diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 20ef8c37524..c2602ba0d9e 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -39,9 +39,10 @@ to authenticate against an LDAP server either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel. - If the LDAP server is used only as an identity provider, an encrypted - channel is not needed. Please refer to ldap_access_filter - config option for more information about using LDAP as an access provider. + Even if the LDAP server is used only as an identity provider, an encrypted + channel is strongly recommended. Please refer to the + ldap_access_filter config option for more information + about using LDAP as an access provider. @@ -912,9 +913,10 @@ Specifies that the id_provider connection must also use tls to protect the channel. + true is strongly recommended for security reasons. - Default: false + Default: true diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c index bcf029920c8..37616caadb7 100644 --- a/src/providers/ldap/ldap_opts.c +++ b/src/providers/ldap/ldap_opts.c @@ -75,7 +75,7 @@ struct dp_option default_basic_opts[] = { { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ldap_id_mapping", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py index dd153f68a9e..a602c3bc054 100644 --- a/src/tests/intg/ldap_local_override_test.py +++ b/src/tests/intg/ldap_local_override_test.py @@ -157,6 +157,7 @@ def prepare_sssd(request, ldap_conn, use_fully_qualified_names=False, [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py index 9c5775b6a8a..ed0c27dca30 100644 --- a/src/tests/intg/test_enumeration.py +++ b/src/tests/intg/test_enumeration.py @@ -143,6 +143,7 @@ def format_basic_conf(ldap_conn, schema): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false debug_level = 0xffff enumerate = true {schema_conf} diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py index f1f6c83f17a..e1c2aac3264 100644 --- a/src/tests/intg/test_infopipe.py +++ b/src/tests/intg/test_infopipe.py @@ -211,6 +211,7 @@ def format_basic_conf(ldap_conn, schema, config): id_provider = ldap ldap_uri = {ldap_conn.ds_inst.ldap_url} ldap_search_base = {ldap_conn.ds_inst.base_dn} + ldap_id_use_start_tls = false ldap_user_extra_attrs = extraName:uid ldap_user_certificate = userCert diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py index 81c4f31397f..d0e3640b93b 100644 --- a/src/tests/intg/test_ldap.py +++ b/src/tests/intg/test_ldap.py @@ -128,6 +128,7 @@ def format_basic_conf(ldap_conn, schema): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false debug_level = 0xffff {schema_conf} id_provider = ldap diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py index b30c9024919..dd8e565b8c9 100644 --- a/src/tests/intg/test_memory_cache.py +++ b/src/tests/intg/test_memory_cache.py @@ -164,6 +164,7 @@ def disable_memcache_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap @@ -190,6 +191,7 @@ def disable_pwd_mc_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap @@ -216,6 +218,7 @@ def disable_grp_mc_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap @@ -242,6 +245,7 @@ def disable_initgr_mc_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap @@ -267,6 +271,7 @@ def sanity_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap @@ -292,6 +297,7 @@ def fqname_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap @@ -318,6 +324,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap @@ -346,6 +353,7 @@ def zero_timeout_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py index 56c742cca78..1cea42f746a 100644 --- a/src/tests/intg/test_netgroup.py +++ b/src/tests/intg/test_netgroup.py @@ -117,6 +117,7 @@ def format_basic_conf(ldap_conn, schema): ldap_uri = {ldap_conn.ds_inst.ldap_url} ldap_search_base = {ldap_conn.ds_inst.base_dn} ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn} + ldap_id_use_start_tls = false """).format(**locals()) diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py index fd714203f8e..c67c2bba00c 100644 --- a/src/tests/intg/test_pysss_nss_idmap.py +++ b/src/tests/intg/test_pysss_nss_idmap.py @@ -91,6 +91,7 @@ def format_basic_conf(ldap_conn, ignore_unreadable_refs): ldap_default_bind_dn = {ldap_conn.ad_inst.admin_dn} ldap_default_authtok_type = password ldap_default_authtok = {ldap_conn.ad_inst.admin_pw} + ldap_id_use_start_tls = false ldap_schema = ad ldap_id_mapping = true diff --git a/src/tests/intg/test_resolver.py b/src/tests/intg/test_resolver.py index 1b1a4949a35..072d41e7bfd 100644 --- a/src/tests/intg/test_resolver.py +++ b/src/tests/intg/test_resolver.py @@ -121,6 +121,7 @@ def format_basic_conf(ldap_conn, schema): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false debug_level = 0xffff {schema_conf} id_provider = ldap diff --git a/src/tests/intg/test_session_recording.py b/src/tests/intg/test_session_recording.py index 15faf122897..97f48f2a17a 100644 --- a/src/tests/intg/test_session_recording.py +++ b/src/tests/intg/test_session_recording.py @@ -149,6 +149,7 @@ def format_basic_conf(ldap_conn, schema): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false debug_level = 0xffff enumerate = true {schema_conf} diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py index 34bde1b31d4..56bccbdffd3 100644 --- a/src/tests/intg/test_ssh_pubkey.py +++ b/src/tests/intg/test_ssh_pubkey.py @@ -140,6 +140,7 @@ def format_basic_conf(ldap_conn, schema, config): ldap_uri = {ldap_conn.ds_inst.ldap_url} ldap_search_base = {ldap_conn.ds_inst.base_dn} ldap_sudo_use_host_filter = false + ldap_id_use_start_tls = false debug_level=10 ldap_user_certificate = userCertificate;binary """).format(**locals()) diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py index 60c216729fa..ac200f26825 100644 --- a/src/tests/intg/test_sssctl.py +++ b/src/tests/intg/test_sssctl.py @@ -143,6 +143,7 @@ def sanity_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap @@ -169,6 +170,7 @@ def fqname_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap @@ -195,6 +197,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn): [domain/LDAP] ldap_auth_disable_tls_never_use_in_production = true + ldap_id_use_start_tls = false ldap_schema = rfc2307 id_provider = ldap auth_provider = ldap diff --git a/src/tests/intg/test_sudo.py b/src/tests/intg/test_sudo.py index ec85511da83..baeb92a0c6d 100644 --- a/src/tests/intg/test_sudo.py +++ b/src/tests/intg/test_sudo.py @@ -135,6 +135,7 @@ def format_basic_conf(ldap_conn, schema): ldap_search_base = {ldap_conn.ds_inst.base_dn} ldap_sudo_use_host_filter = false ldap_sudo_random_offset = 0 + ldap_id_use_start_tls = false debug_level=10 """).format(**locals()) diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py index dbade2e20fe..5bc53994bc6 100644 --- a/src/tests/intg/test_ts_cache.py +++ b/src/tests/intg/test_ts_cache.py @@ -163,6 +163,7 @@ def setup_rfc2307bis(request, ldap_conn): ldap_group_object_class = groupOfNames ldap_uri = {ldap_conn.ds_inst.ldap_url} ldap_search_base = {ldap_conn.ds_inst.base_dn} + ldap_id_use_start_tls = false """).format(**locals()) create_conf_fixture(request, conf) create_sssd_fixture(request) @@ -188,6 +189,7 @@ def setup_rfc2307(request, ldap_conn): sudo_provider = ldap ldap_uri = {ldap_conn.ds_inst.ldap_url} ldap_search_base = {ldap_conn.ds_inst.base_dn} + ldap_id_use_start_tls = false """).format(**locals()) create_conf_fixture(request, conf) create_sssd_fixture(request) diff --git a/src/tests/multihost/basic/test_ldapapi.py b/src/tests/multihost/basic/test_ldapapi.py index 3cdc35e1b42..fe58830f23a 100644 --- a/src/tests/multihost/basic/test_ldapapi.py +++ b/src/tests/multihost/basic/test_ldapapi.py @@ -17,7 +17,8 @@ def set_ldap_uri(multihost): tools = sssdTools(multihost.master[0]) domain_name = tools.get_domain_section_name() master = sssdTools(multihost.master[0]) - domain_params = {'ldap_uri': ldap_uri} + domain_params = {'ldap_uri': ldap_uri, + 'ldap_id_use_start_tls': 'false'} master.sssd_conf(f'domain/{domain_name}', domain_params) multihost.master[0].service_sssd('restart')