URL: https://github.com/SSSD/sssd/pull/700 Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information
sumit-bose commented: """ ah sorry, I just realized that I didn't paste the latest version of my debug call. Here it is: ``` diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index b4d045a..12c00f7 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -747,6 +747,38 @@ static struct tevent_req *auth_connect_send(struct tevent_req *req) return subreq; } +static void check_encryption(LDAP *ldap) { + ber_len_t sasl_ssf = 0; + void *ssl_ctx = NULL; + int ret; + + ret = ldap_get_option(ldap, LDAP_OPT_X_SASL_SSF, &sasl_ssf); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_TRACE_LIBS, "ldap_get_option failed to get sasl ssf, " + "assuming SASL is not used.\n"); + } + + /* LDAP_OPT_X_TLS_SSL_CTX returns a pointer to a struct which depends on + * the crypto library used by OpenLDAP. Since in general we do not know + * which library is used we just check if the pointer is not NULL and + * assume that in this case the TLS setup was successful. */ + ret = ldap_get_option(ldap, LDAP_OPT_X_TLS_SSL_CTX, &ssl_ctx); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "ldap_get_option failed to get ssl ctx, " + "ignored.\n"); + } + + DEBUG(SSSDBG_TRACE_ALL, "Encryption used: SASF SSF [%lu] SSL CTX [%s].\n", + sasl_ssf, + ssl_ctx == NULL ? "No SSL CTX" : "SSL CTX present"); + + if (sasl_ssf <= 1 && ssl_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "No encryption detected on LDAP connection.\n"); + sss_log(SSS_LOG_CRIT, "No encryption detected on LDAP connection.\n"); + } +} + static void auth_connect_done(struct tevent_req *subreq) { struct tevent_req *req = tevent_req_callback_data(subreq, 
@@ -776,6 +808,8 @@ static void auth_connect_done(struct tevent_req *subreq) return; } + check_encryption(state->sh->ldap); + if (state->dn == NULL) { /* The cached user entry was missing the bind DN. Need to look * it up based on user name in order to perform the bind */ ``` The change is in the debug level and message when trying to get LDAP_OPT_X_SASL_SSF. """ See the full comment at https://github.com/SSSD/sssd/pull/700#issuecomment-441577635
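Review bot: In the new check_encryption() in the first hunk, the SASL SSF and TLS lookups both fall through to the final "No encryption detected" path when ldap_get_option() fails, because sasl_ssf stays 0 and ssl_ctx stays NULL, yet the TLS failure is logged as "ldap_get_option failed to get ssl ctx, ignored." which is not what happens: a failed lookup is reported as a plaintext connection at SSSDBG_CRIT_FAILURE and via sss_log(SSS_LOG_CRIT, ...). Either word the message to say that a failed lookup will be treated as "no TLS", or skip the final check when the option lookup itself failed so that a library error is not misreported as a missing encryption layer. Also, the trace message reads "Encryption used: SASF SSF [%lu] ..."; "SASF" should be "SASL". A one-line comment on `if (sasl_ssf <= 1 && ssl_ctx == NULL)` explaining that an SSF of 1 means integrity protection only (no confidentiality) would make the threshold self-explanatory for the next reader.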
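Review bot: The call site in the second hunk puts `check_encryption(state->sh->ldap);` on the auth_connect_done() path, so it runs on every authentication attempt; on a deployment whose bind connection really is unencrypted this emits a SSS_LOG_CRIT syslog entry per login, which will flood the system log rather than alert once. Consider logging the sss_log() message once per connection or per backend (the DEBUG line can stay per call), and documenting in the commit message that the check is informational only and does not refuse the plaintext bind, since readers of the CRIT message may otherwise assume the authentication was blocked.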
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org