Apply sane LDAP settings to C code

Common LDAP code from ipa-getkeytab and ipa-join are moved to libutil.a.
The common ipa_ldap_init() and ipa_tls_ssl_init() set the same options
as ldap_initialize()

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

util/Makefile.am

@@ -7,6 +7,8 @@ noinst_LTLIBRARIES = libutil.la
 libutil_la_SOURCES =	ipa_krb5.c \
 			ipa_krb5.h \
 			ipa_mspac.h \
+			ipa_ldap.c \
+			ipa_ldap.h \
 			ipa_pwd.c \
 			ipa_pwd.h \
 			ipa_pwd_ntlm.c

util/ipa_ldap.c

@@ -0,0 +1,118 @@
+/* Authors: Christian Heimes <cheimes@redhat.com>
+ *          Simo Sorce <ssorce@redhat.com>
+ *
+ * Copyright (C) 2018  Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+
+#include "ipa_ldap.h"
+
+/** Initialize LDAP context
+ *
+ * Initializes an LDAP context for a given LDAP URI. LDAP protocol version
+ * and SASL canonization are disabled.
+ *
+ */
+int ipa_ldap_init(LDAP **ld, const char *ldap_uri)
+{
+    int ret = 0;
+    int version = LDAP_VERSION3;
+    ret = ldap_initialize(ld, ldap_uri);
+
+    if (ret != LDAP_SUCCESS) {
+        fprintf(
+            stderr,
+            _("Unable to initialize connection to ldap server %1$s: %1$s\n"),
+            ldap_uri,
+            ldap_err2string(ret)
+        );
+        return ret;
+    }
+
+    /* StartTLS and other features need LDAP protocol version 3 */
+    ret = ldap_set_option(*ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+    if (ret != LDAP_SUCCESS) {
+        fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
+        return ret;
+    }
+
+#ifdef LDAP_OPT_X_SASL_NOCANON
+    /* Don't do DNS canonization */
+    ret = ldap_set_option(*ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+    if (ret != LDAP_SUCCESS) {
+        fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+        return ret;
+    }
+#endif
+
+    return ret;
+}
+
+/** Configure TLS/SSL and perform StartTLS for ldap://
+ *
+ * The LDAP connection is configured for secure TLS.
+ *
+ */
+int ipa_tls_ssl_init(LDAP *ld, const char *ldap_uri,
+                     const char *ca_cert_file)
+{
+    int ret = LDAP_SUCCESS;
+    int tls_demand = LDAP_OPT_X_TLS_DEMAND;
+    int tlsv1_0 = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
+    int newctx = 0;  /* client context */
+
+    if (strncmp(ldap_uri, SCHEMA_LDAPI, sizeof(SCHEMA_LDAPI) - 1) == 0) {
+        /* Nothing to do for LDAPI */
+        return ret;
+    }
+
+    ret = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
+    if (ret != LDAP_OPT_SUCCESS) {
+        fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CACERTFILE\n"));
+        return ret;
+    }
+    /* Require a valid certificate */
+    ret = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_demand);
+    if (ret != LDAP_OPT_SUCCESS) {
+        fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_REQUIRE_CERT\n"));
+        return ret;
+    }
+    /* Disable SSLv2 and SSLv3 */
+    ret = ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &tlsv1_0);
+    if (ret != LDAP_OPT_SUCCESS) {
+        fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_PROTOCOL_MIN\n"));
+        return ret;
+    }
+    /* Apply TLS settings and create new client context */
+    ret = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &newctx);
+    if (ret != LDAP_OPT_SUCCESS) {
+        fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_NEWCTX\n"));
+        return ret;
+    }
+
+    if (strncmp(ldap_uri, SCHEMA_LDAP, sizeof(SCHEMA_LDAP) - 1) == 0) {
+        ret = ldap_start_tls_s(ld, NULL, NULL);
+        if (ret != LDAP_SUCCESS) {
+            fprintf(stderr, _("Unable to initialize STARTTLS session\n"));
+            return ret;
+        }
+    }
+    return ret;
+}

util/ipa_ldap.h

@@ -0,0 +1,39 @@
+/* Authors: Christian Heimes <cheimes@redhat.com>
+ *          Simo Sorce <ssorce@redhat.com>
+ *
+ * Copyright (C) 2018  Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <ldap.h>
+
+#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt"
+
+#define LDAP_SASL_EXTERNAL "EXTERNAL"
+#define LDAP_SASL_GSSAPI "GSSAPI"
+
+#define SCHEMA_LDAPI "ldapi://"
+#define SCHEMA_LDAP "ldap://"
+#define SCHEMA_LDAPS "ldaps://"
+
+#ifndef _
+#include <libintl.h>
+#define _(STRING) gettext(STRING)
+#endif
+
+int ipa_ldap_init(LDAP **ld, const char *ldap_uri);
+int ipa_tls_ssl_init(LDAP *ld, const char *ldap_uri,
+                     const char *ca_cert_file);