IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Apply sane LDAP settings to C code

Browse Source 
Common LDAP code from ipa-getkeytab and ipa-join are moved to libutil.a.
The common ipa_ldap_init() and ipa_tls_ssl_init() set the same options
as ldap_initialize()

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Christian Heimes 2018-02-21 15:32:07 +01:00
parent 9a9c8ced30
commit 829998b19b
7 changed files with 174 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
client/Makefile.am
View File

@ -80,6 +80,7 @@ ipa_join_SOURCES = \
$(NULL) $(NULL)
ipa_join_LDADD = \ ipa_join_LDADD = \
$(top_builddir)/util/libutil.la \
$(KRB5_LIBS) \ $(KRB5_LIBS) \
$(LDAP_LIBS) \ $(LDAP_LIBS) \
$(SASL_LIBS) \ $(SASL_LIBS) \

70
client/ipa-getkeytab.c
View File

@ -43,14 +43,8 @@
#include "ipa_krb5.h" #include "ipa_krb5.h"
#include "ipa_asn1.h" #include "ipa_asn1.h"
#include "ipa-client-common.h" #include "ipa-client-common.h"
#include "ipa_ldap.h"
#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt"
#define LDAP_SASL_EXTERNAL "EXTERNAL"
#define LDAP_SASL_GSSAPI "GSSAPI"
#define SCHEMA_LDAP "ldap://"
#define SCHEMA_LDAPS "ldaps://"
static int check_sasl_mech(const char *mech) static int check_sasl_mech(const char *mech)
{ {
@ -178,42 +172,6 @@ static int ipa_server_to_uri(const char *servername, const char *mech,
return 0; return 0;
} }
static int ipa_ldap_init(LDAP **ld, const char *ldap_uri)
{
int rc = 0;
rc = ldap_initialize(ld, ldap_uri);
return rc;
}
static int ipa_tls_ssl_init(LDAP *ld, const char *ldap_uri)
{
int ret = LDAP_SUCCESS;
int tls_hard = LDAP_OPT_X_TLS_HARD;
int tls_demand = LDAP_OPT_X_TLS_DEMAND;
if (strncmp(ldap_uri, SCHEMA_LDAP, sizeof(SCHEMA_LDAP) - 1) == 0) {
ret = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_demand);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_REQUIRE_CERT\n"));
return ret;
}
ret = ldap_start_tls_s(ld, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to initialize STARTTLS session\n"));
return ret;
}
} else if (strncmp(ldap_uri, SCHEMA_LDAPS, sizeof(SCHEMA_LDAPS) - 1) == 0) {
ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &tls_hard);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS\n"));
return ret;
}
}
return ret;
}
static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ, static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw, const char *bind_dn, const char *bind_pw,
const char *mech, const char *ca_cert_file, const char *mech, const char *ca_cert_file,
@ -221,20 +179,12 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
{ {
char *msg = NULL; char *msg = NULL;
struct berval bv; struct berval bv;
int version;
LDAP *ld; LDAP *ld;
int ret; int ret;
/* TODO: support referrals ? */ /* TODO: support referrals ? */
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CERTIFICATE\n"));
return ret;
}
ret = ipa_ldap_init(&ld, ldap_uri); ret = ipa_ldap_init(&ld, ldap_uri);
if (ret != LDAP_SUCCESS) { if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init connection to %s\n"), ldap_uri);
return ret; return ret;
} }
@ -243,23 +193,7 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
return LDAP_OPERATIONS_ERROR; return LDAP_OPERATIONS_ERROR;
} }
#ifdef LDAP_OPT_X_SASL_NOCANON ret = ipa_tls_ssl_init(ld, ldap_uri, ca_cert_file);
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto done;
}
#endif
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
goto done;
}
ret = ipa_tls_ssl_init(ld, ldap_uri);
if (ret != LDAP_OPT_SUCCESS) { if (ret != LDAP_OPT_SUCCESS) {
goto done; goto done;
} }

37
client/ipa-join.c
View File

@ -39,13 +39,12 @@
#include "xmlrpc-c/client.h" #include "xmlrpc-c/client.h"
#include "ipa-client-common.h" #include "ipa-client-common.h"
#include "ipa_ldap.h"
#define NAME "ipa-join" #define NAME "ipa-join"
#define JOIN_OID "2.16.840.1.113730.3.8.10.3" #define JOIN_OID "2.16.840.1.113730.3.8.10.3"
#define CAFILE "/etc/ipa/ca.crt"
#define IPA_CONFIG "/etc/ipa/default.conf" #define IPA_CONFIG "/etc/ipa/default.conf"
char * read_config_file(const char *filename); char * read_config_file(const char *filename);
@ -200,8 +199,6 @@ callRPC(char * user_agent,
static LDAP * static LDAP *
connect_ldap(const char *hostname, const char *binddn, const char *bindpw) { connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
LDAP *ld = NULL; LDAP *ld = NULL;
int ssl = LDAP_OPT_X_TLS_HARD;
int version = LDAP_VERSION3;
int ret; int ret;
int ldapdebug = 0; int ldapdebug = 0;
char *uri; char *uri;
@ -215,40 +212,23 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
} }
} }
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS)
goto fail;
ret = asprintf(&uri, "ldaps://%s:636", hostname); ret = asprintf(&uri, "ldaps://%s:636", hostname);
if (ret == -1) { if (ret == -1) {
fprintf(stderr, _("Out of memory!")); fprintf(stderr, _("Out of memory!"));
goto fail; goto fail;
} }
ret = ldap_initialize(&ld, uri); ret = ipa_ldap_init(&ld, uri);
free(uri); if (ret != LDAP_SUCCESS) {
if(ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to initialize connection to ldap server: %s"),
ldap_err2string(ret));
goto fail; goto fail;
} }
ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) { if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to enable SSL in LDAP\n")); fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
goto fail; goto fail;
} }
free(uri);
/* Don't do DNS canonicalization */ uri = NULL;
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto fail;
}
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP version\n"));
goto fail;
}
if (bindpw) { if (bindpw) {
bindpw_bv.bv_val = discard_const(bindpw); bindpw_bv.bv_val = discard_const(bindpw);
@ -276,6 +256,9 @@ fail:
if (ld != NULL) { if (ld != NULL) {
ldap_unbind_ext(ld, NULL, NULL); ldap_unbind_ext(ld, NULL, NULL);
} }
if (uri != NULL) {
free(uri);
}
return NULL; return NULL;
} }

3
ipatests/util.py
View File

@ -859,7 +859,8 @@ def get_entity_keytab(principal, options=None):
yield keytab_filename yield keytab_filename
finally: finally:
os.remove(keytab_filename) if os.path.isfile(keytab_filename):
os.remove(keytab_filename)
@contextmanager @contextmanager

2
util/Makefile.am
View File

@ -7,6 +7,8 @@ noinst_LTLIBRARIES = libutil.la
libutil_la_SOURCES = ipa_krb5.c \ libutil_la_SOURCES = ipa_krb5.c \
ipa_krb5.h \ ipa_krb5.h \
ipa_mspac.h \ ipa_mspac.h \
ipa_ldap.c \
ipa_ldap.h \
ipa_pwd.c \ ipa_pwd.c \
ipa_pwd.h \ ipa_pwd.h \
ipa_pwd_ntlm.c ipa_pwd_ntlm.c

118
util/ipa_ldap.c Normal file
View File

@ -0,0 +1,118 @@
/* Authors: Christian Heimes <cheimes@redhat.com>
* Simo Sorce <ssorce@redhat.com>
*
* Copyright (C) 2018 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include "ipa_ldap.h"
/** Initialize LDAP context
*
* Initializes an LDAP context for a given LDAP URI. LDAP protocol version
* and SASL canonization are disabled.
*
*/
int ipa_ldap_init(LDAP **ld, const char *ldap_uri)
{
int ret = 0;
int version = LDAP_VERSION3;
ret = ldap_initialize(ld, ldap_uri);
if (ret != LDAP_SUCCESS) {
fprintf(
stderr,
_("Unable to initialize connection to ldap server %1$s: %1$s\n"),
ldap_uri,
ldap_err2string(ret)
);
return ret;
}
/* StartTLS and other features need LDAP protocol version 3 */
ret = ldap_set_option(*ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
return ret;
}
#ifdef LDAP_OPT_X_SASL_NOCANON
/* Don't do DNS canonization */
ret = ldap_set_option(*ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
return ret;
}
#endif
return ret;
}
/** Configure TLS/SSL and perform StartTLS for ldap://
*
* The LDAP connection is configured for secure TLS.
*
*/
int ipa_tls_ssl_init(LDAP *ld, const char *ldap_uri,
const char *ca_cert_file)
{
int ret = LDAP_SUCCESS;
int tls_demand = LDAP_OPT_X_TLS_DEMAND;
int tlsv1_0 = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
int newctx = 0; /* client context */
if (strncmp(ldap_uri, SCHEMA_LDAPI, sizeof(SCHEMA_LDAPI) - 1) == 0) {
/* Nothing to do for LDAPI */
return ret;
}
ret = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CACERTFILE\n"));
return ret;
}
/* Require a valid certificate */
ret = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_demand);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_REQUIRE_CERT\n"));
return ret;
}
/* Disable SSLv2 and SSLv3 */
ret = ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &tlsv1_0);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_PROTOCOL_MIN\n"));
return ret;
}
/* Apply TLS settings and create new client context */
ret = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &newctx);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_NEWCTX\n"));
return ret;
}
if (strncmp(ldap_uri, SCHEMA_LDAP, sizeof(SCHEMA_LDAP) - 1) == 0) {
ret = ldap_start_tls_s(ld, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to initialize STARTTLS session\n"));
return ret;
}
}
return ret;
}

39
util/ipa_ldap.h Normal file
View File

@ -0,0 +1,39 @@
/* Authors: Christian Heimes <cheimes@redhat.com>
* Simo Sorce <ssorce@redhat.com>
*
* Copyright (C) 2018 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <ldap.h>
#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt"
#define LDAP_SASL_EXTERNAL "EXTERNAL"
#define LDAP_SASL_GSSAPI "GSSAPI"
#define SCHEMA_LDAPI "ldapi://"
#define SCHEMA_LDAP "ldap://"
#define SCHEMA_LDAPS "ldaps://"
#ifndef _
#include <libintl.h>
#define _(STRING) gettext(STRING)
#endif
int ipa_ldap_init(LDAP **ld, const char *ldap_uri);
int ipa_tls_ssl_init(LDAP *ld, const char *ldap_uri,
const char *ca_cert_file);