a5881fc0eba44daf (diff)
download: sssd2-16ccfd09e6120ab5e104fa2a6762511d398b4e93.tar.gz
sssd2-16ccfd09e6120ab5e104fa2a6762511d398b4e93.tar.xz
sssd2-16ccfd09e6120ab5e104fa2a6762511d398b4e93.zip
4 files changed, 36 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 1a959d4c..ef466b25 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -607,6 +607,7 @@ static void auth_resolve_done(struct tevent_req *subreq)
     struct auth_state *state = tevent_req_data(req,
                                                     struct auth_state);
     int ret;
+    bool use_tls = true;
 
     ret = be_resolve_server_recv(subreq, &state->srv);
     talloc_zfree(subreq);
@@ -617,8 +618,15 @@ static void auth_resolve_done(struct tevent_req *subreq)
         return;
     }
 
+    /* Determine whether we need to use TLS */
+    if (sdap_is_secure_uri(state->ctx->service->uri)) {
+        DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n",
+                  state->ctx->service->uri));
+        use_tls = false;
+    }
+
     subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
-                               state->ctx->service->uri, true);
+                               state->ctx->service->uri, use_tls);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
         return;
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index b99291c9..4ee1e059 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -701,3 +701,13 @@ void sdap_gsh_disconnect_callback(void *pvt)
         ctx->gsh->connected = false;
     }
 }
+
+bool sdap_is_secure_uri(const char *uri)
+{
+    /* LDAPS and LDAPI URI's are secure channels */
+    if ((strncasecmp(uri, LDAP_SSL_URI, strlen(LDAP_SSL_URI)) == 0) ||
+        (strncasecmp(uri, LDAP_LDAPI_URI, strlen(LDAP_LDAPI_URI)) == 0)) {
+        return true;
+    }
+    return false;
+}
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 1ee7378c..3a756b2f 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -32,6 +32,10 @@
 
 #define SSS_LDAP_SRV_NAME "ldap"
 
+#define LDAP_STANDARD_URI "ldap://"
+#define LDAP_SSL_URI "ldaps://"
+#define LDAP_LDAPI_URI "ldapi://"
+
 /* a fd the child process would log into */
 extern int ldap_child_debug_fd;
 
@@ -118,4 +122,7 @@ int groups_get_recv(struct tevent_req *req);
 int setup_child(struct sdap_id_ctx *ctx);
 
 void sdap_gsh_disconnect_callback(void *pvt);
+
+bool sdap_is_secure_uri(const char *uri);
+
 #endif /* _LDAP_COMMON_H_ */
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 69baf1a3..bcf06e86 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -24,6 +24,7 @@
 #include "util/util.h"
 #include "util/sss_krb5.h"
 #include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/ldap_common.h"
 
 #define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
 
@@ -938,6 +939,8 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq)
     struct sdap_cli_connect_state *state = tevent_req_data(req,
                                              struct sdap_cli_connect_state);
     int ret;
+    bool use_tls = dp_opt_get_bool(state->opts->basic,
+                                   SDAP_ID_TLS);
 
     ret = be_resolve_server_recv(subreq, &state->srv);
     talloc_zfree(subreq);
@@ -948,10 +951,15 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq)
         return;
     }
 
+    if (use_tls && sdap_is_secure_uri(state->service->uri)) {
+        DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n",
+                  state->service->uri));
+        use_tls = false;
+    }
+
     subreq = sdap_connect_send(state, state->ev, state->opts,
                                state->service->uri,
-                               dp_opt_get_bool(state->opts->basic,
-                                               SDAP_ID_TLS));
+                               use_tls);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
         return;
author	Stephen Gallagher <sgallagh@redhat.com>	2011-02-16 07:38:16 -0500
committer	Stephen Gallagher <sgallagh@redhat.com>	2011-02-16 09:38:45 -0500
commit	16ccfd09e6120ab5e104fa2a6762511d398b4e93 (patch)
tree	20d3dbe9374163e08bfd84669b2877a585baf7cb
parent	0acfbe57146fc4e8da671e79a5881fc0eba44daf (diff)
download	sssd2-16ccfd09e6120ab5e104fa2a6762511d398b4e93.tar.gz sssd2-16ccfd09e6120ab5e104fa2a6762511d398b4e93.tar.xz sssd2-16ccfd09e6120ab5e104fa2a6762511d398b4e93.zip