Change ldap_id_use_start_tls default to True #6963

10 changes: 6 additions & 4 deletions src/man/sssd-ldap.5.xml
Expand Up @@ -39,9 +39,10 @@
to authenticate against an LDAP server either TLS/SSL or LDAPS
is required. <command>sssd</command> <emphasis>does
not</emphasis> support authentication over an unencrypted channel.
If the LDAP server is used only as an identity provider, an encrypted
channel is not needed. Please refer to <quote>ldap_access_filter</quote>
config option for more information about using LDAP as an access provider.
Even if the LDAP server is used only as an identity provider, an encrypted
channel is strongly recommended. Please refer to the
<quote>ldap_access_filter</quote> config option for more information
about using LDAP as an access provider.
</para>
</refsect1>

Expand Down Expand Up @@ -912,9 +913,10 @@
<para>
Specifies that the id_provider connection must also
use <systemitem class="protocol">tls</systemitem> to protect the channel.
<emphasis>true</emphasis> is strongly recommended for security reasons.
</para>
<para>
Default: false
Default: true
</para>
</listitem>
</varlistentry>
2 changes: 1 addition & 1 deletion src/providers/ldap/ldap_opts.c
Expand Up @@ -75,7 +75,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_id_mapping", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
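Review bot: The default flip on the `ldap_id_use_start_tls` entry of `default_basic_opts` changes behaviour for every existing domain that left the option unset and points `ldap_uri` at a plain `ldap://` server: identity lookups that used to run in the clear will presumably now fail to connect when the server does not offer STARTTLS, which is the right failure mode but deserves an explicit mention in the upgrade notes, since the man-page hunk only states the new default. A short comment next to the entry would keep the rationale with the code, e.g. `/* true by default: identity lookups carry user and group data and must not travel over an unprotected channel; the integration tests opt out explicitly */`. Whether an `ldaps://` URI makes this option moot is decided elsewhere in the provider, outside this hunk.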
1 change: 1 addition & 0 deletions src/tests/intg/ldap_local_override_test.py
Expand Up @@ -157,6 +157,7 @@ def prepare_sssd(request, ldap_conn, use_fully_qualified_names=False,

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
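Review bot: The added `ldap_id_use_start_tls = false` line in prepare_sssd's config template opts the test domain out of the new secure default without saying why, and the same bare line is added in test_enumeration.py, test_infopipe.py, test_ldap.py, test_memory_cache.py, test_netgroup.py, test_pysss_nss_idmap.py, test_resolver.py, test_session_recording.py, test_ssh_pubkey.py, test_sssctl.py, test_sudo.py, test_ts_cache.py and, as a dict entry, in test_ldapapi.py. Unlike the neighbouring `ldap_auth_disable_tls_never_use_in_production = true`, the option name carries no warning, so a copy of this template into a real sssd.conf silently downgrades identity traffic to cleartext; a comment such as `# test-only: the in-tree directory server offers no TLS; keep the default (true) in production` on the first occurrence in each file would make the intent visible. In test_pysss_nss_idmap.py the same template also sets `ldap_default_authtok`, so that test's simple bind presumably sends the admin password unprotected unless its `ldap_uri` is already `ldaps://`, which the hunk does not show. The enclosing functions start outside these hunks.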
1 change: 1 addition & 0 deletions src/tests/intg/test_enumeration.py
Expand Up @@ -143,6 +143,7 @@ def format_basic_conf(ldap_conn, schema):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
debug_level = 0xffff
enumerate = true
{schema_conf}
1 change: 1 addition & 0 deletions src/tests/intg/test_infopipe.py
Expand Up @@ -211,6 +211,7 @@ def format_basic_conf(ldap_conn, schema, config):
id_provider = ldap
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
ldap_id_use_start_tls = false
ldap_user_extra_attrs = extraName:uid
ldap_user_certificate = userCert

1 change: 1 addition & 0 deletions src/tests/intg/test_ldap.py
Expand Up @@ -128,6 +128,7 @@ def format_basic_conf(ldap_conn, schema):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
debug_level = 0xffff
{schema_conf}
id_provider = ldap
8 changes: 8 additions & 0 deletions src/tests/intg/test_memory_cache.py
Expand Up @@ -164,6 +164,7 @@ def disable_memcache_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
Expand All @@ -190,6 +191,7 @@ def disable_pwd_mc_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
Expand All @@ -216,6 +218,7 @@ def disable_grp_mc_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
Expand All @@ -242,6 +245,7 @@ def disable_initgr_mc_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
Expand All @@ -267,6 +271,7 @@ def sanity_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
Expand All @@ -292,6 +297,7 @@ def fqname_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
Expand All @@ -318,6 +324,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
Expand Down Expand Up @@ -346,6 +353,7 @@ def zero_timeout_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
1 change: 1 addition & 0 deletions src/tests/intg/test_netgroup.py
Expand Up @@ -117,6 +117,7 @@ def format_basic_conf(ldap_conn, schema):
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn}
ldap_id_use_start_tls = false
""").format(**locals())


1 change: 1 addition & 0 deletions src/tests/intg/test_pysss_nss_idmap.py
Expand Up @@ -91,6 +91,7 @@ def format_basic_conf(ldap_conn, ignore_unreadable_refs):
ldap_default_bind_dn = {ldap_conn.ad_inst.admin_dn}
ldap_default_authtok_type = password
ldap_default_authtok = {ldap_conn.ad_inst.admin_pw}
ldap_id_use_start_tls = false

ldap_schema = ad
ldap_id_mapping = true
1 change: 1 addition & 0 deletions src/tests/intg/test_resolver.py
Expand Up @@ -121,6 +121,7 @@ def format_basic_conf(ldap_conn, schema):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
debug_level = 0xffff
{schema_conf}
id_provider = ldap
1 change: 1 addition & 0 deletions src/tests/intg/test_session_recording.py
Expand Up @@ -149,6 +149,7 @@ def format_basic_conf(ldap_conn, schema):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
debug_level = 0xffff
enumerate = true
{schema_conf}
1 change: 1 addition & 0 deletions src/tests/intg/test_ssh_pubkey.py
Expand Up @@ -140,6 +140,7 @@ def format_basic_conf(ldap_conn, schema, config):
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
ldap_sudo_use_host_filter = false
ldap_id_use_start_tls = false
debug_level=10
ldap_user_certificate = userCertificate;binary
""").format(**locals())
3 changes: 3 additions & 0 deletions src/tests/intg/test_sssctl.py
Expand Up @@ -143,6 +143,7 @@ def sanity_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
Expand All @@ -169,6 +170,7 @@ def fqname_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
Expand All @@ -195,6 +197,7 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):

[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
ldap_id_use_start_tls = false
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
1 change: 1 addition & 0 deletions src/tests/intg/test_sudo.py
Expand Up @@ -135,6 +135,7 @@ def format_basic_conf(ldap_conn, schema):
ldap_search_base = {ldap_conn.ds_inst.base_dn}
ldap_sudo_use_host_filter = false
ldap_sudo_random_offset = 0
ldap_id_use_start_tls = false
debug_level=10
""").format(**locals())

2 changes: 2 additions & 0 deletions src/tests/intg/test_ts_cache.py
Expand Up @@ -163,6 +163,7 @@ def setup_rfc2307bis(request, ldap_conn):
ldap_group_object_class = groupOfNames
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
ldap_id_use_start_tls = false
""").format(**locals())
create_conf_fixture(request, conf)
create_sssd_fixture(request)
Expand All @@ -188,6 +189,7 @@ def setup_rfc2307(request, ldap_conn):
sudo_provider = ldap
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
ldap_id_use_start_tls = false
""").format(**locals())
create_conf_fixture(request, conf)
create_sssd_fixture(request)
3 changes: 2 additions & 1 deletion src/tests/multihost/basic/test_ldapapi.py
Expand Up @@ -17,7 +17,8 @@ def set_ldap_uri(multihost):
tools = sssdTools(multihost.master[0])
domain_name = tools.get_domain_section_name()
master = sssdTools(multihost.master[0])
domain_params = {'ldap_uri': ldap_uri}
domain_params = {'ldap_uri': ldap_uri,
'ldap_id_use_start_tls': 'false'}
master.sssd_conf(f'domain/{domain_name}', domain_params)
multihost.master[0].service_sssd('restart')
