URL: https://github.com/SSSD/sssd/pull/700
Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information

sumit-bose commented:
"""
ah sorry, I just realized that I didn't paste the latest version of my debug 
call. Here it is:

```
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index b4d045a..12c00f7 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -747,6 +747,38 @@ static struct tevent_req *auth_connect_send(struct 
tevent_req *req)
     return subreq;
 }
 
+static void check_encryption(LDAP *ldap) {
+    ber_len_t sasl_ssf = 0;
+    void *ssl_ctx = NULL;
+    int ret;
+
+    ret = ldap_get_option(ldap, LDAP_OPT_X_SASL_SSF, &sasl_ssf);
+    if (ret != LDAP_SUCCESS) {
+        DEBUG(SSSDBG_TRACE_LIBS, "ldap_get_option failed to get sasl ssf, "
+                                 "assuming SASL is not used.\n");
+    }
+
+    /* LDAP_OPT_X_TLS_SSL_CTX returns a pointer to a struct which depends on
+     * the crypto library used by OpenLDAP. Since in general we do not know
+     * which library is used we just check if the pointer is not NULL and
+     * assume that in this case the TLS setup was successful. */
+    ret = ldap_get_option(ldap, LDAP_OPT_X_TLS_SSL_CTX, &ssl_ctx);
+    if (ret != LDAP_SUCCESS) {
+        DEBUG(SSSDBG_OP_FAILURE, "ldap_get_option failed to get ssl ctx, "
+                                 "ignored.\n");
+    }
+
+    DEBUG(SSSDBG_TRACE_ALL, "Encryption used: SASF SSF [%lu] SSL CTX [%s].\n",
+                            sasl_ssf,
+                            ssl_ctx == NULL ? "No SSL CTX" : "SSL CTX 
present");
+
+    if (sasl_ssf <= 1 && ssl_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+                "No encryption detected on LDAP connection.\n");
+        sss_log(SSS_LOG_CRIT, "No encryption detected on LDAP connection.\n");
+    }
+}
+
 static void auth_connect_done(struct tevent_req *subreq)
 {
     struct tevent_req *req = tevent_req_callback_data(subreq,
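Review bot: the `sasl_ssf <= 1` threshold in check_encryption() deserves a comment, since SASL SSF 1 means integrity protection only (no confidentiality) and is deliberately being treated the same as 0; stating that next to the condition would stop a later reader from "fixing" it to `== 0`. Two smaller points in the same hunk: the trace message reads "SASF SSF" where "SASL SSF" is meant, and the function only logs (DEBUG plus sss_log at CRIT) without returning anything, so a caller cannot act on the result; if this is intended to stay a diagnostic that is fine, but a short comment above the function saying so would make that explicit.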
@@ -776,6 +808,8 @@ static void auth_connect_done(struct tevent_req *subreq)
         return;
     }
 
+    check_encryption(state->sh->ldap);
+
     if (state->dn == NULL) {
         /* The cached user entry was missing the bind DN. Need to look
          * it up based on user name in order to perform the bind */
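Review bot: check_encryption() is called unconditionally on every auth_connect_done(), so an unencrypted deployment will emit a CRIT-level sss_log() entry on every authentication attempt rather than once, which will flood the system log; consider logging once per sdap_handle (or once per backend start) and keeping only the DEBUG line per connection. It also runs only on the auth path, so the ID-lookup connection is not covered by this check; if the intent is to warn about any plaintext LDAP traffic, the same call belongs where the other connections are established.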
```

The change is in the debug level and message when trying to get 
LDAP_OPT_X_SASL_SSF.
"""

See the full comment at https://github.com/SSSD/sssd/pull/700#issuecomment-441577635
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org