diff -u sssd-1.16.1/debian/changelog sssd-1.16.1/debian/changelog --- sssd-1.16.1/debian/changelog +++ sssd-1.16.1/debian/changelog @@ -1,3 +1,15 @@ +sssd (1.16.1-1ubuntu1.7) bionic; urgency=medium + + * Enable support for "ad_use_ldaps" for new Active Directory + requirement ADV190023 (LP: #1868703): + - d/p/lp-1868703-01-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch + - d/p/lp-1868703-02-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch + - d/p/lp-1868703-03-ad-add-ad_use_ldaps.patch + - d/p/lp-1868703-04-ldap-add-new-option-ldap_sasl_maxssf.patch + - d/p/lp-1868703-05-ad-set-min-and-max-ssf-for-ldaps.patch + + -- Matthew Ruffell Tue, 10 Nov 2020 12:10:04 +1300 + sssd (1.16.1-1ubuntu1.6) bionic; urgency=medium * d/p/monitor-propagate-error.patch, diff -u sssd-1.16.1/debian/patches/series sssd-1.16.1/debian/patches/series --- sssd-1.16.1/debian/patches/series +++ sssd-1.16.1/debian/patches/series @@ -4,3 +4,8 @@ winbind-idmap-plugin-support-inferface-version-6.patch monitor-resolve-symlinks.patch monitor-propagate-error.patch +lp-1868703-01-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch +lp-1868703-02-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch +lp-1868703-03-ad-add-ad_use_ldaps.patch +lp-1868703-04-ldap-add-new-option-ldap_sasl_maxssf.patch +lp-1868703-05-ad-set-min-and-max-ssf-for-ldaps.patch only in patch2: unchanged: --- sssd-1.16.1.orig/debian/patches/lp-1868703-01-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch +++ sssd-1.16.1/debian/patches/lp-1868703-01-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch 
@@ -0,0 +1,189 @@ +Description: sdap: inherit SDAP_SASL_MECH if not set explicitly +Author: Sumit Bose +From: Matthew Ruffell +Origin: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae +Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 +Bug-Ubuntu: https://launchpad.net/bugs/1868703 + +Index: sssd-1.16.1/src/config/cfg_rules.ini +=================================================================== +--- sssd-1.16.1.orig/src/config/cfg_rules.ini 2020-10-21 17:18:32.057361485 +1300 ++++ sssd-1.16.1/src/config/cfg_rules.ini 2020-10-21 17:18:32.053361441 +1300 +@@ -737,6 +737,7 @@ + option = ldap_group_search_base + option = ldap_netgroup_search_base + option = ldap_service_search_base ++option = ldap_sasl_mech + option = ad_server + option = ad_backup_server + option = ad_site +Index: sssd-1.16.1/src/man/sssd-ldap.5.xml +=================================================================== +--- sssd-1.16.1.orig/src/man/sssd-ldap.5.xml 2020-10-21 17:18:32.057361485 +1300 ++++ sssd-1.16.1/src/man/sssd-ldap.5.xml 2020-10-21 17:18:32.053361441 +1300 +@@ -1751,6 +1751,16 @@ + map IDs. + + ++ If the backend supports sub-domains the value of ++ ldap_sasl_mech is automatically inherited to the ++ sub-domains. If a different value is needed for a ++ sub-domain it can be overwritten by setting ++ ldap_sasl_mech for this sub-domain explicitly. ++ Please see TRUSTED DOMAIN SECTION in ++ sssd.conf ++ 5 for details. 
++ ++ + Default: not set (both options are set to 0) + + +Index: sssd-1.16.1/src/man/sssd.conf.5.xml +=================================================================== +--- sssd-1.16.1.orig/src/man/sssd.conf.5.xml 2020-10-21 17:18:32.057361485 +1300 ++++ sssd-1.16.1/src/man/sssd.conf.5.xml 2020-10-21 17:18:32.053361441 +1300 +@@ -3160,6 +3160,7 @@ + ldap_group_search_base, + ldap_netgroup_search_base, + ldap_service_search_base, ++ ldap_sasl_mech, + ad_server, + ad_backup_server, + ad_site, +Index: sssd-1.16.1/src/providers/ad/ad_common.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_common.c 2020-10-21 17:18:32.057361485 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_common.c 2020-10-21 17:18:32.053361441 +1300 +@@ -1431,3 +1431,41 @@ + + return clist; + } ++ ++errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts, ++ struct dp_option *suddom_opts, ++ struct confdb_ctx *cdb, ++ const char *subdom_conf_path, ++ int opt_id) ++{ ++ int ret; ++ const char *parent_val = NULL; ++ char *dummy = NULL; ++ char *option_list[2] = { NULL, NULL }; ++ ++ parent_val = dp_opt_get_cstring(parent_opts, opt_id); ++ if (parent_val != NULL) { ++ ret = confdb_get_string(cdb, NULL, subdom_conf_path, ++ parent_opts[opt_id].opt_name, NULL, &dummy); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_string failed.\n"); ++ goto done; ++ } ++ ++ if (dummy == NULL) { ++ DEBUG(SSSDBG_CONF_SETTINGS, ++ "Option [%s] is set in parent domain but not set for " ++ "sub-domain trying to set it to [%s].\n", ++ parent_opts[opt_id].opt_name, parent_val); ++ option_list[0] = discard_const(parent_opts[opt_id].opt_name); ++ dp_option_inherit(option_list, opt_id, parent_opts, suddom_opts); ++ } ++ } ++ ++ ret = EOK; ++ ++done: ++ talloc_free(dummy); ++ ++ return ret; ++} +Index: sssd-1.16.1/src/providers/ad/ad_common.h +=================================================================== +--- 
sssd-1.16.1.orig/src/providers/ad/ad_common.h 2020-10-21 17:18:32.057361485 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_common.h 2020-10-21 17:18:32.053361441 +1300 +@@ -207,4 +207,9 @@ + char **_site, + char **_forest); + ++errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts, ++ struct dp_option *suddom_opts, ++ struct confdb_ctx *cdb, ++ const char *subdom_conf_path, ++ int opt_id); + #endif /* AD_COMMON_H_ */ +Index: sssd-1.16.1/src/providers/ad/ad_subdomains.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_subdomains.c 2020-10-21 17:18:32.057361485 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_subdomains.c 2020-10-21 17:18:32.057361485 +1300 +@@ -268,13 +268,29 @@ + ad_options = ad_create_2way_trust_options(id_ctx, be_ctx->cdb, + subdom_conf_path, realm, subdom, + hostname, keytab); +- talloc_free(subdom_conf_path); + if (ad_options == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n"); + talloc_free(ad_options); ++ talloc_free(subdom_conf_path); + return ENOMEM; + } + ++ ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic, ++ ad_options->id->basic, ++ be_ctx->cdb, subdom_conf_path, ++ SDAP_SASL_MECH); ++ talloc_free(subdom_conf_path); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to inherit option [%s] to sub-domain [%s]. 
" ++ "This error is ignored but might cause issues or unexpected " ++ "behavior later on.\n", ++ id_ctx->ad_options->id->basic[SDAP_SASL_MECH].opt_name, ++ subdom->name); ++ ++ return ret; ++ } ++ + ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE); + + gc_service_name = talloc_asprintf(ad_options, "sd_gc_%s", subdom->name); +Index: sssd-1.16.1/src/providers/ipa/ipa_subdomains_server.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ipa/ipa_subdomains_server.c 2020-10-21 17:18:32.057361485 +1300 ++++ sssd-1.16.1/src/providers/ipa/ipa_subdomains_server.c 2020-10-21 17:18:32.057361485 +1300 +@@ -170,6 +170,7 @@ + const char *forest; + const char *forest_realm; + char *subdom_conf_path; ++ int ret; + + /* Trusts are only established with forest roots */ + direction = subdom->forest_root->trust_direction; +@@ -198,12 +199,28 @@ + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported trust direction!\n"); + ad_options = NULL; + } +- talloc_free(subdom_conf_path); + + if (ad_options == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n"); ++ talloc_free(subdom_conf_path); + return NULL; + } ++ ++ ret = ad_inherit_opts_if_needed(id_ctx->ipa_options->id->basic, ++ ad_options->id->basic, be_ctx->cdb, ++ subdom_conf_path, SDAP_SASL_MECH); ++ talloc_free(subdom_conf_path); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to inherit option [%s] to sub-domain [%s]. " ++ "This error is ignored but might cause issues or unexpected " ++ "behavior later on.\n", ++ id_ctx->ipa_options->id->basic[SDAP_SASL_MECH].opt_name, ++ subdom->name); ++ ++ return NULL; ++ } ++ + return ad_options; + } + only in patch2: unchanged: --- sssd-1.16.1.orig/debian/patches/lp-1868703-02-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch +++ sssd-1.16.1/debian/patches/lp-1868703-02-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch 
@@ -0,0 +1,40 @@ +Description: ad: allow booleans for ad_inherit_opts_if_needed() +Author: Sumit Bose +From: Matthew Ruffell +Origin: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83 +Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 +Bug-Ubuntu: https://launchpad.net/bugs/1868703 + +Index: sssd-1.16.1/src/providers/ad/ad_common.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_common.c 2020-10-21 17:18:53.965596788 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_common.c 2020-10-21 17:18:53.965596788 +1300 +@@ -1442,9 +1442,26 @@ + const char *parent_val = NULL; + char *dummy = NULL; + char *option_list[2] = { NULL, NULL }; ++ bool is_default = true; + +- parent_val = dp_opt_get_cstring(parent_opts, opt_id); +- if (parent_val != NULL) { ++ switch (parent_opts[opt_id].type) { ++ case DP_OPT_STRING: ++ parent_val = dp_opt_get_cstring(parent_opts, opt_id); ++ break; ++ case DP_OPT_BOOL: ++ /* For booleans it is hard to say if the option is set or not since ++ * both possible values are valid ones. So we check if the value is ++ * different from the default and skip if it is the default. In this ++ * case the sub-domain option would either be the default as well or ++ * manully set and in both cases we do not have to change it. */ ++ is_default = (parent_opts[opt_id].val.boolean ++ == parent_opts[opt_id].def_val.boolean); ++ break; ++ default: ++ DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n"); ++ } ++ ++ if (parent_val != NULL || !is_default) { + ret = confdb_get_string(cdb, NULL, subdom_conf_path, + parent_opts[opt_id].opt_name, NULL, &dummy); + if (ret != EOK) { only in patch2: unchanged: --- sssd-1.16.1.orig/debian/patches/lp-1868703-03-ad-add-ad_use_ldaps.patch +++ sssd-1.16.1/debian/patches/lp-1868703-03-ad-add-ad_use_ldaps.patch 
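Review bot: The `default:` arm of the new switch leaves `parent_val` NULL and `is_default` true, so any DP_OPT_NUMBER option (ldap_sasl_minssf and ldap_sasl_maxssf are declared with that type elsewhere in this series) is silently never inherited and the function still returns EOK, with the only trace at SSSDBG_TRACE_FUNC. Logging the option name at a level an administrator will see, `DEBUG(SSSDBG_MINOR_FAILURE, "Unsupported type for option [%s], skipping.\n", parent_opts[opt_id].opt_name);`, and ending the arm with `break;` would make the limitation visible. The new comment has a typo, `manully` → `manually`. ad_inherit_opts_if_needed starts and ends outside this hunk.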
@@ -0,0 +1,407 @@ +Description: ad: add ad_use_ldaps +Author: Sumit Bose +From: Matthew Ruffell +Origin: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7 +Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 +Bug-Ubuntu: https://launchpad.net/bugs/1868703 + +Index: sssd-1.16.1/src/config/SSSDConfig/__init__.py.in +=================================================================== +--- sssd-1.16.1.orig/src/config/SSSDConfig/__init__.py.in 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/config/SSSDConfig/__init__.py.in 2020-10-21 17:19:12.681798672 +1300 +@@ -246,6 +246,7 @@ + 'ad_site' : _('a particular site to be used by the client'), + 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'), + 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'), ++ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'), + + # [provider/krb5] + 'krb5_kdcip' : _('Kerberos server address'), +Index: sssd-1.16.1/src/config/cfg_rules.ini +=================================================================== +--- sssd-1.16.1.orig/src/config/cfg_rules.ini 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/config/cfg_rules.ini 2020-10-21 17:19:12.681798672 +1300 +@@ -447,6 +447,7 @@ + option = ad_maximum_machine_account_password_age + option = ad_server + option = ad_site ++option = ad_use_ldaps + + # IPA provider specific options + option = ipa_anchor_uuid +Index: sssd-1.16.1/src/config/etc/sssd.api.d/sssd-ad.conf +=================================================================== +--- sssd-1.16.1.orig/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-21 17:19:12.681798672 +1300 +@@ -20,6 +20,7 @@ + ad_site = str, None, false + ad_maximum_machine_account_password_age = int, None, false + 
ad_machine_account_password_renewal_opts = str, None, false ++ad_use_ldaps = bool, None, false + ldap_uri = str, None, false + ldap_backup_uri = str, None, false + ldap_search_base = str, None, false +Index: sssd-1.16.1/src/man/sssd-ad.5.xml +=================================================================== +--- sssd-1.16.1.orig/src/man/sssd-ad.5.xml 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/man/sssd-ad.5.xml 2020-10-21 17:19:12.681798672 +1300 +@@ -860,6 +860,26 @@ + + + ++ ad_use_ldaps (bool) ++ ++ ++ By default SSSD uses the plain LDAP port 389 and the ++ Global Catalog port 3628. If this option is set to ++ True SSSD will use the LDAPS port 636 and Global ++ Catalog port 3629 with LDAPS protection. Since AD ++ does not allow to have multiple encryption layers on ++ a single connection and we still want to use ++ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication ++ the SASL security property maxssf is set to 0 (zero) ++ for those connections. ++ ++ ++ Default: False ++ ++ ++ ++ ++ + dyndns_update (boolean) + + +Index: sssd-1.16.1/src/providers/ad/ad_common.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_common.c 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_common.c 2020-10-21 17:19:12.681798672 +1300 +@@ -720,6 +720,7 @@ + const char *ad_service, + const char *ad_gc_service, + const char *ad_domain, ++ bool ad_use_ldaps, + struct ad_service **_service) + { + errno_t ret; +@@ -735,6 +736,16 @@ + goto done; + } + ++ if (ad_use_ldaps) { ++ service->ldap_scheme = "ldaps"; ++ service->port = LDAPS_PORT; ++ service->gc_port = AD_GC_LDAPS_PORT; ++ } else { ++ service->ldap_scheme = "ldap"; ++ service->port = LDAP_PORT; ++ service->gc_port = AD_GC_PORT; ++ } ++ + service->sdap = talloc_zero(service, struct sdap_service); + service->gc = talloc_zero(service, struct sdap_service); + if (!service->sdap || !service->gc) { +@@ -898,7 +909,8 @@ + goto done; + } + +- 
new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name); ++ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme, ++ srv_name); + if (!new_uri) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n"); + ret = ENOMEM; +@@ -906,7 +918,7 @@ + } + DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri); + +- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT); ++ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port); + if (sockaddr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n"); + ret = EIO; +@@ -922,8 +934,12 @@ + talloc_zfree(service->gc->uri); + talloc_zfree(service->gc->sockaddr); + if (sdata && sdata->gc) { +- new_port = fo_get_server_port(server); +- new_port = (new_port == 0) ? AD_GC_PORT : new_port; ++ if (service->gc_port == AD_GC_LDAPS_PORT) { ++ new_port = service->gc_port; ++ } else { ++ new_port = fo_get_server_port(server); ++ new_port = (new_port == 0) ? service->gc_port : new_port; ++ } + + service->gc->uri = talloc_asprintf(service->gc, "%s:%d", + new_uri, new_port); +Index: sssd-1.16.1/src/providers/ad/ad_common.h +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_common.h 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_common.h 2020-10-21 17:19:12.681798672 +1300 +@@ -29,7 +29,8 @@ + #define AD_SERVICE_NAME "AD" + #define AD_GC_SERVICE_NAME "AD_GC" + /* The port the Global Catalog runs on */ +-#define AD_GC_PORT 3268 ++#define AD_GC_PORT 3268 ++#define AD_GC_LDAPS_PORT 3269 + + #define AD_AT_OBJECT_SID "objectSID" + #define AD_AT_DNS_DOMAIN "DnsDomain" +@@ -65,6 +66,7 @@ + AD_KRB5_CONFD_PATH, + AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE, + AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS, ++ AD_USE_LDAPS, + + AD_OPTS_BASIC /* opts counter */ + }; +@@ -80,6 +82,9 @@ + struct sdap_service *sdap; + struct sdap_service *gc; + struct krb5_service *krb5_service; ++ const char 
*ldap_scheme; ++ int port; ++ int gc_port; + }; + + struct ad_options { +@@ -141,6 +146,7 @@ + const char *ad_service, + const char *ad_gc_service, + const char *ad_domain, ++ bool ad_use_ldaps, + struct ad_service **_service); + + errno_t +Index: sssd-1.16.1/src/providers/ad/ad_init.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_init.c 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_init.c 2020-10-21 17:19:12.681798672 +1300 +@@ -138,6 +138,7 @@ + char *ad_servers = NULL; + char *ad_backup_servers = NULL; + char *ad_realm; ++ bool ad_use_ldaps = false; + errno_t ret; + + ad_sasl_initialize(); +@@ -154,11 +155,13 @@ + ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER); + ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER); + ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM); ++ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS); + + /* Set up the failover service */ + ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers, + ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME, + dp_opt_get_string(ad_options->basic, AD_DOMAIN), ++ ad_use_ldaps, + &ad_options->service); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init AD failover service: " +@@ -181,11 +184,13 @@ + const char *ad_site_override; + bool sites_enabled; + errno_t ret; ++ bool ad_use_ldaps; + + hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME); + ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN); + ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE); + sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES); ++ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS); + + + if (!sites_enabled) { +@@ -202,7 +207,8 @@ + srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, ad_options->id, + hostname, ad_domain, +- ad_site_override); ++ 
ad_site_override, ++ ad_use_ldaps); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); + return ENOMEM; +Index: sssd-1.16.1/src/providers/ad/ad_opts.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_opts.c 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_opts.c 2020-10-21 17:19:12.681798672 +1300 +@@ -51,6 +51,7 @@ + { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING }, + { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER }, + { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING }, ++ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + DP_OPTION_TERMINATOR + }; + +Index: sssd-1.16.1/src/providers/ad/ad_srv.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_srv.c 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_srv.c 2020-10-21 17:19:12.681798672 +1300 +@@ -237,6 +237,7 @@ + enum host_database *host_db; + struct sdap_options *opts; + const char *ad_domain; ++ bool ad_use_ldaps; + struct fo_server_info *dcs; + size_t num_dcs; + size_t dc_index; +@@ -257,6 +258,7 @@ + enum host_database *host_db, + struct sdap_options *opts, + const char *ad_domain, ++ bool ad_use_ldaps, + struct fo_server_info *dcs, + size_t num_dcs) + { +@@ -281,6 +283,7 @@ + state->host_db = host_db; + state->opts = opts; + state->ad_domain = ad_domain; ++ state->ad_use_ldaps = ad_use_ldaps; + state->dcs = dcs; + state->num_dcs = num_dcs; + +@@ -324,8 +327,11 @@ + subreq = sdap_connect_host_send(state, state->ev, state->opts, + state->be_res->resolv, + state->be_res->family_order, +- state->host_db, "ldap", state->dc.host, +- state->dc.port, false); ++ state->host_db, ++ state->ad_use_ldaps ? "ldaps" : "ldap", ++ state->dc.host, ++ state->ad_use_ldaps ? 
636 : state->dc.port, ++ false); + if (subreq == NULL) { + ret = ENOMEM; + goto done; +@@ -484,6 +490,7 @@ + const char *ad_domain; + const char *ad_site_override; + const char *current_site; ++ bool ad_use_ldaps; + }; + + struct ad_srv_plugin_ctx * +@@ -494,7 +501,8 @@ + struct sdap_options *opts, + const char *hostname, + const char *ad_domain, +- const char *ad_site_override) ++ const char *ad_site_override, ++ bool ad_use_ldaps) + { + struct ad_srv_plugin_ctx *ctx = NULL; + errno_t ret; +@@ -508,6 +516,7 @@ + ctx->be_res = be_res; + ctx->host_dbs = host_dbs; + ctx->opts = opts; ++ ctx->ad_use_ldaps = ad_use_ldaps; + + ctx->hostname = talloc_strdup(ctx, hostname); + if (ctx->hostname == NULL) { +@@ -707,6 +716,7 @@ + state->ctx->host_dbs, + state->ctx->opts, + state->discovery_domain, ++ state->ctx->ad_use_ldaps, + dcs, num_dcs); + if (subreq == NULL) { + ret = ENOMEM; +Index: sssd-1.16.1/src/providers/ad/ad_srv.h +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_srv.h 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_srv.h 2020-10-21 17:19:12.681798672 +1300 +@@ -31,7 +31,8 @@ + struct sdap_options *opts, + const char *hostname, + const char *ad_domain, +- const char *ad_site_override); ++ const char *ad_site_override, ++ bool ad_use_ldaps); + + struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, +Index: sssd-1.16.1/src/providers/ad/ad_subdomains.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_subdomains.c 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_subdomains.c 2020-10-21 17:19:12.681798672 +1300 +@@ -249,6 +249,7 @@ + const char *hostname; + const char *keytab; + char *subdom_conf_path; ++ bool ad_use_ldaps = false; + + realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM); + hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, 
AD_HOSTNAME); +@@ -275,6 +276,21 @@ + return ENOMEM; + } + ++ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic, ++ ad_options->basic, ++ be_ctx->cdb, subdom_conf_path, ++ AD_USE_LDAPS); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to inherit option [%s] to sub-domain [%s]. " ++ "This error is ignored but might cause issues or unexpected " ++ "behavior later on.\n", ++ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name, ++ subdom->name); ++ ++ return ret; ++ } ++ + ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic, + ad_options->id->basic, + be_ctx->cdb, subdom_conf_path, +@@ -307,10 +323,11 @@ + + servers = dp_opt_get_string(ad_options->basic, AD_SERVER); + backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER); ++ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS); + + ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers, realm, + service_name, gc_service_name, +- subdom->name, &ad_options->service); ++ subdom->name, ad_use_ldaps, &ad_options->service); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD failover\n"); + talloc_free(ad_options); +@@ -331,7 +348,7 @@ + ad_id_ctx->ad_options->id, + hostname, + ad_domain, +- ad_site_override); ++ ad_site_override, ad_use_ldaps); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); + return ENOMEM; +Index: sssd-1.16.1/src/providers/ipa/ipa_subdomains_server.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ipa/ipa_subdomains_server.c 2020-10-21 17:19:12.685798714 +1300 ++++ sssd-1.16.1/src/providers/ipa/ipa_subdomains_server.c 2020-10-21 17:19:12.681798672 +1300 +@@ -304,7 +304,7 @@ + ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers, + id_ctx->server_mode->realm, + service_name, gc_service_name, +- subdom->name, &ad_options->service); ++ subdom->name, false, &ad_options->service); + if (ret != EOK) { + 
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD failover\n"); + talloc_free(ad_options); +@@ -327,7 +327,7 @@ + ad_id_ctx->ad_options->id, + id_ctx->server_mode->hostname, + ad_domain, +- ad_site_override); ++ ad_site_override, false); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); + return ENOMEM; only in patch2: unchanged: --- sssd-1.16.1.orig/debian/patches/lp-1868703-04-ldap-add-new-option-ldap_sasl_maxssf.patch +++ sssd-1.16.1/debian/patches/lp-1868703-04-ldap-add-new-option-ldap_sasl_maxssf.patch 
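Review bot: The new early return in ad_subdomains.c after the AD_USE_LDAPS inherit call skips the `talloc_free(subdom_conf_path)` that only happens after the following SDAP_SASL_MECH call, and it also leaves `ad_options` allocated; free both before `return ret;`. The sssd-ad.5.xml text gives the Global Catalog ports as 3628 and 3629, but ad_common.h defines `AD_GC_PORT 3268` and `AD_GC_LDAPS_PORT 3269`, so the man page should say 3268 and 3269. In ad_srv.c the LDAPS port is hard-coded as `636` while ad_common.c uses `LDAPS_PORT`; prefer `state->ad_use_ldaps ? LDAPS_PORT : state->dc.port,` if that macro is visible there. The ad_common.c change also ignores any port from fo_get_server_port() whenever `gc_port == AD_GC_LDAPS_PORT`, which may be intentional but deserves a comment saying so. All the modified functions start outside their hunks.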
@@ -0,0 +1,174 @@ +Description: ldap: add new option ldap_sasl_maxssf +Author: Sumit Bose +From: Matthew Ruffell +Origin: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5 +Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 +Bug-Ubuntu: https://launchpad.net/bugs/1868703 + +Index: sssd-1.16.1/src/config/SSSDConfig/__init__.py.in +=================================================================== +--- sssd-1.16.1.orig/src/config/SSSDConfig/__init__.py.in 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/config/SSSDConfig/__init__.py.in 2020-10-21 17:19:35.894050101 +1300 +@@ -298,6 +298,7 @@ + 'ldap_sasl_authid' : _('Specify the sasl authorization id to use'), + 'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'), + 'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'), ++ 'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'), + 'ldap_krb5_keytab' : _('Kerberos service keytab'), + 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'), + 'ldap_referrals' : _('Follow LDAP referrals'), +Index: sssd-1.16.1/src/config/cfg_rules.ini +=================================================================== +--- sssd-1.16.1.orig/src/config/cfg_rules.ini 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/config/cfg_rules.ini 2020-10-21 17:19:35.894050101 +1300 +@@ -648,6 +648,7 @@ + option = ldap_sasl_canonicalize + option = ldap_sasl_mech + option = ldap_sasl_minssf ++option = ldap_sasl_maxssf + option = ldap_schema + option = ldap_search_base + option = ldap_search_timeout +Index: sssd-1.16.1/src/config/etc/sssd.api.d/sssd-ad.conf +=================================================================== +--- sssd-1.16.1.orig/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-21 17:19:35.894050101 +1300 +@@ -40,6 +40,7 @@ + ldap_sasl_mech = str, 
None, false + ldap_sasl_authid = str, None, false + ldap_sasl_minssf = int, None, false ++ldap_sasl_maxssf = int, None, false + krb5_kdcip = str, None, false + krb5_server = str, None, false + krb5_backup_server = str, None, false +Index: sssd-1.16.1/src/config/etc/sssd.api.d/sssd-ipa.conf +=================================================================== +--- sssd-1.16.1.orig/src/config/etc/sssd.api.d/sssd-ipa.conf 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/config/etc/sssd.api.d/sssd-ipa.conf 2020-10-21 17:19:35.894050101 +1300 +@@ -31,6 +31,7 @@ + ldap_sasl_mech = str, None, false + ldap_sasl_authid = str, None, false + ldap_sasl_minssf = int, None, false ++ldap_sasl_maxssf = int, None, false + krb5_kdcip = str, None, false + krb5_server = str, None, false + krb5_backup_server = str, None, false +Index: sssd-1.16.1/src/config/etc/sssd.api.d/sssd-ldap.conf +=================================================================== +--- sssd-1.16.1.orig/src/config/etc/sssd.api.d/sssd-ldap.conf 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/config/etc/sssd.api.d/sssd-ldap.conf 2020-10-21 17:19:35.894050101 +1300 +@@ -34,6 +34,7 @@ + ldap_deref_threshold = int, None, false + ldap_sasl_canonicalize = bool, None, false + ldap_sasl_minssf = int, None, false ++ldap_sasl_maxssf = int, None, false + ldap_connection_expire_timeout = int, None, false + ldap_disable_paging = bool, None, false + ldap_disable_range_retrieval = bool, None, false +Index: sssd-1.16.1/src/man/sssd-ldap.5.xml +=================================================================== +--- sssd-1.16.1.orig/src/man/sssd-ldap.5.xml 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/man/sssd-ldap.5.xml 2020-10-21 17:19:35.894050101 +1300 +@@ -1554,6 +1554,22 @@ + + + ++ ldap_sasl_maxssf (integer) ++ ++ ++ When communicating with an LDAP server using SASL, ++ specify the maximal security level necessary to ++ establish the connection. 
The values of this ++ option are defined by OpenLDAP. ++ ++ ++ Default: Use the system default (usually specified ++ by ldap.conf) ++ ++ ++ ++ ++ + ldap_deref_threshold (integer) + + +Index: sssd-1.16.1/src/providers/ad/ad_opts.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_opts.c 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_opts.c 2020-10-21 17:19:35.898050145 +1300 +@@ -101,6 +101,7 @@ + { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, ++ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + /* use the same parm name as the krb5 module so we set it only once */ +Index: sssd-1.16.1/src/providers/ipa/ipa_opts.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ipa/ipa_opts.c 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/providers/ipa/ipa_opts.c 2020-10-21 17:19:35.898050145 +1300 +@@ -112,6 +112,7 @@ + { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER }, ++ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + /* use the same parm name as the krb5 module so we set it only once */ +Index: sssd-1.16.1/src/providers/ldap/ldap_opts.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ldap/ldap_opts.c 2020-10-21 17:19:35.898050145 +1300 ++++ 
sssd-1.16.1/src/providers/ldap/ldap_opts.c 2020-10-21 17:19:35.898050145 +1300 +@@ -73,6 +73,7 @@ + { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, ++ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + /* use the same parm name as the krb5 module so we set it only once */ +Index: sssd-1.16.1/src/providers/ldap/sdap.h +=================================================================== +--- sssd-1.16.1.orig/src/providers/ldap/sdap.h 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/providers/ldap/sdap.h 2020-10-21 17:19:35.898050145 +1300 +@@ -190,6 +190,7 @@ + SDAP_SASL_AUTHID, + SDAP_SASL_REALM, + SDAP_SASL_MINSSF, ++ SDAP_SASL_MAXSSF, + SDAP_KRB5_KEYTAB, + SDAP_KRB5_KINIT, + SDAP_KRB5_KDC, +Index: sssd-1.16.1/src/providers/ldap/sdap_async_connection.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ldap/sdap_async_connection.c 2020-10-21 17:19:35.898050145 +1300 ++++ sssd-1.16.1/src/providers/ldap/sdap_async_connection.c 2020-10-21 17:19:35.898050145 +1300 +@@ -148,6 +148,8 @@ + const char *sasl_mech; + int sasl_minssf; + ber_len_t ber_sasl_minssf; ++ int sasl_maxssf; ++ ber_len_t ber_sasl_maxssf; + + ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd); + talloc_zfree(subreq); +@@ -291,6 +293,18 @@ + goto fail; + } + } ++ ++ sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF); ++ if (sasl_maxssf >= 0) { ++ ber_sasl_maxssf = (ber_len_t)sasl_maxssf; ++ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX, ++ &ber_sasl_maxssf); ++ if (lret != LDAP_OPT_SUCCESS) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option " ++ "to %d\n", sasl_maxssf); ++ goto fail; ++ 
} ++ } + } + + /* if we do not use start_tls the connection is not really connected yet only in patch2: unchanged: --- sssd-1.16.1.orig/debian/patches/lp-1868703-05-ad-set-min-and-max-ssf-for-ldaps.patch +++ sssd-1.16.1/debian/patches/lp-1868703-05-ad-set-min-and-max-ssf-for-ldaps.patch 
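Review bot: The new block sets LDAP_OPT_X_SASL_SSF_MAX without checking it against the minimum handled just above it, so a configuration with ldap_sasl_maxssf lower than ldap_sasl_minssf yields an unsatisfiable SASL negotiation that only surfaces at bind time; assuming `sasl_minssf` holds the SDAP_SASL_MINSSF value read in the preceding block, a guard such as `if (sasl_minssf >= 0 && sasl_maxssf >= 0 && sasl_maxssf < sasl_minssf) { DEBUG(SSSDBG_CRIT_FAILURE, "ldap_sasl_maxssf is lower than ldap_sasl_minssf\n"); goto fail; }` would report it at connect time. The sssd-ldap.5.xml wording "maximal security level necessary to establish the connection" inverts the meaning, since maxssf is the highest SASL security strength factor the client will negotiate rather than a requirement; suggest "specify the maximal security strength factor (SSF) the client will negotiate for the connection". The enclosing function in sdap_async_connection.c starts and ends outside the hunk.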
@@ -0,0 +1,74 @@ +Description: ad: set min and max ssf for ldaps +Author: Sumit Bose +From: Matthew Ruffell +Origin: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 +Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 +Bug-Ubuntu: https://launchpad.net/bugs/1868703 + +Index: sssd-1.16.1/src/providers/ad/ad_common.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_common.c 2020-10-21 17:20:00.722320287 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_common.c 2020-10-21 17:20:00.718320243 +1300 +@@ -1002,6 +1002,23 @@ + return; + } + ++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts) ++{ ++ int ret; ++ ++ DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n"); ++ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to set SASL minssf for ldaps usage, ignored.\n"); ++ } ++ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to set SASL maxssf for ldaps usage, ignored.\n"); ++ } ++} ++ + static errno_t + ad_set_sdap_options(struct ad_options *ad_opts, + struct sdap_options *id_opts) +@@ -1059,6 +1076,10 @@ + goto done; + } + ++ if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) { ++ ad_set_ssf_for_ldaps(id_opts); ++ } ++ + /* fix schema to AD */ + id_opts->schema_type = SDAP_SCHEMA_AD; + +Index: sssd-1.16.1/src/providers/ad/ad_common.h +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_common.h 2020-10-21 17:20:00.722320287 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_common.h 2020-10-21 17:20:00.718320243 +1300 +@@ -168,6 +168,8 @@ + ad_get_dyndns_options(struct be_ctx *be_ctx, + struct ad_options *ad_opts); + ++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts); ++ + struct ad_id_ctx * + ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx 
*bectx); + +Index: sssd-1.16.1/src/providers/ad/ad_subdomains.c +=================================================================== +--- sssd-1.16.1.orig/src/providers/ad/ad_subdomains.c 2020-10-21 17:20:00.722320287 +1300 ++++ sssd-1.16.1/src/providers/ad/ad_subdomains.c 2020-10-21 17:20:00.718320243 +1300 +@@ -291,6 +291,10 @@ + return ret; + } + ++ if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) { ++ ad_set_ssf_for_ldaps(ad_options->id); ++ } ++ + ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic, + ad_options->id->basic, + be_ctx->cdb, subdom_conf_path,
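Review bot: ad_set_ssf_for_ldaps() overwrites SDAP_SASL_MINSSF and SDAP_SASL_MAXSSF with 0 unconditionally, so an explicit ldap_sasl_minssf or ldap_sasl_maxssf in sssd.conf is silently discarded once ad_use_ldaps is enabled, and the only trace is at SSSDBG_TRACE_ALL; raise it to SSSDBG_CONF_SETTINGS and say what is being overridden, e.g. `DEBUG(SSSDBG_CONF_SETTINGS, "ad_use_ldaps is set, forcing ldap_sasl_minssf and ldap_sasl_maxssf to 0.\n");`. The ad_use_ldaps description added to sssd-ad.5.xml in the 03 patch mentions only maxssf being set to 0; it should also state that minssf is set to 0 and that both ldap_sasl_*ssf settings are overridden for these connections. A short header comment on the new function explaining why SSF 0 is needed here (the man page text says AD rejects a second encryption layer on a TLS connection) would help the next reader. ad_set_sdap_options and the ad_subdomains.c function start outside their hunks.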