diff -urN sssd-2.2.3/src/config/cfg_rules.ini sssd-2.2.3/src/config/cfg_rules.ini
--- sssd-2.2.3/src/config/cfg_rules.ini 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/config/cfg_rules.ini 2020-04-27 10:40:24.489676889 +0200
@@ -464,6 +464,7 @@
option = ad_maximum_machine_account_password_age
option = ad_server
option = ad_site
+option = ad_use_ldaps
# IPA provider specific options
option = ipa_anchor_uuid
@@ -662,6 +663,7 @@
option = ldap_sasl_canonicalize
option = ldap_sasl_mech
option = ldap_sasl_minssf
+option = ldap_sasl_maxssf
option = ldap_schema
option = ldap_pwmodify_mode
option = ldap_search_base
diff -urN sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf
--- sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf 2020-04-27 10:38:07.159465822 +0200
@@ -20,6 +20,7 @@
ad_site = str, None, false
ad_maximum_machine_account_password_age = int, None, false
ad_machine_account_password_renewal_opts = str, None, false
+ad_use_ldaps = bool, None, false
ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
@@ -40,6 +41,7 @@
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
ldap_sasl_minssf = int, None, false
+ldap_sasl_maxssf = int, None, false
krb5_kdcip = str, None, false
krb5_server = str, None, false
krb5_backup_server = str, None, false
diff -urN sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf
--- sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf 2020-04-27 10:36:23.403297134 +0200
@@ -32,6 +32,7 @@
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
ldap_sasl_minssf = int, None, false
+ldap_sasl_maxssf = int, None, false
krb5_kdcip = str, None, false
krb5_server = str, None, false
krb5_backup_server = str, None, false
diff -urN sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf
--- sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf 2020-04-27 10:36:23.403297134 +0200
@@ -35,6 +35,7 @@
ldap_deref_threshold = int, None, false
ldap_sasl_canonicalize = bool, None, false
ldap_sasl_minssf = int, None, false
+ldap_sasl_maxssf = int, None, false
ldap_connection_expire_timeout = int, None, false
ldap_disable_paging = bool, None, false
ldap_disable_range_retrieval = bool, None, false
diff -urN sssd-2.2.3/src/config/SSSDConfig/__init__.py.in sssd-2.2.3/src/config/SSSDConfig/__init__.py.in
--- sssd-2.2.3/src/config/SSSDConfig/__init__.py.in 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/config/SSSDConfig/__init__.py.in 2020-04-27 10:39:40.975965576 +0200
@@ -252,6 +252,7 @@
'ad_site' : _('a particular site to be used by the client'),
'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
+ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
@@ -304,6 +305,7 @@
'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
+ 'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'),
'ldap_krb5_keytab' : _('Kerberos service keytab'),
'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
'ldap_referrals' : _('Follow LDAP referrals'),
diff -urN sssd-2.2.3/src/man/sssd-ad.5.xml sssd-2.2.3/src/man/sssd-ad.5.xml
--- sssd-2.2.3/src/man/sssd-ad.5.xml 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/man/sssd-ad.5.xml 2020-04-27 10:36:23.395297079 +0200
@@ -1016,6 +1016,26 @@
+ ad_use_ldaps (bool)
+
+
+ By default SSSD uses the plain LDAP port 389 and the
+ Global Catalog port 3628. If this option is set to
+ True SSSD will use the LDAPS port 636 and Global
+ Catalog port 3629 with LDAPS protection. Since AD
+ does not allow to have multiple encryption layers on
+ a single connection and we still want to use
+ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication
+ the SASL security property maxssf is set to 0 (zero)
+ for those connections.
+
+
+ Default: False
+
+
+
+
+
dyndns_update (boolean)
diff -urN sssd-2.2.3/src/man/sssd-ldap.5.xml sssd-2.2.3/src/man/sssd-ldap.5.xml
--- sssd-2.2.3/src/man/sssd-ldap.5.xml 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/man/sssd-ldap.5.xml 2020-04-27 10:36:23.407297162 +0200
@@ -594,6 +594,22 @@
+ ldap_sasl_maxssf (integer)
+
+
+ When communicating with an LDAP server using SASL,
+ specify the maximal security level necessary to
+ establish the connection. The values of this
+ option are defined by OpenLDAP.
+
+
+ Default: Use the system default (usually specified
+ by ldap.conf)
+
+
+
+
+
ldap_deref_threshold (integer)
diff -urN sssd-2.2.3/src/providers/ad/ad_common.c sssd-2.2.3/src/providers/ad/ad_common.c
--- sssd-2.2.3/src/providers/ad/ad_common.c 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ad/ad_common.c 2020-04-27 10:36:23.407297162 +0200
@@ -729,6 +729,7 @@
const char *ad_gc_service,
const char *ad_domain,
bool use_kdcinfo,
+ bool ad_use_ldaps,
size_t n_lookahead_primary,
size_t n_lookahead_backup,
struct ad_service **_service)
@@ -746,6 +747,16 @@
goto done;
}
+ if (ad_use_ldaps) {
+ service->ldap_scheme = "ldaps";
+ service->port = LDAPS_PORT;
+ service->gc_port = AD_GC_LDAPS_PORT;
+ } else {
+ service->ldap_scheme = "ldap";
+ service->port = LDAP_PORT;
+ service->gc_port = AD_GC_PORT;
+ }
+
service->sdap = talloc_zero(service, struct sdap_service);
service->gc = talloc_zero(service, struct sdap_service);
if (!service->sdap || !service->gc) {
@@ -927,7 +938,8 @@
goto done;
}
- new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
+ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,
+ srv_name);
if (!new_uri) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
ret = ENOMEM;
@@ -935,7 +947,7 @@
}
DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
+ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);
if (sockaddr == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
ret = EIO;
@@ -951,8 +963,12 @@
talloc_zfree(service->gc->uri);
talloc_zfree(service->gc->sockaddr);
if (sdata && sdata->gc) {
- new_port = fo_get_server_port(server);
- new_port = (new_port == 0) ? AD_GC_PORT : new_port;
+ if (service->gc_port == AD_GC_LDAPS_PORT) {
+ new_port = service->gc_port;
+ } else {
+ new_port = fo_get_server_port(server);
+ new_port = (new_port == 0) ? service->gc_port : new_port;
+ }
service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
new_uri, new_port);
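Review bot: When the LDAPS scheme is in use, the port returned by `fo_get_server_port(server)` is discarded and `AD_GC_LDAPS_PORT` is used unconditionally, whereas the plain-LDAP branch still honours a non-zero failover port; nothing in the hunk documents this asymmetry. If it is intentional (a port carried by the failover server presumably describes the LDAP listener rather than the GC one), a comment such as `/* With LDAPS the GC is always reached on AD_GC_LDAPS_PORT; a port attached to the failover server refers to the LDAP listener, so it is not reused here. */` would keep the next reader from "fixing" it. The condition `service->gc_port == AD_GC_LDAPS_PORT` also uses a port number as a proxy for the scheme; testing `service->ldap_scheme` or a dedicated flag would state the intent directly. The enclosing function continues outside the hunk.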
@@ -1005,6 +1021,23 @@
return;
}
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)
+{
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to set SASL minssf for ldaps usage, ignored.\n");
+ }
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to set SASL maxssf for ldaps usage, ignored.\n");
+ }
+}
+
static errno_t
ad_set_sdap_options(struct ad_options *ad_opts,
struct sdap_options *id_opts)
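Review bot: `ad_set_ssf_for_ldaps()` overwrites whatever `ldap_sasl_minssf`/`ldap_sasl_maxssf` the administrator configured, and the only trace of that is an `SSSDBG_TRACE_ALL` line, so an operator investigating why a bind ends up with no SASL security layer will not see the cause. Consider reading the current values with `dp_opt_get_int` first and logging at `SSSDBG_CONF_SETTINGS` when a non-zero value is being replaced, and give the function a header comment stating the rationale that the man page hunk in this patch already gives: AD does not accept a second encryption layer on an LDAPS connection, so the SASL layer is forced off and confidentiality then rests on TLS alone. The two `dp_opt_set_int` failures are logged as "ignored"; if the maxssf set fails the connection presumably proceeds with the previous value, which the comment should say as well. `ad_set_sdap_options` at the end of the hunk continues outside it.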
@@ -1063,6 +1096,10 @@
goto done;
}
+ if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {
+ ad_set_ssf_for_ldaps(id_opts);
+ }
+
/* Warn if the user is doing something silly like overriding the schema
* with the AD provider
*/
@@ -1479,9 +1516,26 @@
const char *parent_val = NULL;
char *dummy = NULL;
char *option_list[2] = { NULL, NULL };
+ bool is_default = true;
+
+ switch (parent_opts[opt_id].type) {
+ case DP_OPT_STRING:
+ parent_val = dp_opt_get_cstring(parent_opts, opt_id);
+ break;
+ case DP_OPT_BOOL:
+ /* For booleans it is hard to say if the option is set or not since
+ * both possible values are valid ones. So we check if the value is
+ * different from the default and skip if it is the default. In this
+ * case the sub-domain option would either be the default as well or
+ * manully set and in both cases we do not have to change it. */
+ is_default = (parent_opts[opt_id].val.boolean
+ == parent_opts[opt_id].def_val.boolean);
+ break;
+ default:
+ DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n");
+ }
- parent_val = dp_opt_get_cstring(parent_opts, opt_id);
- if (parent_val != NULL) {
+ if (parent_val != NULL || !is_default) {
ret = confdb_get_string(cdb, NULL, subdom_conf_path,
parent_opts[opt_id].opt_name, NULL, &dummy);
if (ret != EOK) {
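Review bot: In the new `switch` the `default:` branch only logs at `SSSDBG_TRACE_FUNC` and has no terminating `break;`; because it leaves `parent_val` NULL and `is_default` true, a `DP_OPT_NUMBER` option passed to this helper is quietly never inherited, which a `break;` plus a `SSSDBG_CONF_SETTINGS`-level message would make visible. The `is_default` heuristic also cannot tell an administrator explicitly setting the boolean to its default apart from leaving it unset, which the comment should state outright (the comment also has a typo: "manully" → "manually"). The part of the function that actually copies the value into the sub-domain options lies outside the hunk, so I cannot confirm the copy path is type-aware; it needs to handle `DP_OPT_BOOL` rather than assuming a string value.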
diff -urN sssd-2.2.3/src/providers/ad/ad_common.h sssd-2.2.3/src/providers/ad/ad_common.h
--- sssd-2.2.3/src/providers/ad/ad_common.h 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ad/ad_common.h 2020-04-27 10:41:31.275949475 +0200
@@ -29,7 +29,8 @@
#define AD_SERVICE_NAME "AD"
#define AD_GC_SERVICE_NAME "AD_GC"
/* The port the Global Catalog runs on */
-#define AD_GC_PORT 3268
+#define AD_GC_PORT 3268
+#define AD_GC_LDAPS_PORT 3269
#define AD_AT_OBJECT_SID "objectSID"
#define AD_AT_DNS_DOMAIN "DnsDomain"
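Review bot: `AD_GC_PORT` is 3268 and the new `AD_GC_LDAPS_PORT` is 3269, but the `sssd-ad.5.xml` hunk in this same patch documents the Global Catalog ports as 3628 and 3629; the defines match the well-known GC ports, so the man page text is the one to correct. A comment on the new define, e.g. `#define AD_GC_LDAPS_PORT 3269 /* Global Catalog over TLS (LDAPS) */`, would mirror the existing comment on `AD_GC_PORT`, which this hunk otherwise only re-indents.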
@@ -67,6 +68,7 @@
AD_KRB5_CONFD_PATH,
AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
+ AD_USE_LDAPS,
AD_OPTS_BASIC /* opts counter */
};
@@ -82,6 +84,9 @@
struct sdap_service *sdap;
struct sdap_service *gc;
struct krb5_service *krb5_service;
+ const char *ldap_scheme;
+ int port;
+ int gc_port;
};
struct ad_options {
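Review bot: The three new `ad_service` members carry no comment, and their ownership and meaning are only discoverable from `ad_common.c`, where `ldap_scheme` is assigned string literals and `port`/`gc_port` receive the defaults selected by `ad_use_ldaps`. Suggested comments: `const char *ldap_scheme; /* "ldap" or "ldaps"; points at a string literal, not talloc-owned */`, `int port; /* LDAP_PORT or LDAPS_PORT, chosen by ad_use_ldaps */`, `int gc_port; /* AD_GC_PORT or AD_GC_LDAPS_PORT, chosen by ad_use_ldaps */`.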
@@ -147,6 +152,7 @@
const char *ad_gc_service,
const char *ad_domain,
bool use_kdcinfo,
+ bool ad_use_ldaps,
size_t n_lookahead_primary,
size_t n_lookahead_backup,
struct ad_service **_service);
@@ -175,6 +181,8 @@
ad_get_dyndns_options(struct be_ctx *be_ctx,
struct ad_options *ad_opts);
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);
+
struct ad_id_ctx *
ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx);
diff -urN sssd-2.2.3/src/providers/ad/ad_init.c sssd-2.2.3/src/providers/ad/ad_init.c
--- sssd-2.2.3/src/providers/ad/ad_init.c 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ad/ad_init.c 2020-04-27 10:36:23.399297106 +0200
@@ -138,6 +138,7 @@
char *ad_servers = NULL;
char *ad_backup_servers = NULL;
char *ad_realm;
+ bool ad_use_ldaps = false;
errno_t ret;
ad_sasl_initialize();
@@ -154,12 +155,14 @@
ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
/* Set up the failover service */
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
dp_opt_get_string(ad_options->basic, AD_DOMAIN),
false, /* will be set in ad_get_auth_options() */
+ ad_use_ldaps,
(size_t) -1,
(size_t) -1,
&ad_options->service);
@@ -184,11 +187,13 @@
const char *ad_site_override;
bool sites_enabled;
errno_t ret;
+ bool ad_use_ldaps;
hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
if (!sites_enabled) {
@@ -205,7 +210,8 @@
srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
default_host_dbs, ad_options->id,
hostname, ad_domain,
- ad_site_override);
+ ad_site_override,
+ ad_use_ldaps);
if (srv_ctx == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
return ENOMEM;
diff -urN sssd-2.2.3/src/providers/ad/ad_opts.c sssd-2.2.3/src/providers/ad/ad_opts.c
--- sssd-2.2.3/src/providers/ad/ad_opts.c 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ad/ad_opts.c 2020-04-27 10:42:13.541206135 +0200
@@ -54,6 +54,7 @@
{ "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
{ "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
{ "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
+ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
DP_OPTION_TERMINATOR
};
@@ -104,6 +105,7 @@
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
diff -urN sssd-2.2.3/src/providers/ad/ad_srv.c sssd-2.2.3/src/providers/ad/ad_srv.c
--- sssd-2.2.3/src/providers/ad/ad_srv.c 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ad/ad_srv.c 2020-04-27 10:36:23.399297106 +0200
@@ -244,6 +244,7 @@
enum host_database *host_db;
struct sdap_options *opts;
const char *ad_domain;
+ bool ad_use_ldaps;
struct fo_server_info *dcs;
size_t num_dcs;
size_t dc_index;
@@ -264,6 +265,7 @@
enum host_database *host_db,
struct sdap_options *opts,
const char *ad_domain,
+ bool ad_use_ldaps,
struct fo_server_info *dcs,
size_t num_dcs)
{
@@ -288,6 +290,7 @@
state->host_db = host_db;
state->opts = opts;
state->ad_domain = ad_domain;
+ state->ad_use_ldaps = ad_use_ldaps;
state->dcs = dcs;
state->num_dcs = num_dcs;
@@ -331,8 +334,11 @@
subreq = sdap_connect_host_send(state, state->ev, state->opts,
state->be_res->resolv,
state->be_res->family_order,
- state->host_db, "ldap", state->dc.host,
- state->dc.port, false);
+ state->host_db,
+ state->ad_use_ldaps ? "ldaps" : "ldap",
+ state->dc.host,
+ state->ad_use_ldaps ? 636 : state->dc.port,
+ false);
if (subreq == NULL) {
ret = ENOMEM;
goto done;
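Review bot: The LDAPS port is spelled as the literal `636` here while `ad_common.c` in the same patch uses `LDAPS_PORT` for the same decision; `state->ad_use_ldaps ? LDAPS_PORT : state->dc.port` keeps the two in step, assuming the OpenLDAP header that defines it is already reachable in this file (it is used in `ad_common.c`, so presumably via the shared sdap headers). Note that with LDAPS the port from the discovered DC record (`state->dc.port`) is dropped, consistent with the GC handling in `ad_common.c`; a one-line comment saying that is deliberate would help. The enclosing function continues outside the hunk.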
@@ -491,6 +497,7 @@
const char *ad_domain;
const char *ad_site_override;
const char *current_site;
+ bool ad_use_ldaps;
};
struct ad_srv_plugin_ctx *
@@ -501,7 +508,8 @@
struct sdap_options *opts,
const char *hostname,
const char *ad_domain,
- const char *ad_site_override)
+ const char *ad_site_override,
+ bool ad_use_ldaps)
{
struct ad_srv_plugin_ctx *ctx = NULL;
errno_t ret;
@@ -515,6 +523,7 @@
ctx->be_res = be_res;
ctx->host_dbs = host_dbs;
ctx->opts = opts;
+ ctx->ad_use_ldaps = ad_use_ldaps;
ctx->hostname = talloc_strdup(ctx, hostname);
if (ctx->hostname == NULL) {
@@ -714,6 +723,7 @@
state->ctx->host_dbs,
state->ctx->opts,
state->discovery_domain,
+ state->ctx->ad_use_ldaps,
dcs, num_dcs);
if (subreq == NULL) {
ret = ENOMEM;
diff -urN sssd-2.2.3/src/providers/ad/ad_srv.h sssd-2.2.3/src/providers/ad/ad_srv.h
--- sssd-2.2.3/src/providers/ad/ad_srv.h 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ad/ad_srv.h 2020-04-27 10:36:23.399297106 +0200
@@ -31,7 +31,8 @@
struct sdap_options *opts,
const char *hostname,
const char *ad_domain,
- const char *ad_site_override);
+ const char *ad_site_override,
+ bool ad_use_ldaps);
struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
diff -urN sssd-2.2.3/src/providers/ad/ad_subdomains.c sssd-2.2.3/src/providers/ad/ad_subdomains.c
--- sssd-2.2.3/src/providers/ad/ad_subdomains.c 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ad/ad_subdomains.c 2020-04-27 10:36:23.407297162 +0200
@@ -282,6 +282,7 @@
bool use_kdcinfo = false;
size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;
size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;
+ bool ad_use_ldaps = false;
realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
@@ -312,6 +313,25 @@
return ENOMEM;
}
+ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,
+ ad_options->basic,
+ be_ctx->cdb, subdom_conf_path,
+ AD_USE_LDAPS);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to inherit option [%s] to sub-domain [%s]. "
+ "This error is ignored but might cause issues or unexpected "
+ "behavior later on.\n",
+ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,
+ subdom->name);
+
+ return ret;
+ }
+
+ if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {
+ ad_set_ssf_for_ldaps(ad_options->id);
+ }
+
ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
ad_options->id->basic,
be_ctx->cdb, subdom_conf_path,
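Review bot: The new error path logs "This error is ignored but might cause issues ..." and then immediately does `return ret;`, so the message and the behaviour contradict each other; either drop the `return ret;` to really ignore the failure (the option would then stay at its `BOOL_FALSE` default) or reword the message to say that sub-domain setup is aborted. Separately, `ad_set_ssf_for_ldaps(ad_options->id)` runs before the `ad_inherit_opts_if_needed` call for the sdap options that follows; if that later call (its option id is outside the hunk) ever copies SASL SSF settings from the parent, it would undo the zeroing, so the ordering deserves either a check or a comment. The enclosing function extends beyond the hunk.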
@@ -344,6 +364,7 @@
servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
if (id_ctx->ad_options->auth_ctx != NULL
&& id_ctx->ad_options->auth_ctx->opts != NULL) {
@@ -362,7 +383,7 @@
ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
subdom->realm, service_name, gc_service_name,
- subdom->name, use_kdcinfo,
+ subdom->name, use_kdcinfo, ad_use_ldaps,
n_lookahead_primary,
n_lookahead_backup,
&ad_options->service);
@@ -386,7 +407,7 @@
ad_id_ctx->ad_options->id,
hostname,
ad_domain,
- ad_site_override);
+ ad_site_override, ad_use_ldaps);
if (srv_ctx == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
return ENOMEM;
diff -urN sssd-2.2.3/src/providers/ipa/ipa_opts.c sssd-2.2.3/src/providers/ipa/ipa_opts.c
--- sssd-2.2.3/src/providers/ipa/ipa_opts.c 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ipa/ipa_opts.c 2020-04-27 10:36:23.407297162 +0200
@@ -114,6 +114,7 @@
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER },
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
diff -urN sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c
--- sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c 2020-04-27 10:36:23.403297134 +0200
@@ -319,7 +319,7 @@
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
subdom->realm,
service_name, gc_service_name,
- subdom->name, use_kdcinfo,
+ subdom->name, use_kdcinfo, false,
n_lookahead_primary, n_lookahead_backup,
&ad_options->service);
if (ret != EOK) {
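Review bot: `ad_failover_init` is called with a bare `false` for the new `ad_use_ldaps` parameter, and the hunk at line 344 does the same for `ad_srv_plugin_ctx_init`, so in IPA server mode trusted AD domains can never use LDAPS and a reader must consult the prototype to learn what the literal means. A named local, `bool ad_use_ldaps = false; /* LDAPS is not configurable for IPA-trusted AD domains */`, passed in both calls would record that limitation where it is applied. Both enclosing functions continue outside their hunks.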
@@ -344,7 +344,7 @@
ad_id_ctx->ad_options->id,
id_ctx->server_mode->hostname,
ad_domain,
- ad_site_override);
+ ad_site_override, false);
if (srv_ctx == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
return ENOMEM;
diff -urN sssd-2.2.3/src/providers/ldap/ldap_opts.c sssd-2.2.3/src/providers/ldap/ldap_opts.c
--- sssd-2.2.3/src/providers/ldap/ldap_opts.c 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ldap/ldap_opts.c 2020-04-27 10:36:23.407297162 +0200
@@ -74,6 +74,7 @@
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
diff -urN sssd-2.2.3/src/providers/ldap/sdap_async_connection.c sssd-2.2.3/src/providers/ldap/sdap_async_connection.c
--- sssd-2.2.3/src/providers/ldap/sdap_async_connection.c 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ldap/sdap_async_connection.c 2020-04-27 10:36:23.407297162 +0200
@@ -148,6 +148,8 @@
const char *sasl_mech;
int sasl_minssf;
ber_len_t ber_sasl_minssf;
+ int sasl_maxssf;
+ ber_len_t ber_sasl_maxssf;
ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
talloc_zfree(subreq);
@@ -291,6 +293,18 @@
goto fail;
}
}
+
+ sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF);
+ if (sasl_maxssf >= 0) {
+ ber_sasl_maxssf = (ber_len_t)sasl_maxssf;
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX,
+ &ber_sasl_maxssf);
+ if (lret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option "
+ "to %d\n", sasl_maxssf);
+ goto fail;
+ }
+ }
}
/* if we do not use start_tls the connection is not really connected yet
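Review bot: There is no check that the new `ldap_sasl_maxssf` is not lower than `ldap_sasl_minssf`; if it is, the SASL bind will presumably fail later with a generic error rather than a configuration-level message. Assuming `sasl_minssf` holds the value read from `SDAP_SASL_MINSSF` earlier in this function (its declaration is visible in the previous hunk), a check before the `ldap_set_option` call would surface the misconfiguration: `if (sasl_minssf >= 0 && sasl_maxssf < sasl_minssf) { DEBUG(SSSDBG_CONF_SETTINGS, "SASL maxssf [%d] is lower than minssf [%d].\n", sasl_maxssf, sasl_minssf); }`. A `maxssf` of 0 disables the SASL security layer entirely, so when it is configured on a connection that uses neither LDAPS nor start_tls the session carries no integrity or confidentiality protection; a `SSSDBG_CONF_SETTINGS` log in that case would help operators notice. The enclosing function continues outside the hunk.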
diff -urN sssd-2.2.3/src/providers/ldap/sdap.h sssd-2.2.3/src/providers/ldap/sdap.h
--- sssd-2.2.3/src/providers/ldap/sdap.h 2019-11-30 23:00:25.000000000 +0100
+++ sssd-2.2.3/src/providers/ldap/sdap.h 2020-04-27 10:36:23.407297162 +0200
@@ -192,6 +192,7 @@
SDAP_SASL_AUTHID,
SDAP_SASL_REALM,
SDAP_SASL_MINSSF,
+ SDAP_SASL_MAXSSF,
SDAP_KRB5_KEYTAB,
SDAP_KRB5_KINIT,
SDAP_KRB5_KDC,