diff options
author | Stephen Gallagher <sgallagh@redhat.com> | 2011-02-16 07:38:16 -0500 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-02-16 09:38:45 -0500 |
commit | 16ccfd09e6120ab5e104fa2a6762511d398b4e93 (patch) | |
tree | 20d3dbe9374163e08bfd84669b2877a585baf7cb | |
parent | 0acfbe57146fc4e8da671e79a5881fc0eba44daf (diff) | |
download | sssd2-16ccfd09e6120ab5e104fa2a6762511d398b4e93.tar.gz sssd2-16ccfd09e6120ab5e104fa2a6762511d398b4e93.tar.xz sssd2-16ccfd09e6120ab5e104fa2a6762511d398b4e93.zip |
Do not attempt to use START_TLS on SSL connections
Not all LDAP servers are capable of handling dual-encryption with
both TLS and SSL.
https://fedorahosted.org/sssd/ticket/795
-rw-r--r-- | src/providers/ldap/ldap_auth.c | 10 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.c | 10 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.h | 7 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 12 |
4 files changed, 36 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index 1a959d4c..ef466b25 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -607,6 +607,7 @@ static void auth_resolve_done(struct tevent_req *subreq) struct auth_state *state = tevent_req_data(req, struct auth_state); int ret; + bool use_tls = true; ret = be_resolve_server_recv(subreq, &state->srv); talloc_zfree(subreq); @@ -617,8 +618,15 @@ static void auth_resolve_done(struct tevent_req *subreq) return; } + /* Determine whether we need to use TLS */ + if (sdap_is_secure_uri(state->ctx->service->uri)) { + DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n", + state->ctx->service->uri)); + use_tls = false; + } + subreq = sdap_connect_send(state, state->ev, state->ctx->opts, - state->ctx->service->uri, true); + state->ctx->service->uri, use_tls); if (!subreq) { tevent_req_error(req, ENOMEM); return; diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index b99291c9..4ee1e059 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -701,3 +701,13 @@ void sdap_gsh_disconnect_callback(void *pvt) ctx->gsh->connected = false; } } + +bool sdap_is_secure_uri(const char *uri) +{ + /* LDAPS and LDAPI URI's are secure channels */ + if ((strncasecmp(uri, LDAP_SSL_URI, strlen(LDAP_SSL_URI)) == 0) || + (strncasecmp(uri, LDAP_LDAPI_URI, strlen(LDAP_LDAPI_URI)) == 0)) { + return true; + } + return false; +} diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h index 1ee7378c..3a756b2f 100644 --- a/src/providers/ldap/ldap_common.h +++ b/src/providers/ldap/ldap_common.h @@ -32,6 +32,10 @@ #define SSS_LDAP_SRV_NAME "ldap" +#define LDAP_STANDARD_URI "ldap://" +#define LDAP_SSL_URI "ldaps://" +#define LDAP_LDAPI_URI "ldapi://" + /* a fd the child process would log into */ extern int ldap_child_debug_fd; @@ -118,4 +122,7 @@ int groups_get_recv(struct tevent_req *req); int setup_child(struct sdap_id_ctx *ctx); void sdap_gsh_disconnect_callback(void *pvt); + +bool sdap_is_secure_uri(const char *uri); + #endif /* _LDAP_COMMON_H_ */ diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 69baf1a3..bcf06e86 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -24,6 +24,7 @@ #include "util/util.h" #include "util/sss_krb5.h" #include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/ldap_common.h" #define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D @@ -938,6 +939,8 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq) struct sdap_cli_connect_state *state = tevent_req_data(req, struct sdap_cli_connect_state); int ret; + bool use_tls = dp_opt_get_bool(state->opts->basic, + SDAP_ID_TLS); ret = be_resolve_server_recv(subreq, &state->srv); talloc_zfree(subreq); @@ -948,10 +951,15 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq) return; } + if (use_tls && sdap_is_secure_uri(state->service->uri)) { + DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n", + state->service->uri)); + use_tls = false; + } + subreq = sdap_connect_send(state, state->ev, state->opts, state->service->uri, - dp_opt_get_bool(state->opts->basic, - SDAP_ID_TLS)); + use_tls); if (!subreq) { tevent_req_error(req, ENOMEM); return; |