IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Require a minimum SASL security factor of 56"

Browse Source 
This reverts commit 3509545897.

We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.

The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.

We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.

Reviewed-By: François Cami <fcami@redhat.com>
This commit is contained in:
Alexander Bokovoy
2019-05-01 21:25:31 +03:00
committed by François Cami
parent e73fdcf8ba
commit 294aa3a333
5 changed files with 2 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
ipapython/ipaldap.py
View File

@@ -43,9 +43,7 @@ import six
# pylint: disable=ipa-forbidden-import
from ipalib import errors, x509, _
from ipalib.constants import (
LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
)
from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
# pylint: enable=ipa-forbidden-import
from ipaplatform.paths import paths
from ipapython.ipautil import format_netloc, CIDict
@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
def ldap_initialize(uri, cacertfile=None,
ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
def ldap_initialize(uri, cacertfile=None):
"""Wrapper around ldap.initialize()
The function undoes global and local ldap.conf settings that may cause
@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
locations, also known as system-wide trust store.
* Cert validation is enforced.
* SSLv2 and SSLv3 are disabled.
* Require a minimum SASL security factor of 56. That level ensures
data integrity and confidentiality. Although at least AES128 is
enforced pretty much everywhere, 56 is required for backwards
compatibility with systems that announce wrong SSF.
"""
conn = ldap.initialize(uri)
@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
if not uri.startswith('ldapi://'):
# require a minimum SSF for TCP connections, but don't lower SSF_MIN
# if the current value is already larger.
cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
if cur_min_ssf < ssf_min_threshold:
conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
if cacertfile:
if not os.path.isfile(cacertfile):
raise IOError(errno.ENOENT, cacertfile)