diff options
| author | Stephen Gallagher <sgallagh@redhat.com> | 2011-01-25 10:47:25 -0500 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-01-27 12:24:16 -0500 |
| commit | a1af9beb915e96da634b7d17762bf42146104d45 (patch) | |
| tree | cfef68f15b3b7c69a82538c63671c90f08e079c6 /src/providers/ldap | |
| parent | aa89df2040593f9120196ec440d2dc6d9f860d55 (diff) | |
| download | sssd-a1af9beb915e96da634b7d17762bf42146104d45.tar.gz sssd-a1af9beb915e96da634b7d17762bf42146104d45.tar.xz sssd-a1af9beb915e96da634b7d17762bf42146104d45.zip | |
Add option to disable TLS for LDAP auth
Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API.
Diffstat (limited to 'src/providers/ldap')
| -rw-r--r-- | src/providers/ldap/ldap_auth.c | 14 | ||||
| -rw-r--r-- | src/providers/ldap/ldap_common.c | 6 | ||||
| -rw-r--r-- | src/providers/ldap/sdap.h | 1 |
3 files changed, 19 insertions, 2 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index 853231b36..f4bbabf6b 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -536,6 +536,7 @@ static void auth_resolve_done(struct tevent_req *subreq) struct auth_state *state = tevent_req_data(req, struct auth_state); int ret; + bool use_tls; ret = be_resolve_server_recv(subreq, &state->srv); talloc_zfree(subreq); @@ -546,8 +547,19 @@ static void auth_resolve_done(struct tevent_req *subreq) return; } + /* Check for undocumented debugging feature to disable TLS + * for authentication. This should never be used in production + * for obvious reasons. + */ + use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS); + if (!use_tls) { + sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over " + "insecure connection. This should be done " + "for debugging purposes only."); + } + subreq = sdap_connect_send(state, state->ev, state->ctx->opts, - state->sdap_service->uri, true); + state->sdap_service->uri, use_tls); if (!subreq) { tevent_req_error(req, ENOMEM); return; diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index f56d01f00..f2ea16aec 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -81,7 +81,11 @@ struct dp_option default_basic_opts[] = { { "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING }, { "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER } + { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }, + /* Do not include ldap_auth_disable_tls_never_use_in_production in the + * manpages or SSSDConfig API + */ + { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE } }; struct sdap_attr_map generic_attr_map[] = { diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index e053210af..31e72cd5b 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -200,6 +200,7 @@ enum sdap_basic_opt { SDAP_CHPASS_URI, SDAP_CHPASS_DNS_SERVICE_NAME, SDAP_ENUM_SEARCH_TIMEOUT, + SDAP_DISABLE_AUTH_TLS, SDAP_OPTS_BASIC /* opts counter */ }; |