From 74d0248dcb69797d68dac6744aa2a17081dfdfab Mon Sep 17 00:00:00 2001
From: Justin Stephenson
Date: Wed, 27 Sep 2023 15:11:50 -0400
Subject: [PATCH] ldap: Switch ldap_id_use_start_tls default to allow
Resolves: https://github.com/SSSD/sssd/issues/6681
---
 src/man/sssd-ldap.5.xml | 2 +-
 src/providers/ldap/ldap_opts.c | 2 +-
 src/tests/intg/ldap_local_override_test.py | 1 +
 src/tests/intg/test_enumeration.py | 1 +
 src/tests/intg/test_infopipe.py | 1 +
 src/tests/intg/test_ldap.py | 1 +
 src/tests/intg/test_memory_cache.py | 8 ++++++++
 src/tests/intg/test_netgroup.py | 1 +
 src/tests/intg/test_pysss_nss_idmap.py | 1 +
 src/tests/intg/test_resolver.py | 1 +
 src/tests/intg/test_session_recording.py | 1 +
 src/tests/intg/test_ssh_pubkey.py | 1 +
 src/tests/intg/test_sssctl.py | 3 +++
 src/tests/intg/test_sudo.py | 1 +
 src/tests/intg/test_ts_cache.py | 2 ++
 src/tests/multihost/basic/test_ldapapi.py | 3 ++-
 16 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 18cc72075b4..19e2bf539e9 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -938,7 +938,7 @@
- Default: false
+ Default: allow
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index a66a85d989f..ce10aa991c4 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -75,7 +75,7 @@ struct dp_option default_basic_opts[] = {
 { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_id_use_start_tls", DP_OPT_STRING, { "false" }, NULL_STRING },
+ { "ldap_id_use_start_tls", DP_OPT_STRING, { "allow" }, NULL_STRING },
 { "ldap_id_mapping", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
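Review bot: The new `{ "allow" }` default on the `ldap_id_use_start_tls` line leaves unstated what the id_provider connection does when the StartTLS negotiation is refused or fails; if `allow` then continues on the unencrypted connection, that silent downgrade is exactly the case an operator needs to be able to see. The sssd-ldap.5.xml hunk only flips `Default: false` to `Default: allow` (its context lines did not survive this rendering), so unless the existing option description already covers it, the failure behaviour belongs there, and a connection that proceeds without TLS under `allow` should be logged at a level visible without debug tracing. A comment beside the new default would also help the next reader, e.g. `/* "allow": attempt StartTLS on the id connection; see sssd-ldap(5) for what happens when it fails */`. default_basic_opts[] continues outside the hunk.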
diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py
index dd153f68a9e..d5eb0403105 100644
--- a/src/tests/intg/ldap_local_override_test.py
+++ b/src/tests/intg/ldap_local_override_test.py
@@ -157,6 +157,7 @@ def prepare_sssd(request, ldap_conn, use_fully_qualified_names=False,
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py
index 9c5775b6a8a..2561187f80f 100644
--- a/src/tests/intg/test_enumeration.py
+++ b/src/tests/intg/test_enumeration.py
@@ -143,6 +143,7 @@ def format_basic_conf(ldap_conn, schema):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 debug_level = 0xffff
 enumerate = true
 {schema_conf}
diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py
index f1f6c83f17a..a154650cd1e 100644
--- a/src/tests/intg/test_infopipe.py
+++ b/src/tests/intg/test_infopipe.py
@@ -213,6 +213,7 @@ def format_basic_conf(ldap_conn, schema, config):
 ldap_search_base = {ldap_conn.ds_inst.base_dn}
 ldap_user_extra_attrs = extraName:uid
 ldap_user_certificate = userCert
+ ldap_id_use_start_tls = allow
 [application/app]
 inherit_from = LDAP
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 81c4f31397f..03330e1c706 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -128,6 +128,7 @@ def format_basic_conf(ldap_conn, schema):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 debug_level = 0xffff
 {schema_conf}
 id_provider = ldap
diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py
index b30c9024919..711648c7280 100644
--- a/src/tests/intg/test_memory_cache.py
+++ b/src/tests/intg/test_memory_cache.py
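Review bot: The `ldap_id_use_start_tls = allow` line added to prepare_sssd's config template is the same value the commit makes the daemon default in ldap_opts.c, so as written it does not change what this fixture exercises; the identical explicit setting is added in test_enumeration.py, test_infopipe.py, test_ldap.py, test_memory_cache.py (all eight fixtures), test_netgroup.py, test_pysss_nss_idmap.py, test_resolver.py, test_session_recording.py, test_ssh_pubkey.py, test_sssctl.py, test_sudo.py, test_ts_cache.py, and via domain_params in test_ldapapi.py. Presumably the intent is to pin the fixtures so that a later, stricter default does not break tests that run against a server without TLS; if so, a short Python comment above the first template, e.g. `# Pin ldap_id_use_start_tls: the fixtures must not depend on the daemon default.`, would keep the next reader from taking the line for a behaviour change. prepare_sssd's body continues outside the hunk.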
@@ -164,6 +164,7 @@ def disable_memcache_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
@@ -190,6 +191,7 @@ def disable_pwd_mc_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
@@ -216,6 +218,7 @@ def disable_grp_mc_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
@@ -242,6 +245,7 @@ def disable_initgr_mc_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
@@ -267,6 +271,7 @@ def sanity_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
@@ -292,6 +297,7 @@ def fqname_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
@@ -318,6 +324,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
@@ -346,6 +353,7 @@ def zero_timeout_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
index 56c742cca78..7ca3357f047 100644
--- a/src/tests/intg/test_netgroup.py
+++ b/src/tests/intg/test_netgroup.py
@@ -116,6 +116,7 @@ def format_basic_conf(ldap_conn, schema):
 auth_provider = ldap
 ldap_uri = {ldap_conn.ds_inst.ldap_url}
 ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ ldap_id_use_start_tls = allow
 ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn}
 """).format(**locals())
diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py
index fd714203f8e..75cf231dd26 100644
--- a/src/tests/intg/test_pysss_nss_idmap.py
+++ b/src/tests/intg/test_pysss_nss_idmap.py
@@ -91,6 +91,7 @@ def format_basic_conf(ldap_conn, ignore_unreadable_refs):
 ldap_default_bind_dn = {ldap_conn.ad_inst.admin_dn}
 ldap_default_authtok_type = password
 ldap_default_authtok = {ldap_conn.ad_inst.admin_pw}
+ ldap_id_use_start_tls = allow
 ldap_schema = ad
 ldap_id_mapping = true
diff --git a/src/tests/intg/test_resolver.py b/src/tests/intg/test_resolver.py
index 1b1a4949a35..34c7aff4752 100644
--- a/src/tests/intg/test_resolver.py
+++ b/src/tests/intg/test_resolver.py
@@ -121,6 +121,7 @@ def format_basic_conf(ldap_conn, schema):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 debug_level = 0xffff
 {schema_conf}
 id_provider = ldap
diff --git a/src/tests/intg/test_session_recording.py b/src/tests/intg/test_session_recording.py
index 15faf122897..6e6498510fc 100644
--- a/src/tests/intg/test_session_recording.py
+++ b/src/tests/intg/test_session_recording.py
@@ -149,6 +149,7 @@ def format_basic_conf(ldap_conn, schema):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 debug_level = 0xffff
 enumerate = true
 {schema_conf}
diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 34bde1b31d4..a8f756451b5 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -140,6 +140,7 @@ def format_basic_conf(ldap_conn, schema, config):
 ldap_uri = {ldap_conn.ds_inst.ldap_url}
 ldap_search_base = {ldap_conn.ds_inst.base_dn}
 ldap_sudo_use_host_filter = false
+ ldap_id_use_start_tls = allow
 debug_level=10
 ldap_user_certificate = userCertificate;binary
 """).format(**locals())
diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py
index 60c216729fa..feb07d7120d 100644
--- a/src/tests/intg/test_sssctl.py
+++ b/src/tests/intg/test_sssctl.py
@@ -143,6 +143,7 @@ def sanity_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
@@ -169,6 +170,7 @@ def fqname_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
@@ -195,6 +197,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
 [domain/LDAP]
 ldap_auth_disable_tls_never_use_in_production = true
+ ldap_id_use_start_tls = allow
 ldap_schema = rfc2307
 id_provider = ldap
 auth_provider = ldap
diff --git a/src/tests/intg/test_sudo.py b/src/tests/intg/test_sudo.py
index ec85511da83..a9eb5e5c325 100644
--- a/src/tests/intg/test_sudo.py
+++ b/src/tests/intg/test_sudo.py
@@ -135,6 +135,7 @@ def format_basic_conf(ldap_conn, schema):
 ldap_search_base = {ldap_conn.ds_inst.base_dn}
 ldap_sudo_use_host_filter = false
 ldap_sudo_random_offset = 0
+ ldap_id_use_start_tls = allow
 debug_level=10
 """).format(**locals())
diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
index dbade2e20fe..eb028158a54 100644
--- a/src/tests/intg/test_ts_cache.py
+++ b/src/tests/intg/test_ts_cache.py
@@ -161,6 +161,7 @@ def setup_rfc2307bis(request, ldap_conn):
 auth_provider = ldap
 sudo_provider = ldap
 ldap_group_object_class = groupOfNames
+ ldap_id_use_start_tls = allow
 ldap_uri = {ldap_conn.ds_inst.ldap_url}
 ldap_search_base = {ldap_conn.ds_inst.base_dn}
 """).format(**locals())
@@ -186,6 +187,7 @@ def setup_rfc2307(request, ldap_conn):
 id_provider = ldap
 auth_provider = ldap
 sudo_provider = ldap
+ ldap_id_use_start_tls = allow
 ldap_uri = {ldap_conn.ds_inst.ldap_url}
 ldap_search_base = {ldap_conn.ds_inst.base_dn}
 """).format(**locals())
diff --git a/src/tests/multihost/basic/test_ldapapi.py b/src/tests/multihost/basic/test_ldapapi.py
index 3cdc35e1b42..269b16befed 100644
--- a/src/tests/multihost/basic/test_ldapapi.py
+++ b/src/tests/multihost/basic/test_ldapapi.py
@@ -17,7 +17,8 @@ def set_ldap_uri(multihost):
 tools = sssdTools(multihost.master[0])
 domain_name = tools.get_domain_section_name()
 master = sssdTools(multihost.master[0])
- domain_params = {'ldap_uri': ldap_uri}
+ domain_params = {'ldap_uri': ldap_uri,
+ 'ldap_id_use_start_tls': 'allow'}
 master.sssd_conf(f'domain/{domain_name}', domain_params)
 multihost.master[0].service_sssd('restart')