URL: https://github.com/SSSD/sssd/pull/733 Author: alexey-tikhonov Title: #733: providers/ldap: abort unsecure authentication requests Action: opened
PR body: """ Abort LDAP authentication if the connection is not authenticated and SDAP_DISABLE_AUTH_TLS is off. Resolves: https://pagure.io/SSSD/sssd/issue/3889 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/733/head:pr733 git checkout pr733
From a68da6228f15727aa4fcf94114d4ed5c17e9bc8d Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikh...@redhat.com>
Date: Mon, 14 Jan 2019 18:15:29 +0100
Subject: [PATCH] providers/ldap: abort unsecure authentication requests
Abort LDAP authentication if the connection is not authenticated and SDAP_DISABLE_AUTH_TLS is off.
Resolves: https://pagure.io/SSSD/sssd/issue/3889
---
 src/providers/ldap/ldap_auth.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 4666dbfbb1..33f6d7ce0c 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -747,16 +747,17 @@ static struct tevent_req *auth_connect_send(struct tevent_req *req)
     return subreq;
 }
-static void check_encryption(LDAP *ldap)
+static bool check_encryption_used(LDAP *ldap)
 {
     ber_len_t sasl_ssf = 0;
     int tls_inplace = 0;
     int ret;
     ret = ldap_get_option(ldap, LDAP_OPT_X_SASL_SSF, &sasl_ssf);
-    if (ret != LDAP_SUCCESS) {
+    if (ret != LDAP_OPT_SUCCESS) {
         DEBUG(SSSDBG_TRACE_LIBS, "ldap_get_option failed to get sasl ssf, " "assuming SASL is not used.\n");
+        sasl_ssf = 0;
     }
     tls_inplace = ldap_tls_inplace(ldap);
@@ -769,7 +770,10 @@ static void check_encryption(LDAP *ldap)
         DEBUG(SSSDBG_CRIT_FAILURE, "No encryption detected on LDAP connection.\n");
         sss_log(SSS_LOG_CRIT, "No encryption detected on LDAP connection.\n");
+        return false;
     }
+
+    return true;
 }
 static void auth_connect_done(struct tevent_req *subreq)
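Review bot: check_encryption_used now returns a bool that the caller uses as a security gate, but the signature line carries no comment stating what true and false mean; a header comment such as `/* Returns true when the connection is protected by SASL confidentiality or TLS, false otherwise. Logs at CRIT level when it returns false. */` would make the contract explicit. The comparison that decides the return value sits between the two hunks, so the exact sasl_ssf threshold and its interplay with tls_inplace should be confirmed against the file before wording the comment. Now that a caller may legitimately allow an unencrypted connection via SDAP_DISABLE_AUTH_TLS, the unconditional CRIT-level "No encryption detected" log and sss_log in this function may be louder than intended for that configuration; consider whether the severity still fits. The added `sasl_ssf = 0;` duplicates the initializer on the declaration; if it is meant to guard against ldap_get_option writing a partial value on failure, a one-line comment saying so would help.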
@@ -801,7 +805,12 @@ static void auth_connect_done(struct tevent_req *subreq)
         return;
     }
-    check_encryption(state->sh->ldap);
+    if (!check_encryption_used(state->sh->ldap) &&
+        !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS)) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Aborting the authentication request.\n");
+        sss_log(SSS_LOG_CRIT, "Aborting the authentication request.\n");
+        tevent_req_error(req, ERR_AUTH_FAILED);
+    }
     if (state->dn == NULL) {
         /* The cached user entry was missing the bind DN. Need to look
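Review bot: The new abort branch calls `tevent_req_error(req, ERR_AUTH_FAILED);` but does not return, so auth_connect_done falls through into the `if (state->dn == NULL)` path and continues the authentication on a connection it has just declared unacceptable. The preceding error branch at the top of the hunk ends with `return;`, and the abort branch should do the same: add `return;` directly after the `tevent_req_error` call. Without it the request is likely to be completed a second time further down, which tevent does not tolerate, and the "abort" the commit message promises does not actually happen. The rest of auth_connect_done lies outside the hunk, so the later completion path cannot be confirmed here, but the fall-through itself is visible.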