-rw-r--r--src/config/SSSDConfig.py3
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf3
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf3
-rw-r--r--src/man/sssd-ldap.5.xml41
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ldap/ldap_common.c3
-rw-r--r--src/providers/ldap/sdap.c27
-rw-r--r--src/providers/ldap/sdap.h3
9 files changed, 87 insertions, 1 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 98a5ddad..9c61f06f 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -127,6 +127,9 @@ option_strings = {
'ldap_force_upper_case_realm' : _('Use only the upper case for realm names'),
'ldap_tls_cacert' : _('File that contains CA certificates'),
'ldap_tls_cacertdir' : _('Path to CA certificate directory'),
+ 'ldap_tls_cert' : _('File that contains the client certificate'),
+ 'ldap_tls_key' :_('File that contains the client key'),
+ 'ldap_tls_cipher_suite' :_('List of possible ciphers suites'),
'ldap_tls_reqcert' : _('Require TLS certificate verification'),
'ldap_sasl_mech' : _('Specify the sasl mechanism to use'),
'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
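Review bot: Two of the three added entries drop the space after the colon that every neighbouring entry in option_strings has (`'ldap_tls_key' :_(` and `'ldap_tls_cipher_suite' :_(`), and the third string has a grammatical slip: "ciphers suites" should be "cipher suites". Because these strings are wrapped in `_()` they end up in the gettext catalog, so fixing the wording before it is merged avoids churning translations later. Suggested lines: `'ldap_tls_cert' : _('File that contains the client certificate'),` / `'ldap_tls_key' : _('File that contains the client private key'),` / `'ldap_tls_cipher_suite' : _('List of possible cipher suites'),`. The man page hunk in src/man/sssd-ldap.5.xml has a similar slip ("sperated" for "separated") in the ldap_tls_cipher_suite description.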
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 1b4427ab..31b7dc9b 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -16,6 +16,9 @@ ldap_opt_timeout = int, None, false
ldap_offline_timeout = int, None, false
ldap_tls_cacert = str, None, false
ldap_tls_cacertdir = str, None, false
+ldap_tls_cert = str, None, false
+ldap_tls_key = str, None, false
+ldap_tls_cipher_suite = str, None, false
ldap_tls_reqcert = str, None, false
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 440ebff8..0e1b2ca5 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -10,6 +10,9 @@ ldap_opt_timeout = int, None, false
ldap_offline_timeout = int, None, false
ldap_tls_cacert = str, None, false
ldap_tls_cacertdir = str, None, false
+ldap_tls_cert = str, None, false
+ldap_tls_key = str, None, false
+ldap_tls_cipher_suite = str, None, false
ldap_tls_reqcert = str, None, false
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index b133b3bc..58665eb4 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -910,6 +910,47 @@
</varlistentry>
<varlistentry>
+ <term>ldap_tls_cert (string)</term>
+ <listitem>
+ <para>
+ Specifies the file that contains the certificate
+ for the client's key.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_tls_key (string)</term>
+ <listitem>
+ <para>
+ Specifies the file that contains the client's key.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_tls_cipher_suite (string)</term>
+ <listitem>
+ <para>
+ Specifies acceptable cipher suites. Typically this
+ is a colon sperated list. See
+ <citerefentry><refentrytitle>ldap.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for format.
+ </para>
+ <para>
+ Default: use OpenLDAP defaults, typically in
+ <filename>/etc/openldap/ldap.conf</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_id_use_start_tls (boolean)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 407b9ef5..b3467c60 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -62,6 +62,9 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "entry_cache_timeout", DP_OPT_NUMBER, { .number = 1800 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_mech", DP_OPT_STRING, { "GSSAPI" } , NULL_STRING },
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 294e84fa..39fe31dc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 44
+#define IPA_OPTS_BASIC_TEST 47
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 48c35638..e669ba6c 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -57,6 +57,9 @@ struct dp_option default_basic_opts[] = {
{ "entry_cache_timeout", DP_OPT_NUMBER, { .number = 5400 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 573de178..ea2eabe7 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -350,6 +350,33 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
}
}
+ tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CERT);
+ if (tls_opt) {
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, tls_opt);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ return EIO;
+ }
+ }
+
+ tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_KEY);
+ if (tls_opt) {
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, tls_opt);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ return EIO;
+ }
+ }
+
+ tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CIPHER_SUITE);
+ if (tls_opt) {
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, tls_opt);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ return EIO;
+ }
+ }
+
return EOK;
}
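Review bot: The three new failure paths log the identical message `ldap_set_option failed: %s`, so an operator cannot tell from the log whether the certificate file, the key file or the cipher string was rejected, which matters because a bad cipher-suite string is a very different problem from an unreadable key file; each DEBUG should name its option, e.g. `DEBUG(1, ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE) failed: %s\n", ldap_err2string(ret)));`. Separately, ldap_tls_cert and ldap_tls_key are applied independently, so a configuration that sets only one of them passes setup_tls_config and only surfaces at the first TLS handshake with a less specific error; since a client certificate is only usable with its private key, I would reject (or at least warn on) a half-configured pair up front, as sketched below. If the project wants to allow a combined cert+key PEM supplied via ldap_tls_cert alone, downgrade the new check to a warning. setup_tls_config begins before this hunk, so the cacert/cacertdir/reqcert handling above is not visible here.
```c
    /* … unchanged: cacert / cacertdir / reqcert handling … */

    /* A client certificate is only usable together with its private key;
     * fail here with a clear message rather than at the first handshake. */
    if ((dp_opt_get_string(basic_opts, SDAP_TLS_CERT) == NULL) !=
        (dp_opt_get_string(basic_opts, SDAP_TLS_KEY) == NULL)) {
        DEBUG(1, ("ldap_tls_cert and ldap_tls_key must be set together\n"));
        return EINVAL;
    }

    tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CERT);
    if (tls_opt) {
        ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, tls_opt);
        if (ret != LDAP_OPT_SUCCESS) {
            DEBUG(1, ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE) failed: %s\n",
                      ldap_err2string(ret)));
            return EIO;
        }
    }
    /* … unchanged: same pattern for SDAP_TLS_KEY and SDAP_TLS_CIPHER_SUITE,
     * each DEBUG naming its own LDAP_OPT_X_TLS_* option … */
```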
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 932abca4..e053210a 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -176,6 +176,9 @@ enum sdap_basic_opt {
SDAP_ENTRY_CACHE_TIMEOUT,
SDAP_TLS_CACERT,
SDAP_TLS_CACERTDIR,
+ SDAP_TLS_CERT,
+ SDAP_TLS_KEY,
+ SDAP_TLS_CIPHER_SUITE,
SDAP_ID_TLS,
SDAP_SASL_MECH,
SDAP_SASL_AUTHID,