Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.

This ensures a correct configuration in case a user has created their own openldap config file and set SASL_SECPROPS to something bad. Note that this doesn't modify the 389-ds setting which by default is 0. https://fedorahosted.org/freeipa/ticket/2021
2025-02-25 18:55:28 -06:00 · 2011-12-06 17:36:15 -05:00
parent 01929015e0
commit e6cdcad8df
1 changed files with 9 additions and 0 deletions
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -450,6 +450,15 @@ class ldap2(CrudBackend, Encoder):
            conn = _ldap.initialize(self.ldap_uri)
            if self.ldap_uri.startswith('ldapi://') and ccache:
                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
+            minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
+            maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
+            # Always connect with at least an SSF of 56, confidentiality
+            # This also protects us from a broken ldap.conf
+            if minssf < 56:
+                minssf = 56
+                conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf)
+                if maxssf < minssf:
+                    conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
            if ccache is not None:
                os.environ['KRB5CCNAME'] = ccache
                conn.sasl_interactive_bind_s('', SASL_AUTH)