-rw-r--r--server/man/sssd-ldap.5.xml43
-rw-r--r--server/providers/ldap/ldap_auth.c37
-rw-r--r--server/providers/ldap/ldap_id.c38
-rw-r--r--server/providers/ldap/sdap.c60
-rw-r--r--server/providers/ldap/sdap.h4
5 files changed, 115 insertions, 67 deletions
diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml
index 4c7e07b6..b5efb11d 100644
--- a/server/man/sssd-ldap.5.xml
+++ b/server/man/sssd-ldap.5.xml
@@ -35,6 +35,13 @@
<para>
There can be more than one LDAP domain configured with SSSD.
</para>
+ <para>
+ If you want to authenticate against an LDAP server TLS/SSL is
+ required. <command>sssd</command> <emphasis>does not</emphasis>
+ support authentication over an unencrypted channel. If the LDAP
+ server is used only as an identify provider, an encrypted channel
+ is not needed.
+ </para>
</refsect1>
<refsect1 id='file-format'>
@@ -439,6 +446,42 @@
<emphasis>hard</emphasis> = Same as
<quote>demand</quote>
</para>
+ <para>
+ Default: hard
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_tls_cacert (string)</term>
+ <listitem>
+ <para>
+ Specifies the file that contains certificates for
+ all of the Certificate Authorities
+ <command>sssd</command> will recognize.
+ </para>
+ <para>
+ Default: use OpenLDAP defaults, typically in
+ /etc/openldap/ldap.conf
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_tls_cacertdir (string)</term>
+ <listitem>
+ <para>
+ Specifies the path of a directory that contains
+ Certificate Authority certificates in separate
+ individual files. Typically the file names need to
+ be the hash of the certificate followed by '.0'.
+ If available <command>cacertdir_rehash</command>
+ can be used to create the correct names.
+ </para>
+ <para>
+ Default: use OpenLDAP defaults, typically in
+ /etc/openldap/ldap.conf
+ </para>
</listitem>
</varlistentry>
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index a64a27f7..430ac216 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -629,9 +629,7 @@ int sssm_ldap_auth_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_data)
{
- int ldap_opt_x_tls_require_cert;
struct sdap_auth_ctx *ctx;
- char *tls_reqcert;
int ret;
ctx = talloc(bectx, struct sdap_auth_ctx);
@@ -643,37 +641,10 @@ int sssm_ldap_auth_init(struct be_ctx *bectx,
&ctx->opts);
if (ret != EOK) goto done;
- tls_reqcert = sdap_go_get_string(ctx->opts->basic, SDAP_TLS_REQCERT);
- if (tls_reqcert) {
- if (strcasecmp(tls_reqcert, "never") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER;
- }
- else if (strcasecmp(tls_reqcert, "allow") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW;
- }
- else if (strcasecmp(tls_reqcert, "try") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY;
- }
- else if (strcasecmp(tls_reqcert, "demand") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
- }
- else if (strcasecmp(tls_reqcert, "hard") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD;
- }
- else {
- DEBUG(1, ("Unknown value for tls_reqcert.\n"));
- ret = EINVAL;
- goto done;
- }
- /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option,
- * because the SSL/TLS context is initialized from this value. */
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
- &ldap_opt_x_tls_require_cert);
- if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
- ret = EIO;
- goto done;
- }
+ ret = setup_tls_config(ctx->opts->basic);
+ if (ret != EOK) {
+ DEBUG(1, ("setup_tls_config failed [%d][%s].\n", ret, strerror(ret)));
+ goto done;
}
*ops = &sdap_auth_ops;
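Review bot: `setup_tls_config(ctx->opts->basic)` configures libldap through the NULL handle, i.e. process-global state, and the same call is now made from sssm_ldap_init in the ldap_id.c hunk; if both providers are loaded into one backend process with differing ldap_tls_* values, whichever init runs last silently overrides the other's TLS settings. If that is the intended model it deserves a comment at the call site, e.g. `/* process-global libldap TLS settings; the last provider init to run wins */`, otherwise setup_tls_config should detect a second call with different values. sssm_ldap_auth_init begins and ends outside this hunk.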
diff --git a/server/providers/ldap/ldap_id.c b/server/providers/ldap/ldap_id.c
index 4a06298f..12fb476b 100644
--- a/server/providers/ldap/ldap_id.c
+++ b/server/providers/ldap/ldap_id.c
@@ -1301,10 +1301,8 @@ int sssm_ldap_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_data)
{
- int ldap_opt_x_tls_require_cert;
struct tevent_timer *enum_task;
struct sdap_id_ctx *ctx;
- char *tls_reqcert;
int ret;
ctx = talloc_zero(bectx, struct sdap_id_ctx);
@@ -1313,38 +1311,12 @@ int sssm_ldap_init(struct be_ctx *bectx,
ctx->be = bectx;
ret = sdap_get_options(ctx, bectx->cdb, bectx->conf_path, &ctx->opts);
+ if (ret != EOK) goto done;
- tls_reqcert = sdap_go_get_string(ctx->opts->basic, SDAP_TLS_REQCERT);
- if (tls_reqcert) {
- if (strcasecmp(tls_reqcert, "never") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER;
- }
- else if (strcasecmp(tls_reqcert, "allow") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW;
- }
- else if (strcasecmp(tls_reqcert, "try") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY;
- }
- else if (strcasecmp(tls_reqcert, "demand") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
- }
- else if (strcasecmp(tls_reqcert, "hard") == 0) {
- ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD;
- }
- else {
- DEBUG(1, ("Unknown value for tls_reqcert.\n"));
- ret = EINVAL;
- goto done;
- }
- /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option,
- * because the SSL/TLS context is initialized from this value. */
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
- &ldap_opt_x_tls_require_cert);
- if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
- ret = EIO;
- goto done;
- }
+ ret = setup_tls_config(ctx->opts->basic);
+ if (ret != EOK) {
+ DEBUG(1, ("setup_tls_config failed [%d][%s].\n", ret, strerror(ret)));
+ goto done;
}
/* set up enumeration task */
diff --git a/server/providers/ldap/sdap.c b/server/providers/ldap/sdap.c
index eded6eed..07e48c18 100644
--- a/server/providers/ldap/sdap.c
+++ b/server/providers/ldap/sdap.c
@@ -49,7 +49,9 @@ struct sdap_gen_opts default_basic_opts[] = {
{ "ldap_offline_timeout", SDAP_NUMBER, { .number = 60 }, NULL_NUMBER },
{ "ldap_force_upper_case_realm", SDAP_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_enumeration_refresh_timeout", SDAP_NUMBER, { .number = 300 }, NULL_NUMBER },
- { "ldap_stale_time", SDAP_NUMBER, { .number = 1800 }, NULL_NUMBER }
+ { "ldap_stale_time", SDAP_NUMBER, { .number = 1800 }, NULL_NUMBER },
+ { "ldap_tls_cacert", SDAP_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cacertdir", SDAP_STRING, NULL_STRING, NULL_STRING }
};
struct sdap_id_map rfc2307_user_map[] = {
@@ -543,3 +545,59 @@ int sdap_get_msg_dn(TALLOC_CTX *memctx, struct sdap_handle *sh,
return EOK;
}
+errno_t setup_tls_config(struct sdap_gen_opts *basic_opts)
+{
+ int ret;
+ int ldap_opt_x_tls_require_cert;
+ const char *tls_opt;
+ tls_opt = sdap_go_get_string(basic_opts, SDAP_TLS_REQCERT);
+ if (tls_opt) {
+ if (strcasecmp(tls_opt, "never") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER;
+ }
+ else if (strcasecmp(tls_opt, "allow") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW;
+ }
+ else if (strcasecmp(tls_opt, "try") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY;
+ }
+ else if (strcasecmp(tls_opt, "demand") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+ }
+ else if (strcasecmp(tls_opt, "hard") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD;
+ }
+ else {
+ DEBUG(1, ("Unknown value for tls_reqcert.\n"));
+ return EINVAL;
+ }
+ /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option,
+ * because the SSL/TLS context is initialized from this value. */
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+ &ldap_opt_x_tls_require_cert);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ return EIO;
+ }
+ }
+
+ tls_opt = sdap_go_get_string(basic_opts, SDAP_TLS_CACERT);
+ if (tls_opt) {
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_opt);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ return EIO;
+ }
+ }
+
+ tls_opt = sdap_go_get_string(basic_opts, SDAP_TLS_CACERTDIR);
+ if (tls_opt) {
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, tls_opt);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ return EIO;
+ }
+ }
+
+ return EOK;
+}
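Review bot: The unknown-value branch at `DEBUG(1, ("Unknown value for tls_reqcert.\n"));` drops the offending string, so an administrator only sees `setup_tls_config failed [22][Invalid argument]` from the callers; `DEBUG(1, ("Unknown value for tls_reqcert [%s].\n", tls_opt));` would name it. The three `ldap_err2string(ret)` calls format the return of ldap_set_option, which as far as I know is LDAP_OPT_SUCCESS or LDAP_OPT_ERROR rather than an LDAP result code, so the text is unlikely to be informative; logging which option (LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_CACERTDIR, LDAP_OPT_X_TLS_REQUIRE_CERT) failed would help more. libldap only records the cacert and cacertdir paths here, so an unreadable file or directory is not detected until the first TLS handshake; a config-time readability check could report the misconfiguration at startup instead. When ldap_tls_reqcert is unset nothing is written to LDAP_OPT_X_TLS_REQUIRE_CERT, so unless the defaults table (not visible in this hunk) supplies a value, the "Default: hard" stated in the man page comes from libldap's own default and can be overridden by a TLS_REQCERT line in the system ldap.conf.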
diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h
index 7168a5a0..8a932d3d 100644
--- a/server/providers/ldap/sdap.h
+++ b/server/providers/ldap/sdap.h
@@ -88,6 +88,8 @@ enum sdap_basic_opt {
SDAP_FORCE_UPPER_CASE_REALM,
SDAP_ENUM_REFRESH_TIMEOUT,
SDAP_STALE_TIME,
+ SDAP_TLS_CACERT,
+ SDAP_TLS_CACERTDIR,
SDAP_OPTS_BASIC /* opts counter */
};
@@ -207,3 +209,5 @@ int sdap_parse_group(TALLOC_CTX *memctx, struct sdap_options *opts,
int sdap_get_msg_dn(TALLOC_CTX *memctx, struct sdap_handle *sh,
struct sdap_msg *sm, char **_dn);
+
+errno_t setup_tls_config(struct sdap_gen_opts *basic_opts);
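Review bot: The new prototype `errno_t setup_tls_config(struct sdap_gen_opts *basic_opts);` carries no comment describing its contract. Suggest a short comment above it stating that it reads SDAP_TLS_REQCERT, SDAP_TLS_CACERT and SDAP_TLS_CACERTDIR from basic_opts and applies them as process-global libldap options (ldap_set_option on the NULL handle), returning EOK on success, EINVAL for an unrecognised tls_reqcert value, or EIO when ldap_set_option fails.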