Require a minimum SASL security factor of 56

SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections.

Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.

Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Christian Heimes
2019-02-05 15:19:43 +01:00
committed by Tibor Dudlák
parent 1dfac4f5b7
commit 3509545897
5 changed files with 38 additions and 2 deletions

@@ -324,6 +324,8 @@ class DsInstance(service.Service):
else:
self.step("importing CA certificates from LDAP",
self.__import_ca_certs)
# set min SSF after DS is configured for TLS
self.step("require minimal SSF", self.__min_ssf)
self.step("restarting directory server", self.__restart_instance)
self.start_creation()
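Review bot: the placement of the new "require minimal SSF" step needs confirming, since it is queued right after the else-branch step "importing CA certificates from LDAP" and the visible context does not show whether it belongs to that else or follows the whole if/else. If the minimum SSF is meant to apply on every install path, make sure the step runs on both branches. The comment "set min SSF after DS is configured for TLS" states the ordering but not the reason; please say why the step must come after TLS setup and whether the limit depends on the "restarting directory server" step that follows to take effect.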
@@ -1241,6 +1243,9 @@ class DsInstance(service.Service):
dm_password=self.dm_password
)
def __min_ssf(self):
self._ldap_mod("min-ssf.ldif")
def __add_sudo_binduser(self):
self._ldap_mod("sudobind.ldif", self.sub_dict)
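Review bot: __min_ssf has no docstring and calls self._ldap_mod("min-ssf.ldif") without a substitution dict, unlike __add_sudo_binduser just below, which passes self.sub_dict. That means the threshold of 56 from the commit message lives only in the LDIF file and cannot be templated or overridden from here. Please add a short docstring naming the setting and value the LDIF applies and why 56 was chosen, and pass self.sub_dict if the value is ever expected to vary per deployment.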