IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Allow insecure binds for migration

Browse Source 
Commit 5be9341fba disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.

This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.

Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
This commit is contained in:
Christian Heimes
2019-08-13 17:22:01 +02:00
parent 17c2e31fdc
commit a36556e106
2 changed files with 9 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ipapython/ipaldap.py
View File

@@ -1206,12 +1206,14 @@ class LDAPClient:
return conn return conn
def simple_bind(self, bind_dn, bind_password, server_controls=None, def simple_bind(self, bind_dn, bind_password, server_controls=None,
client_controls=None): client_controls=None, insecure_bind=False):
""" """
Perform simple bind operation. Perform simple bind operation.
""" """
if self.protocol == 'ldap' and not self._start_tls and bind_password: if (self.protocol == 'ldap' and not self._start_tls and
# non-empty bind must use a secure connection bind_password and not insecure_bind):
# non-empty bind must use a secure connection unless
# insecure bind is explicitly enabled
raise ValueError('simple_bind over insecure LDAP connection') raise ValueError('simple_bind over insecure LDAP connection')
with self.error_handler(): with self.error_handler():
self._flush_schema() self._flush_schema()

9
ipaserver/plugins/migration.py
View File

@@ -901,20 +901,19 @@ migration process might be incomplete\n''')
return dict(result={}, failed={}, enabled=False, compat=True) return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS # connect to DS
cacert = None
if options.get('cacertfile') is not None: if options.get('cacertfile') is not None:
# store CA cert into file # store CA cert into file
tmp_ca_cert_f = write_tmp_file(options['cacertfile']) tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
cacert = tmp_ca_cert_f.name cacert = tmp_ca_cert_f.name
# start TLS connection # start TLS connection or STARTTLS
ds_ldap = LDAPClient(ldapuri, cacert=cacert) ds_ldap = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
ds_ldap.simple_bind(options['binddn'], bindpw) ds_ldap.simple_bind(options['binddn'], bindpw)
tmp_ca_cert_f.close() tmp_ca_cert_f.close()
else: else:
ds_ldap = LDAPClient(ldapuri, cacert=cacert) ds_ldap = LDAPClient(ldapuri)
ds_ldap.simple_bind(options['binddn'], bindpw) ds_ldap.simple_bind(options['binddn'], bindpw, insecure_bind=True)
# check whether the compat plugin is enabled # check whether the compat plugin is enabled
if not options.get('compat'): if not options.get('compat'):