Use sane default settings for ldap connections
LDAP connections no longer depend on sane settings in global ldap.conf and use good default settings for cert validation, CA, and SASL canonization. https://pagure.io/freeipa/issue/7418 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
parent
9b8bb85eca
commit
9a9c8ced30
@ -1572,7 +1572,7 @@ def cert_summary(msg, certs, indent=' '):
|
|||||||
|
|
||||||
def get_certs_from_ldap(server, base_dn, realm, ca_enabled):
|
def get_certs_from_ldap(server, base_dn, realm, ca_enabled):
|
||||||
ldap_uri = ipaldap.get_ldap_uri(server)
|
ldap_uri = ipaldap.get_ldap_uri(server)
|
||||||
conn = ipaldap.LDAPClient(ldap_uri, sasl_nocanon=True)
|
conn = ipaldap.LDAPClient(ldap_uri)
|
||||||
try:
|
try:
|
||||||
conn.gssapi_bind()
|
conn.gssapi_bind()
|
||||||
certs = certstore.get_ca_certs(conn, base_dn, realm, ca_enabled)
|
certs = certstore.get_ca_certs(conn, base_dn, realm, ca_enabled)
|
||||||
|
@ -20,6 +20,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
import binascii
|
import binascii
|
||||||
|
import errno
|
||||||
import logging
|
import logging
|
||||||
import time
|
import time
|
||||||
import datetime
|
import datetime
|
||||||
@ -87,28 +88,34 @@ if six.PY2 and hasattr(ldap, 'LDAPBytesWarning'):
|
|||||||
|
|
||||||
def ldap_initialize(uri, cacertfile=None):
|
def ldap_initialize(uri, cacertfile=None):
|
||||||
"""Wrapper around ldap.initialize()
|
"""Wrapper around ldap.initialize()
|
||||||
|
|
||||||
|
The function undoes global and local ldap.conf settings that may cause
|
||||||
|
issues or reduce security:
|
||||||
|
|
||||||
|
* Canonization of SASL host names is disabled.
|
||||||
|
* With cacertfile=None, the connection uses OpenSSL's default verify
|
||||||
|
locations, also known as system-wide trust store.
|
||||||
|
* Cert validation is enforced.
|
||||||
|
* SSLv2 and SSLv3 are disabled.
|
||||||
"""
|
"""
|
||||||
conn = ldap.initialize(uri)
|
conn = ldap.initialize(uri)
|
||||||
|
|
||||||
|
# Do not perform reverse DNS lookups to canonicalize SASL host names
|
||||||
|
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
|
||||||
|
|
||||||
if not uri.startswith('ldapi://'):
|
if not uri.startswith('ldapi://'):
|
||||||
if cacertfile:
|
if cacertfile:
|
||||||
|
if not os.path.isfile(cacertfile):
|
||||||
|
raise IOError(errno.ENOENT, cacertfile)
|
||||||
conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
|
conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
|
||||||
newctx = True
|
|
||||||
else:
|
|
||||||
newctx = False
|
|
||||||
|
|
||||||
req_cert = conn.get_option(ldap.OPT_X_TLS_REQUIRE_CERT)
|
# SSLv3 and SSLv2 are insecure
|
||||||
if req_cert != ldap.OPT_X_TLS_DEMAND:
|
conn.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, 0x301) # TLS 1.0
|
||||||
# libldap defaults to cert validation, but the default can be
|
# libldap defaults to cert validation, but the default can be
|
||||||
# overridden in global or user local ldap.conf.
|
# overridden in global or user local ldap.conf.
|
||||||
conn.set_option(
|
conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
|
||||||
ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND
|
# reinitialize TLS context to materialize settings
|
||||||
)
|
conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
|
||||||
newctx = True
|
|
||||||
|
|
||||||
# reinitialize TLS context
|
|
||||||
if newctx:
|
|
||||||
conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
|
|
||||||
|
|
||||||
return conn
|
return conn
|
||||||
|
|
||||||
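Review bot: In the new `if not os.path.isfile(cacertfile)` guard, `IOError(errno.ENOENT, cacertfile)` passes the path as the strerror argument, so the exception's `filename` attribute stays None and the message reads like `[Errno 2] /path/to/ca.pem`; use `raise IOError(errno.ENOENT, os.strerror(errno.ENOENT), cacertfile)` so the path lands in `filename`. The guard also presumes `os` is already imported in this module, which the import hunk above does not show. The `0x301` floor for OPT_X_TLS_PROTOCOL_MIN only excludes SSLv2/SSLv3 and still admits TLS 1.0 and 1.1; if that is deliberate for compatibility, a named module-level constant with a one-line comment on why 1.0 remains allowed would make the choice auditable, and the docstring bullet could say "SSLv2 and SSLv3 are disabled (minimum TLS 1.0)" rather than leaving the floor implicit. Setting OPT_X_TLS_NEWCTX last, after every other TLS option, is correct and worth keeping as-is.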
@ -733,7 +740,7 @@ class LDAPClient(object):
|
|||||||
|
|
||||||
def __init__(self, ldap_uri, start_tls=False, force_schema_updates=False,
|
def __init__(self, ldap_uri, start_tls=False, force_schema_updates=False,
|
||||||
no_schema=False, decode_attrs=True, cacert=None,
|
no_schema=False, decode_attrs=True, cacert=None,
|
||||||
sasl_nocanon=False):
|
sasl_nocanon=True):
|
||||||
"""Create LDAPClient object.
|
"""Create LDAPClient object.
|
||||||
|
|
||||||
:param ldap_uri: The LDAP URI to connect to
|
:param ldap_uri: The LDAP URI to connect to
|
||||||
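Review bot: Flipping the `sasl_nocanon` default from False to True changes behaviour for every existing caller of LDAPClient, so the parameter description in this docstring (the rest of which lies outside the hunk) should state the new default and its effect, e.g. `:param sasl_nocanon: Do not canonicalize the SASL host name via reverse DNS (default True)`, assuming the docstring lists the parameter at all. __init__'s body continues past the hunk.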
@ -1120,8 +1127,10 @@ class LDAPClient(object):
|
|||||||
def _connect(self):
|
def _connect(self):
|
||||||
with self.error_handler():
|
with self.error_handler():
|
||||||
conn = ldap_initialize(self.ldap_uri, cacertfile=self._cacert)
|
conn = ldap_initialize(self.ldap_uri, cacertfile=self._cacert)
|
||||||
if self._sasl_nocanon:
|
# SASL_NOCANON is set to ON in Fedora's default ldap.conf and
|
||||||
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
|
# in the ldap_initialize() function.
|
||||||
|
if not self._sasl_nocanon:
|
||||||
|
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_OFF)
|
||||||
|
|
||||||
if self._start_tls:
|
if self._start_tls:
|
||||||
conn.start_tls_s()
|
conn.start_tls_s()
|
||||||
|
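Review bot: The rewritten branch `if not self._sasl_nocanon: conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_OFF)` now actively forces reverse-DNS canonicalization on whenever a caller passes sasl_nocanon=False, whereas the removed code merely left the ldap.conf default in place; the new comment explains where ON comes from but not this reversal. Suggest extending it with `# sasl_nocanon=False therefore re-enables canonicalization explicitly, overriding ldap.conf` so readers understand that False no longer means "inherit". _connect's body continues outside the hunk.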
@ -728,11 +728,8 @@ class DomainValidator(object):
|
|||||||
conn = ipaldap.LDAPClient(
|
conn = ipaldap.LDAPClient(
|
||||||
ldap_uri,
|
ldap_uri,
|
||||||
no_schema=True,
|
no_schema=True,
|
||||||
decode_attrs=False,
|
decode_attrs=False
|
||||||
sasl_nocanon=True)
|
)
|
||||||
# sasl_nocanon used to avoid hard requirement for PTR
|
|
||||||
# records pointing back to the same host name
|
|
||||||
|
|
||||||
conn.gssapi_bind()
|
conn.gssapi_bind()
|
||||||
|
|
||||||
if basedn is None:
|
if basedn is None:
|
||||||
|