diff -u sssd-2.2.3/debian/changelog sssd-2.2.3/debian/changelog
--- sssd-2.2.3/debian/changelog
+++ sssd-2.2.3/debian/changelog
@@ -1,3 +1,14 @@
+sssd (2.2.3-3ubuntu1) focal; urgency=medium
+
+ * Enable support for "ad_use_ldaps" for new Active Directory
+ requirement ADV190023 (LP: #1868703):
+ - d/p/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
+ - d/p/lp-1868703-02-ad-add-ad_use_ldaps.patch
+ - d/p/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
+ - d/p/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
+
+ -- Matthew Ruffell Tue, 10 Nov 2020 11:59:08 +1300
+
 sssd (2.2.3-3) unstable; urgency=medium
 * libnss-sss: Fix a typo in adding the NSS entry for automount.
diff -u sssd-2.2.3/debian/patches/series sssd-2.2.3/debian/patches/series
--- sssd-2.2.3/debian/patches/series
+++ sssd-2.2.3/debian/patches/series
@@ -2,3 +2,7 @@
 fix-whitespace-test.diff
 default-to-socket-activated-services.diff
 fix-946847.diff
+lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
+lp-1868703-02-ad-add-ad_use_ldaps.patch
+lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
+lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
only in patch2:
unchanged:
--- sssd-2.2.3.orig/debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
+++ sssd-2.2.3/debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
@@ -0,0 +1,40 @@
+Description: ad: allow booleans for ad_inherit_opts_if_needed()
+Author: Sumit Bose
+From: Matthew Ruffell
+Origin: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
+Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
+Bug-Ubuntu: https://launchpad.net/bugs/1868703
+
+Index: sssd-2.2.3/src/providers/ad/ad_common.c
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ad/ad_common.c 2020-10-12 17:03:20.688186858 +1300
++++ sssd-2.2.3/src/providers/ad/ad_common.c 2020-10-12 17:03:20.684186803 +1300
+@@ -1479,9 +1479,26 @@
+ const char *parent_val = NULL;
+ char *dummy = NULL;
+ char *option_list[2] = { NULL, NULL };
++ bool is_default = true;
+
+- parent_val = dp_opt_get_cstring(parent_opts, opt_id);
+- if (parent_val != NULL) {
++ switch (parent_opts[opt_id].type) {
++ case DP_OPT_STRING:
++ parent_val = dp_opt_get_cstring(parent_opts, opt_id);
++ break;
++ case DP_OPT_BOOL:
++ /* For booleans it is hard to say if the option is set or not since
++ * both possible values are valid ones. So we check if the value is
++ * different from the default and skip if it is the default. In this
++ * case the sub-domain option would either be the default as well or
++ * manully set and in both cases we do not have to change it. */
++ is_default = (parent_opts[opt_id].val.boolean
++ == parent_opts[opt_id].def_val.boolean);
++ break;
++ default:
++ DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n");
++ }
++
++ if (parent_val != NULL || !is_default) {
+ ret = confdb_get_string(cdb, NULL, subdom_conf_path,
+ parent_opts[opt_id].opt_name, NULL, &dummy);
+ if (ret != EOK) {
only in patch2:
unchanged:
--- sssd-2.2.3.orig/debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch
+++ sssd-2.2.3/debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch
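Review bot: The `default:` arm of the new switch in ad_inherit_opts_if_needed() leaves parent_val NULL and is_default true, so a call with any option type other than string or bool silently performs no inheritance and leaves only a TRACE_FUNC line that does not even name the option; the same series later adds integer options to these tables, so that quiet skip is easy to hit by mistake. Consider `DEBUG(SSSDBG_MINOR_FAILURE, "Unsupported type for option [%s], skipping.\n", parent_opts[opt_id].opt_name);` so a mis-typed call is visible at a normal debug level. The comment in the DP_OPT_BOOL arm has a typo, `manully` should read `manually`. The function starts and ends outside the inner hunk, so the code that consumes parent_val and is_default for the bool case is not visible here.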
@@ -0,0 +1,412 @@
+Description: ad: add ad_use_ldaps
+Author: Sumit Bose
+From: Matthew Ruffell
+Origin: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
+Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
+Bug-Ubuntu: https://launchpad.net/bugs/1868703
+
+Index: sssd-2.2.3/src/config/SSSDConfig/__init__.py.in
+===================================================================
+--- sssd-2.2.3.orig/src/config/SSSDConfig/__init__.py.in 2020-10-12 17:03:42.800491430 +1300
++++ sssd-2.2.3/src/config/SSSDConfig/__init__.py.in 2020-10-12 17:03:42.796491375 +1300
+@@ -252,6 +252,7 @@
+ 'ad_site' : _('a particular site to be used by the client'),
+ 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
+ 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
++ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
+
+ # [provider/krb5]
+ 'krb5_kdcip' : _('Kerberos server address'),
+Index: sssd-2.2.3/src/config/cfg_rules.ini
+===================================================================
+--- sssd-2.2.3.orig/src/config/cfg_rules.ini 2020-10-12 17:03:42.800491430 +1300
++++ sssd-2.2.3/src/config/cfg_rules.ini 2020-10-12 17:03:42.796491375 +1300
+@@ -464,6 +464,7 @@
+ option = ad_maximum_machine_account_password_age
+ option = ad_server
+ option = ad_site
++option = ad_use_ldaps
+
+ # IPA provider specific options
+ option = ipa_anchor_uuid
+Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf
+===================================================================
+--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-12 17:03:42.800491430 +1300
++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-12 17:03:42.796491375 +1300
+@@ -20,6 +20,7 @@
+ ad_site = str, None, false
+ ad_maximum_machine_account_password_age = int, None, false
+
ad_machine_account_password_renewal_opts = str, None, false ++ad_use_ldaps = bool, None, false + ldap_uri = str, None, false + ldap_backup_uri = str, None, false + ldap_search_base = str, None, false +Index: sssd-2.2.3/src/man/sssd-ad.5.xml +=================================================================== +--- sssd-2.2.3.orig/src/man/sssd-ad.5.xml 2020-10-12 17:03:42.800491430 +1300 ++++ sssd-2.2.3/src/man/sssd-ad.5.xml 2020-10-12 17:03:42.796491375 +1300 +@@ -1016,6 +1016,26 @@ + + + ++ ad_use_ldaps (bool) ++ ++ ++ By default SSSD uses the plain LDAP port 389 and the ++ Global Catalog port 3628. If this option is set to ++ True SSSD will use the LDAPS port 636 and Global ++ Catalog port 3629 with LDAPS protection. Since AD ++ does not allow to have multiple encryption layers on ++ a single connection and we still want to use ++ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication ++ the SASL security property maxssf is set to 0 (zero) ++ for those connections. ++ ++ ++ Default: False ++ ++ ++ ++ ++ + dyndns_update (boolean) + + +Index: sssd-2.2.3/src/providers/ad/ad_common.c +=================================================================== +--- sssd-2.2.3.orig/src/providers/ad/ad_common.c 2020-10-12 17:03:42.800491430 +1300 ++++ sssd-2.2.3/src/providers/ad/ad_common.c 2020-10-12 17:03:42.796491375 +1300 +@@ -729,6 +729,7 @@ + const char *ad_gc_service, + const char *ad_domain, + bool use_kdcinfo, ++ bool ad_use_ldaps, + size_t n_lookahead_primary, + size_t n_lookahead_backup, + struct ad_service **_service) +@@ -746,6 +747,16 @@ + goto done; + } + ++ if (ad_use_ldaps) { ++ service->ldap_scheme = "ldaps"; ++ service->port = LDAPS_PORT; ++ service->gc_port = AD_GC_LDAPS_PORT; ++ } else { ++ service->ldap_scheme = "ldap"; ++ service->port = LDAP_PORT; ++ service->gc_port = AD_GC_PORT; ++ } ++ + service->sdap = talloc_zero(service, struct sdap_service); + service->gc = talloc_zero(service, struct sdap_service); + if (!service->sdap || !service->gc) { +@@ -927,7 
+938,8 @@
+ goto done;
+ }
+
+- new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
++ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,
++ srv_name);
+ if (!new_uri) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
+ ret = ENOMEM;
+@@ -935,7 +947,7 @@
+ }
+ DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
+
+- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
++ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);
+ if (sockaddr == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
+ ret = EIO;
+@@ -951,8 +963,12 @@
+ talloc_zfree(service->gc->uri);
+ talloc_zfree(service->gc->sockaddr);
+ if (sdata && sdata->gc) {
+- new_port = fo_get_server_port(server);
+- new_port = (new_port == 0) ? AD_GC_PORT : new_port;
++ if (service->gc_port == AD_GC_LDAPS_PORT) {
++ new_port = service->gc_port;
++ } else {
++ new_port = fo_get_server_port(server);
++ new_port = (new_port == 0) ?
service->gc_port : new_port;
++ }
+
+ service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
+ new_uri, new_port);
+Index: sssd-2.2.3/src/providers/ad/ad_common.h
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ad/ad_common.h 2020-10-12 17:03:42.800491430 +1300
++++ sssd-2.2.3/src/providers/ad/ad_common.h 2020-10-12 17:03:42.796491375 +1300
+@@ -29,7 +29,8 @@
+ #define AD_SERVICE_NAME "AD"
+ #define AD_GC_SERVICE_NAME "AD_GC"
+ /* The port the Global Catalog runs on */
+-#define AD_GC_PORT 3268
++#define AD_GC_PORT 3268
++#define AD_GC_LDAPS_PORT 3269
+
+ #define AD_AT_OBJECT_SID "objectSID"
+ #define AD_AT_DNS_DOMAIN "DnsDomain"
+@@ -67,6 +68,7 @@
+ AD_KRB5_CONFD_PATH,
+ AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
+ AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
++ AD_USE_LDAPS,
+
+ AD_OPTS_BASIC /* opts counter */
+ };
+@@ -82,6 +84,9 @@
+ struct sdap_service *sdap;
+ struct sdap_service *gc;
+ struct krb5_service *krb5_service;
++ const char *ldap_scheme;
++ int port;
++ int gc_port;
+ };
+
+ struct ad_options {
+@@ -147,6 +152,7 @@
+ const char *ad_gc_service,
+ const char *ad_domain,
+ bool use_kdcinfo,
++ bool ad_use_ldaps,
+ size_t n_lookahead_primary,
+ size_t n_lookahead_backup,
+ struct ad_service **_service);
+Index: sssd-2.2.3/src/providers/ad/ad_init.c
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ad/ad_init.c 2020-10-12 17:03:42.800491430 +1300
++++ sssd-2.2.3/src/providers/ad/ad_init.c 2020-10-12 17:03:42.796491375 +1300
+@@ -138,6 +138,7 @@
+ char *ad_servers = NULL;
+ char *ad_backup_servers = NULL;
+ char *ad_realm;
++ bool ad_use_ldaps = false;
+ errno_t ret;
+
+ ad_sasl_initialize();
+@@ -154,12 +155,14 @@
+ ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
+ ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
+ ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
++ ad_use_ldaps =
dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
+
+ /* Set up the failover service */
+ ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
+ ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
+ dp_opt_get_string(ad_options->basic, AD_DOMAIN),
+ false, /* will be set in ad_get_auth_options() */
++ ad_use_ldaps,
+ (size_t) -1,
+ (size_t) -1,
+ &ad_options->service);
+@@ -184,11 +187,13 @@
+ const char *ad_site_override;
+ bool sites_enabled;
+ errno_t ret;
++ bool ad_use_ldaps;
+
+ hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
+ ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
+ ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
+ sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
++ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
+
+
+ if (!sites_enabled) {
+@@ -205,7 +210,8 @@
+ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
+ default_host_dbs, ad_options->id,
+ hostname, ad_domain,
+- ad_site_override);
++ ad_site_override,
++ ad_use_ldaps);
+ if (srv_ctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
+ return ENOMEM;
+Index: sssd-2.2.3/src/providers/ad/ad_opts.c
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ad/ad_opts.c 2020-10-12 17:03:42.800491430 +1300
++++ sssd-2.2.3/src/providers/ad/ad_opts.c 2020-10-12 17:03:42.796491375 +1300
+@@ -54,6 +54,7 @@
+ { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
+ { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
+ { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
++ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ DP_OPTION_TERMINATOR
+ };
+
+Index: sssd-2.2.3/src/providers/ad/ad_srv.c
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ad/ad_srv.c 2020-10-12
17:03:42.800491430 +1300
++++ sssd-2.2.3/src/providers/ad/ad_srv.c 2020-10-12 17:03:42.796491375 +1300
+@@ -244,6 +244,7 @@
+ enum host_database *host_db;
+ struct sdap_options *opts;
+ const char *ad_domain;
++ bool ad_use_ldaps;
+ struct fo_server_info *dcs;
+ size_t num_dcs;
+ size_t dc_index;
+@@ -264,6 +265,7 @@
+ enum host_database *host_db,
+ struct sdap_options *opts,
+ const char *ad_domain,
++ bool ad_use_ldaps,
+ struct fo_server_info *dcs,
+ size_t num_dcs)
+ {
+@@ -288,6 +290,7 @@
+ state->host_db = host_db;
+ state->opts = opts;
+ state->ad_domain = ad_domain;
++ state->ad_use_ldaps = ad_use_ldaps;
+ state->dcs = dcs;
+ state->num_dcs = num_dcs;
+
+@@ -331,8 +334,11 @@
+ subreq = sdap_connect_host_send(state, state->ev, state->opts,
+ state->be_res->resolv,
+ state->be_res->family_order,
+- state->host_db, "ldap", state->dc.host,
+- state->dc.port, false);
++ state->host_db,
++ state->ad_use_ldaps ? "ldaps" : "ldap",
++ state->dc.host,
++ state->ad_use_ldaps ? 636 : state->dc.port,
++ false);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+@@ -491,6 +497,7 @@
+ const char *ad_domain;
+ const char *ad_site_override;
+ const char *current_site;
++ bool ad_use_ldaps;
+ };
+
+ struct ad_srv_plugin_ctx *
+@@ -501,7 +508,8 @@
+ struct sdap_options *opts,
+ const char *hostname,
+ const char *ad_domain,
+- const char *ad_site_override)
++ const char *ad_site_override,
++ bool ad_use_ldaps)
+ {
+ struct ad_srv_plugin_ctx *ctx = NULL;
+ errno_t ret;
+@@ -515,6 +523,7 @@
+ ctx->be_res = be_res;
+ ctx->host_dbs = host_dbs;
+ ctx->opts = opts;
++ ctx->ad_use_ldaps = ad_use_ldaps;
+
+ ctx->hostname = talloc_strdup(ctx, hostname);
+ if (ctx->hostname == NULL) {
+@@ -714,6 +723,7 @@
+ state->ctx->host_dbs,
+ state->ctx->opts,
+ state->discovery_domain,
++ state->ctx->ad_use_ldaps,
+ dcs, num_dcs);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+Index: sssd-2.2.3/src/providers/ad/ad_srv.h
+===================================================================
+---
sssd-2.2.3.orig/src/providers/ad/ad_srv.h 2020-10-12 17:03:42.800491430 +1300
++++ sssd-2.2.3/src/providers/ad/ad_srv.h 2020-10-12 17:03:42.796491375 +1300
+@@ -31,7 +31,8 @@
+ struct sdap_options *opts,
+ const char *hostname,
+ const char *ad_domain,
+- const char *ad_site_override);
++ const char *ad_site_override,
++ bool ad_use_ldaps);
+
+ struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+Index: sssd-2.2.3/src/providers/ad/ad_subdomains.c
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ad/ad_subdomains.c 2020-10-12 17:03:42.800491430 +1300
++++ sssd-2.2.3/src/providers/ad/ad_subdomains.c 2020-10-12 17:03:42.800491430 +1300
+@@ -282,6 +282,7 @@
+ bool use_kdcinfo = false;
+ size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;
+ size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;
++ bool ad_use_ldaps = false;
+
+ realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
+ hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
+@@ -312,6 +313,21 @@
+ return ENOMEM;
+ }
+
++ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,
++ ad_options->basic,
++ be_ctx->cdb, subdom_conf_path,
++ AD_USE_LDAPS);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Failed to inherit option [%s] to sub-domain [%s].
"
++ "This error is ignored but might cause issues or unexpected "
++ "behavior later on.\n",
++ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,
++ subdom->name);
++
++ return ret;
++ }
++
+ ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
+ ad_options->id->basic,
+ be_ctx->cdb, subdom_conf_path,
+@@ -344,6 +360,7 @@
+
+ servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
+ backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
++ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
+
+ if (id_ctx->ad_options->auth_ctx != NULL
+ && id_ctx->ad_options->auth_ctx->opts != NULL) {
+@@ -362,7 +379,7 @@
+
+ ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
+ subdom->realm, service_name, gc_service_name,
+- subdom->name, use_kdcinfo,
++ subdom->name, use_kdcinfo, ad_use_ldaps,
+ n_lookahead_primary,
+ n_lookahead_backup,
+ &ad_options->service);
+@@ -386,7 +403,7 @@
+ ad_id_ctx->ad_options->id,
+ hostname,
+ ad_domain,
+- ad_site_override);
++ ad_site_override, ad_use_ldaps);
+ if (srv_ctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
+ return ENOMEM;
+Index: sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ipa/ipa_subdomains_server.c 2020-10-12 17:03:42.800491430 +1300
++++ sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c 2020-10-12 17:03:42.800491430 +1300
+@@ -319,7 +319,7 @@
+ ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
+ subdom->realm,
+ service_name, gc_service_name,
+- subdom->name, use_kdcinfo,
++ subdom->name, use_kdcinfo, false,
+ n_lookahead_primary, n_lookahead_backup,
+ &ad_options->service);
+ if (ret != EOK) {
+@@ -344,7 +344,7 @@
+ ad_id_ctx->ad_options->id,
+ id_ctx->server_mode->hostname,
+ ad_domain,
+- ad_site_override);
++ ad_site_override, false);
+ if (srv_ctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
+ return ENOMEM;
only in patch2:
unchanged:
--- sssd-2.2.3.orig/debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
+++ sssd-2.2.3/debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
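Review bot: In the ad_subdomains.c part, the error path after the new ad_inherit_opts_if_needed(..., AD_USE_LDAPS) call logs "This error is ignored but might cause issues or unexpected behavior later on" and then executes `return ret;`, so the message contradicts the control flow. Returning is the right choice here, since a sub-domain must not quietly fall back to plain LDAP when the parent domain asked for LDAPS, so the text should be corrected instead: `"Failed to inherit option [%s] to sub-domain [%s].\n"`. In the ad_srv.c part, `state->ad_use_ldaps ? 636 : state->dc.port` hard-codes the port that ad_common.c spells as LDAPS_PORT; `state->ad_use_ldaps ? LDAPS_PORT : state->dc.port,` keeps the two sites consistent. With ad_use_ldaps set, the port from the SRV record (dc.port) and the failover server port for the GC (fo_get_server_port) are both deliberately ignored in favour of the fixed LDAPS ports, which deserves a one-line comment at each site so it is not read as an oversight. All of the touched functions start and end outside their inner hunks.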
@@ -0,0 +1,174 @@
+Description: ldap: add new option ldap_sasl_maxssf
+Author: Sumit Bose
+From: Matthew Ruffell
+Origin: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
+Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
+Bug-Ubuntu: https://launchpad.net/bugs/1868703
+
+Index: sssd-2.2.3/src/config/SSSDConfig/__init__.py.in
+===================================================================
+--- sssd-2.2.3.orig/src/config/SSSDConfig/__init__.py.in 2020-10-12 17:03:58.900712608 +1300
++++ sssd-2.2.3/src/config/SSSDConfig/__init__.py.in 2020-10-12 17:03:58.896712553 +1300
+@@ -305,6 +305,7 @@
+ 'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
+ 'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
+ 'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
++ 'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'),
+ 'ldap_krb5_keytab' : _('Kerberos service keytab'),
+ 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
+ 'ldap_referrals' : _('Follow LDAP referrals'),
+Index: sssd-2.2.3/src/config/cfg_rules.ini
+===================================================================
+--- sssd-2.2.3.orig/src/config/cfg_rules.ini 2020-10-12 17:03:58.900712608 +1300
++++ sssd-2.2.3/src/config/cfg_rules.ini 2020-10-12 17:03:58.896712553 +1300
+@@ -663,6 +663,7 @@
+ option = ldap_sasl_canonicalize
+ option = ldap_sasl_mech
+ option = ldap_sasl_minssf
++option = ldap_sasl_maxssf
+ option = ldap_schema
+ option = ldap_pwmodify_mode
+ option = ldap_search_base
+Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf
+===================================================================
+--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-12 17:03:58.900712608 +1300
++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-12 17:03:58.896712553 +1300
+@@ -41,6 +41,7 @@
+ ldap_sasl_mech = str, None, false
+
ldap_sasl_authid = str, None, false + ldap_sasl_minssf = int, None, false ++ldap_sasl_maxssf = int, None, false + krb5_kdcip = str, None, false + krb5_server = str, None, false + krb5_backup_server = str, None, false +Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf +=================================================================== +--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ipa.conf 2020-10-12 17:03:58.900712608 +1300 ++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf 2020-10-12 17:03:58.896712553 +1300 +@@ -32,6 +32,7 @@ + ldap_sasl_mech = str, None, false + ldap_sasl_authid = str, None, false + ldap_sasl_minssf = int, None, false ++ldap_sasl_maxssf = int, None, false + krb5_kdcip = str, None, false + krb5_server = str, None, false + krb5_backup_server = str, None, false +Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf +=================================================================== +--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ldap.conf 2020-10-12 17:03:58.900712608 +1300 ++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf 2020-10-12 17:03:58.896712553 +1300 +@@ -35,6 +35,7 @@ + ldap_deref_threshold = int, None, false + ldap_sasl_canonicalize = bool, None, false + ldap_sasl_minssf = int, None, false ++ldap_sasl_maxssf = int, None, false + ldap_connection_expire_timeout = int, None, false + ldap_disable_paging = bool, None, false + ldap_disable_range_retrieval = bool, None, false +Index: sssd-2.2.3/src/man/sssd-ldap.5.xml +=================================================================== +--- sssd-2.2.3.orig/src/man/sssd-ldap.5.xml 2020-10-12 17:03:58.900712608 +1300 ++++ sssd-2.2.3/src/man/sssd-ldap.5.xml 2020-10-12 17:03:58.896712553 +1300 +@@ -594,6 +594,22 @@ + + + ++ ldap_sasl_maxssf (integer) ++ ++ ++ When communicating with an LDAP server using SASL, ++ specify the maximal security level necessary to ++ establish the connection. The values of this ++ option are defined by OpenLDAP. 
++ ++ ++ Default: Use the system default (usually specified ++ by ldap.conf) ++ ++ ++ ++ ++ + ldap_deref_threshold (integer) + + +Index: sssd-2.2.3/src/providers/ad/ad_opts.c +=================================================================== +--- sssd-2.2.3.orig/src/providers/ad/ad_opts.c 2020-10-12 17:03:58.900712608 +1300 ++++ sssd-2.2.3/src/providers/ad/ad_opts.c 2020-10-12 17:03:58.896712553 +1300 +@@ -105,6 +105,7 @@ + { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, ++ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + /* use the same parm name as the krb5 module so we set it only once */ +Index: sssd-2.2.3/src/providers/ipa/ipa_opts.c +=================================================================== +--- sssd-2.2.3.orig/src/providers/ipa/ipa_opts.c 2020-10-12 17:03:58.900712608 +1300 ++++ sssd-2.2.3/src/providers/ipa/ipa_opts.c 2020-10-12 17:03:58.896712553 +1300 +@@ -114,6 +114,7 @@ + { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER }, ++ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + /* use the same parm name as the krb5 module so we set it only once */ +Index: sssd-2.2.3/src/providers/ldap/ldap_opts.c +=================================================================== +--- sssd-2.2.3.orig/src/providers/ldap/ldap_opts.c 2020-10-12 17:03:58.900712608 +1300 ++++ sssd-2.2.3/src/providers/ldap/ldap_opts.c 2020-10-12 17:03:58.900712608 +1300 +@@ -74,6 
+74,7 @@
+ { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
++ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+ { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ /* use the same parm name as the krb5 module so we set it only once */
+Index: sssd-2.2.3/src/providers/ldap/sdap.h
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ldap/sdap.h 2020-10-12 17:03:58.900712608 +1300
++++ sssd-2.2.3/src/providers/ldap/sdap.h 2020-10-12 17:03:58.900712608 +1300
+@@ -192,6 +192,7 @@
+ SDAP_SASL_AUTHID,
+ SDAP_SASL_REALM,
+ SDAP_SASL_MINSSF,
++ SDAP_SASL_MAXSSF,
+ SDAP_KRB5_KEYTAB,
+ SDAP_KRB5_KINIT,
+ SDAP_KRB5_KDC,
+Index: sssd-2.2.3/src/providers/ldap/sdap_async_connection.c
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ldap/sdap_async_connection.c 2020-10-12 17:03:58.900712608 +1300
++++ sssd-2.2.3/src/providers/ldap/sdap_async_connection.c 2020-10-12 17:03:58.900712608 +1300
+@@ -148,6 +148,8 @@
+ const char *sasl_mech;
+ int sasl_minssf;
+ ber_len_t ber_sasl_minssf;
++ int sasl_maxssf;
++ ber_len_t ber_sasl_maxssf;
+
+ ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
+ talloc_zfree(subreq);
+@@ -291,6 +293,18 @@
+ goto fail;
+ }
+ }
++
++ sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF);
++ if (sasl_maxssf >= 0) {
++ ber_sasl_maxssf = (ber_len_t)sasl_maxssf;
++ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX,
++ &ber_sasl_maxssf);
++ if (lret != LDAP_OPT_SUCCESS) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option "
++ "to %d\n", sasl_maxssf);
++ goto fail;
++ }
++ }
+ }
+
+ /* if we do not use start_tls the connection is not really connected yet
only
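Review bot: The new ldap_sasl_maxssf block in sdap_async_connection.c sets LDAP_OPT_X_SASL_SSF_MAX without relating it to the minssf handled just above it, so a configuration with maxssf below minssf is accepted here and only fails later, inside the SASL bind, with a generic error. A warning at this point, assuming sasl_minssf has already been assigned in the part of the function not shown, makes that misconfiguration diagnosable: `if (sasl_minssf >= 0 && sasl_maxssf < sasl_minssf) { DEBUG(SSSDBG_MINOR_FAILURE, "ldap_sasl_maxssf [%d] is lower than ldap_sasl_minssf [%d]\n", sasl_maxssf, sasl_minssf); }`. The man page wording "the maximal security level necessary to establish the connection" reuses the minssf phrasing; for a maximum it should read along the lines of "the maximum security strength factor SASL may negotiate for the connection", and it should say that a value of 0 leaves SASL without integrity or confidentiality protection, so it is only appropriate on connections already protected by TLS, which is how the ad_use_ldaps code path uses it. The enclosing function starts and ends outside the hunk.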
in patch2:
unchanged:
--- sssd-2.2.3.orig/debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
+++ sssd-2.2.3/debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
@@ -0,0 +1,74 @@
+Description: ad: set min and max ssf for ldaps
+Author: Sumit Bose
+From: Matthew Ruffell
+Origin: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102
+Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
+Bug-Ubuntu: https://launchpad.net/bugs/1868703
+
+Index: sssd-2.2.3/src/providers/ad/ad_common.c
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ad/ad_common.c 2020-10-12 17:04:19.840999569 +1300
++++ sssd-2.2.3/src/providers/ad/ad_common.c 2020-10-12 17:04:19.836999514 +1300
+@@ -1021,6 +1021,23 @@
+ return;
+ }
+
++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)
++{
++ int ret;
++
++ DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");
++ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Failed to set SASL minssf for ldaps usage, ignored.\n");
++ }
++ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Failed to set SASL maxssf for ldaps usage, ignored.\n");
++ }
++}
++
+ static errno_t
+ ad_set_sdap_options(struct ad_options *ad_opts,
+ struct sdap_options *id_opts)
+@@ -1079,6 +1096,10 @@
+ goto done;
+ }
+
++ if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {
++ ad_set_ssf_for_ldaps(id_opts);
++ }
++
+ /* Warn if the user is doing something silly like overriding the schema
+ * with the AD provider
+ */
+Index: sssd-2.2.3/src/providers/ad/ad_common.h
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ad/ad_common.h 2020-10-12 17:04:19.840999569 +1300
++++ sssd-2.2.3/src/providers/ad/ad_common.h 2020-10-12 17:04:19.836999514 +1300
+@@ -181,6 +181,8 @@
+ ad_get_dyndns_options(struct be_ctx *be_ctx,
+ struct ad_options *ad_opts);
+
++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);
++
+ struct ad_id_ctx *
+ ad_id_ctx_init(struct
ad_options *ad_opts, struct be_ctx *bectx);
+
+Index: sssd-2.2.3/src/providers/ad/ad_subdomains.c
+===================================================================
+--- sssd-2.2.3.orig/src/providers/ad/ad_subdomains.c 2020-10-12 17:04:19.840999569 +1300
++++ sssd-2.2.3/src/providers/ad/ad_subdomains.c 2020-10-12 17:04:19.836999514 +1300
+@@ -328,6 +328,10 @@
+ return ret;
+ }
+
++ if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {
++ ad_set_ssf_for_ldaps(ad_options->id);
++ }
++
+ ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
+ ad_options->id->basic,
+ be_ctx->cdb, subdom_conf_path,
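Review bot: ad_set_ssf_for_ldaps() unconditionally overwrites SDAP_SASL_MINSSF and SDAP_SASL_MAXSSF, so an administrator's own ldap_sasl_minssf/ldap_sasl_maxssf values are silently discarded whenever ad_use_ldaps is set, and the only trace of that is a SSSDBG_TRACE_ALL line; logging the override at SSSDBG_CONF_SETTINGS and documenting it in the header would save a confusing debugging session. The new declaration in ad_common.h carries no comment; add `/* Force SASL min/max SSF to 0 so SASL does not negotiate a second security layer on top of LDAPS. Overrides ldap_sasl_minssf/ldap_sasl_maxssf from the configuration. */` above it. In ad_subdomains.c the call is placed before an ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic, ad_options->id->basic, ...) whose option id lies outside the hunk; if that inheritance ever copies the SSF options from the parent it would undo the override, so the ordering deserves a comment or an explicit check. Both ad_set_sdap_options() and the sub-domain init function start and end outside their inner hunks.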