Stephen Gallagher
Tue, 25 Jan 2011 07:57:50 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is going to be a controversial patch. It adds support for an option called "ldap_auth_disable_tls_never_use_in_production" which allows SSSD to perform LDAP simple-bind authentication without a corresponding TLS tunnel.
Multiple users have requested (arguably demanded) this feature for "debugging" purposes. We've resisted it for a long time, but after a certain point, once people yell often enough, it's probably worth it to listen. The option added by this patch is intentionally left out of the manpage and the SSSDConfig API, as a means to strongly discourage its use. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0+8u4ACgkQeiVVYja6o6M1rwCdH9Gzi66lBzItaKFtGiLZFyIN I3cAmgKzw1fUPUR8ckZfRl8+svO8NR3F =d0sd -----END PGP SIGNATURE-----
From 93191806d5844abc8531f3ebd6e7a5ea5145551a Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Tue, 25 Jan 2011 10:47:25 -0500
Subject: [PATCH] Add option to disable TLS for LDAP auth
Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API.
---
src/providers/ipa/ipa_common.c | 6 +++++-
src/providers/ipa/ipa_common.h | 2 +-
src/providers/ldap/ldap_auth.c | 9 ++++++++-
src/providers/ldap/ldap_common.c | 6 +++++-
src/providers/ldap/sdap.h | 1 +
5 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index b3467c606c61d262b86c92f571e1cc29ac7aa6af..401c19305353afb0a91e55dd9b2691f653174c39 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -86,7 +86,11 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_access_order", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }
+ { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ /* Do not include ldap_auth_disable_tls_never_use_in_production in the
+ * manpages or SSSDConfig API
+ */
+ { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
struct sdap_attr_map ipa_attr_map[] = {
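Review bot: The comment on the new table entry says the option must stay out of the manpages and SSSDConfig API, but not what it does, so a reader of ipa_def_ldap_opts cannot tell that setting it makes the LDAP simple bind run without a TLS tunnel and send the password unprotected. Suggest extending the comment to `/* Undocumented debugging aid: disables TLS for the LDAP simple bind in ldap_auth.c, so the password crosses the wire unprotected. Keep out of the manpages and SSSDConfig API. */`. The same applies to the identical entry added to default_basic_opts in ldap_common.c. Both tables must keep this entry directly after ldap_enumeration_search_timeout so it lines up with SDAP_DISABLE_AUTH_TLS following SDAP_ENUM_SEARCH_TIMEOUT in the sdap_basic_opt enum in sdap.h; the IPA_OPTS_BASIC_TEST bump to 48 in ipa_common.h is what catches a count mismatch, not a misordering, so the comment is worth having in both tables.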
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 39fe31dc5bb7cd8cabebdee31af02df0f12c5ceb..ed67a2c7b994e731b7eb270c6d4db1ecc5e27934 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 47
+#define IPA_OPTS_BASIC_TEST 48
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 853231b36c64b5afdde2e898f57f332736f44150..5cbb4ff61d435f1c934685dfcb76de9b98819a38 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -536,6 +536,7 @@ static void auth_resolve_done(struct tevent_req *subreq)
struct auth_state *state = tevent_req_data(req,
struct auth_state);
int ret;
+ bool use_tls;
ret = be_resolve_server_recv(subreq, &state->srv);
talloc_zfree(subreq);
@@ -546,8 +547,14 @@ static void auth_resolve_done(struct tevent_req *subreq)
return;
}
+ /* Check for undocumented debugging feature to disable TLS
+ * for authentication. This should never be used in production
+ * for obvious reasons.
+ */
+ use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
+
subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
- state->sdap_service->uri, true);
+ state->sdap_service->uri, use_tls);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
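Review bot: When use_tls is false the sdap_connect_send call in this hunk performs the simple bind in clear text, yet nothing records at runtime that the option is active; the source comment is the only trace, so an administrator or auditor reading the logs cannot tell that credentials were sent unprotected. Emit a log line in that case, e.g. `if (!use_tls) { /* log at a level visible in normal operation: TLS disabled for LDAP auth by ldap_auth_disable_tls_never_use_in_production */ }` using the DEBUG facility this file presumably shares with the rest of the provider. The option name says "auth", but this is the only call site changed; if another path in this file (for example password change) also calls sdap_connect_send with a hard-coded true, it is unaffected, and the comment at the top of the hunk should say so. auth_resolve_done starts and ends outside the hunk.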
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index f56d01f0001db4f8cd423f221df3de696b425a60..f2ea16aec72ee31ec38348d7ece5faf1c8628424 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -81,7 +81,11 @@ struct dp_option default_basic_opts[] = {
{ "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING },
{ "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }
+ { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ /* Do not include ldap_auth_disable_tls_never_use_in_production in the
+ * manpages or SSSDConfig API
+ */
+ { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
struct sdap_attr_map generic_attr_map[] = {
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index e053210afc9bace011158ba306cf6bd1164e74e1..31e72cd5b8326204ca6c8ffa718490c574c997e2 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -200,6 +200,7 @@ enum sdap_basic_opt {
SDAP_CHPASS_URI,
SDAP_CHPASS_DNS_SERVICE_NAME,
SDAP_ENUM_SEARCH_TIMEOUT,
+ SDAP_DISABLE_AUTH_TLS,
SDAP_OPTS_BASIC /* opts counter */
};
--
1.7.3.4