-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/25/2011 11:17 AM, Sumit Bose wrote: > On Tue, Jan 25, 2011 at 11:09:09AM -0500, Stephen Gallagher wrote: > On 01/25/2011 10:59 AM, Jeff Schroeder wrote: >>>> Why don't you make sssd also complain on startup about this option? >>>> > > I'm trying not to be TOO obnoxious about it. I figured that not having > it mentioned in the documentation and not visible to the SSSDConfig API > would be sufficient. > > But if you feel strongly about it, it's not too hard to add. > > >> I would also support the idea of some kind of warning message to prevent >> that someone accidentally use the "debugging" configuration in >> production. But instead of a message at startup I would prefer a syslog >> message every time a password is sent unencrypted.
New patch with annoying syslog message attached. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0/KpkACgkQeiVVYja6o6OsUQCfUASv3Xl4TmAe2Hg4ahO0NkrG vSsAnRkS32L5QrsqXAb0YSRRNtY2QXwH =i5b6 -----END PGP SIGNATURE-----
From 4f64e5b404cff2c2df95b6746eaa025402e9b4d4 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Tue, 25 Jan 2011 10:47:25 -0500
Subject: [PATCH] Add option to disable TLS for LDAP auth
Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API.
---
src/providers/ipa/ipa_common.c | 6 +++++-
src/providers/ipa/ipa_common.h | 2 +-
src/providers/ldap/ldap_auth.c | 14 +++++++++++++-
src/providers/ldap/ldap_common.c | 6 +++++-
src/providers/ldap/sdap.h | 1 +
5 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index b3467c606c61d262b86c92f571e1cc29ac7aa6af..401c19305353afb0a91e55dd9b2691f653174c39 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -86,7 +86,11 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_access_order", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }
+ { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ /* Do not include ldap_auth_disable_tls_never_use_in_production in the
+ * manpages or SSSDConfig API
+ */
+ { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
struct sdap_attr_map ipa_attr_map[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 39fe31dc5bb7cd8cabebdee31af02df0f12c5ceb..ed67a2c7b994e731b7eb270c6d4db1ecc5e27934 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 47
+#define IPA_OPTS_BASIC_TEST 48
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 853231b36c64b5afdde2e898f57f332736f44150..f4bbabf6bb35727593a35296bb5918547ed394a4 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -536,6 +536,7 @@ static void auth_resolve_done(struct tevent_req *subreq)
struct auth_state *state = tevent_req_data(req,
struct auth_state);
int ret;
+ bool use_tls;
ret = be_resolve_server_recv(subreq, &state->srv);
talloc_zfree(subreq);
@@ -546,8 +547,19 @@ static void auth_resolve_done(struct tevent_req *subreq)
return;
}
+ /* Check for undocumented debugging feature to disable TLS
+ * for authentication. This should never be used in production
+ * for obvious reasons.
+ */
+ use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
+ if (!use_tls) {
+ sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
+ "insecure connection. This should be done "
+ "for debugging purposes only.");
+ }
+
subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
- state->sdap_service->uri, true);
+ state->sdap_service->uri, use_tls);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index f56d01f0001db4f8cd423f221df3de696b425a60..f2ea16aec72ee31ec38348d7ece5faf1c8628424 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -81,7 +81,11 @@ struct dp_option default_basic_opts[] = {
{ "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING },
{ "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }
+ { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ /* Do not include ldap_auth_disable_tls_never_use_in_production in the
+ * manpages or SSSDConfig API
+ */
+ { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
struct sdap_attr_map generic_attr_map[] = {
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index e053210afc9bace011158ba306cf6bd1164e74e1..31e72cd5b8326204ca6c8ffa718490c574c997e2 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -200,6 +200,7 @@ enum sdap_basic_opt {
SDAP_CHPASS_URI,
SDAP_CHPASS_DNS_SERVICE_NAME,
SDAP_ENUM_SEARCH_TIMEOUT,
+ SDAP_DISABLE_AUTH_TLS,
SDAP_OPTS_BASIC /* opts counter */
};
--
1.7.3.4
0001-Add-option-to-disable-TLS-for-LDAP-auth.patch.sig
Description: PGP signature
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
