Ubuntu
sssd package

Merge ~3v1n0/ubuntu/+source/sssd:ubuntu/focal into ubuntu/+source/sssd:ubuntu/focal

Proposed by Marco Trevisan (Treviño) on 2020-12-16

Status:

Superseded

Proposed branch:

~3v1n0/ubuntu/+source/sssd:ubuntu/focal

Merge into:

ubuntu/+source/sssd:ubuntu/focal

Diff against target:

1160 lines (+1013/-2)

12 files modified

debian/changelog (+40/-0)
debian/control (+5/-2)
debian/nss-database-pem-exporter/README.md (+13/-0)
debian/nss-database-pem-exporter/nss-database-pem-exporter.c (+179/-0)
debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch (+40/-0)
debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch (+412/-0)
debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch (+174/-0)
debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch (+68/-0)
debian/patches/series (+4/-0)
debian/rules (+13/-0)
debian/sssd-common.install (+1/-0)
debian/sssd-common.postinst (+64/-0)

High

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Sergio Durigan Junior	2020-12-16	Pending
Dimitri John Ledkov	2020-12-16	Pending
Review via email: mp+395410@code.launchpad.net

This proposal has been superseded by a proposal from 2020-12-16.

Description of the change

* debian/{control,rules}: Compile using libcrypto as crypto backend
  (LP: #1905790)
* debian/nss-database-pem-exporter: Add to sssd-common and run on postinst.
  When upgrading from previous versions (that were compiled using the NSS
  crypto backend) we need to migrate the trusted CA certificates that the
  user may have added to the SSSD's NSS system database (that defaults to
  /etc/pki/nssdb).
  To do this, and not to introduce a new dependency on libnss3-tools
  (which is not shipped by default, other than making the parsing not
  working in some scenarios) I've added a small C tool that we compile and
  install as part of the sssd-common package which is able to get all the
  trusted CA certificates for a NSS database and export them in PEM
  format.
  The nss-database-pem-exporter is then used in the postinst script where
  we now:
    1. Read the SSSD settings
    2. Convert all the certificates in the configured NSS databases
    3. Store them all, appending them to the (new) default location
      (/etc/sssd/pki/sssd_auth_ca_db.pem)
    4. Disables the configured locations if pointing to NSS dbs (needed or
      we'll leave the configuration with broken values).
  At this point nss-database-pem-exporter is then the only binary in the
  package that still depends on NSS libraries. (LP: #1905790)

Unmerged commits

12b101c... by Marco Trevisan (Treviño) on 2020-12-16

Update changelog

1efa142... by Marco Trevisan (Treviño) on 2020-12-16

debian/control: Update Maintainer to Ubuntu devs

5abb018... by Marco Trevisan (Treviño) on 2020-12-16

debian: Add nss-database-pem-exporter tool to the package and run it on postinst

When upgrading from previous versions (that were compiled using the NSS
crypto backend) we need to migrate the trusted CA certificates that the
user may have added to the SSSD's NSS system database (that defaults to
/etc/pki/nssdb).

To do this, and not to introduce a new dependency on libnss3-tools
(which is not shipped by default, other than making the parsing not
working in some scenarios) I've added a small C tool that we compile and
install as part of the sssd-common package which is able to get all the
trusted CA certificates for a NSS database and export them in PEM
format.

The nss-database-pem-exporter is then used in the postinst script where
we now:
1. Read the SSSD settings
2. Convert all the certificates in the configured NSS databases
3. Store them all, appending them to the (new) default location
(/etc/sssd/pki/sssd_auth_ca_db.pem)
4. Disables the configured locations if pointing to NSS dbs (needed or
we'll leave the configuration with broken values).

At this point nss-database-pem-exporter is then the only binary in the
package that still depends on NSS libraries.

LP: #1905790

42776ad... by Marco Trevisan (Treviño) on 2020-12-16

debian/{control,rules}: Compile using libcrypto as crypto backend

LP: #1905790

1e71d90... by Matthew Ruffell on 2020-11-09

2.2.3-3ubuntu0.1 (patches unapplied)

Imported using git-ubuntu import.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Marco Trevisan (Treviño)

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index 2202352..d9d580d 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,43 @@
++sssd (2.2.3-3ubuntu0.2) UNRELEASED; urgency=medium
++
++  * debian/{control,rules}: Compile using libcrypto as crypto backend
++    (LP: #1905790)
++  * debian/nss-database-pem-exporter: Add to sssd-common and run on postinst.
++    When upgrading from previous versions (that were compiled using the NSS
++    crypto backend) we need to migrate the trusted CA certificates that the
++    user may have added to the SSSD's NSS system database (that defaults to
++    /etc/pki/nssdb).
++    To do this, and not to introduce a new dependency on libnss3-tools
++    (which is not shipped by default, other than making the parsing not
++    working in some scenarios) I've added a small C tool that we compile and
++    install as part of the sssd-common package which is able to get all the
++    trusted CA certificates for a NSS database and export them in PEM
++    format.
++    The nss-database-pem-exporter is then used in the postinst script where
++    we now:
++     1. Read the SSSD settings
++     2. Convert all the certificates in the configured NSS databases
++     3. Store them all, appending them to the (new) default location
++        (/etc/sssd/pki/sssd_auth_ca_db.pem)
++     4. Disables the configured locations if pointing to NSS dbs (needed or
++        we'll leave the configuration with broken values).
++    At this point nss-database-pem-exporter is then the only binary in the
++    package that still depends on NSS libraries. (LP: #1905790)
++  * debian/control: Update Maintainer to Ubuntu devs
++
++ -- Marco Trevisan (Treviño) <marco@ubuntu.com>  Wed, 16 Dec 2020 04:56:07 +0100
++
++sssd (2.2.3-3ubuntu0.1) focal; urgency=medium
++
++  * Enable support for "ad_use_ldaps" for new Active Directory
++    requirement ADV190023 (LP: #1868703):
++    - d/p/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
++    - d/p/lp-1868703-02-ad-add-ad_use_ldaps.patch
++    - d/p/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
++    - d/p/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
++
++ -- Matthew Ruffell <matthew.ruffell@canonical.com>  Tue, 10 Nov 2020 11:59:08 +1300
++
  sssd (2.2.3-3) unstable; urgency=medium
    * libnss-sss: Fix a typo in adding the NSS entry for automount.
 diff --git a/debian/control b/debian/control
 index 648a240..d4652d2 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: sssd
  Section: utils
  Priority: optional
--Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
  Uploaders: Timo Aaltonen <tjaalton@debian.org>,
   Dominik George <natureshadow@debian.org>
  Build-Depends:
@@ -36,8 +37,8 @@ Build-Depends:
   libnl-3-dev [linux-any],
   libnl-route-3-dev [linux-any],
   libnspr4-dev,
-- libnss-wrapper,
   libnss3-dev,
++ libp11-kit-dev,
   libpam0g-dev | libpam-dev,
   libpcre3-dev,
   libpopt-dev,
@@ -45,6 +46,8 @@ Build-Depends:
   libselinux1-dev [linux-any],
   libsemanage1-dev [linux-any],
   libsmbclient-dev,
++ libsofthsm2 <!nocheck>,
++ libssl-dev,
   libsystemd-dev [linux-any],
   libtalloc-dev,
   libtdb-dev,
 diff --git a/debian/nss-database-pem-exporter/README.md b/debian/nss-database-pem-exporter/README.md
 new file mode 100644
 index 0000000..919d5cd
 --- /dev/null
 +++ b/debian/nss-database-pem-exporter/README.md
@@ -0,0 +1,13 @@
++# NSS Database Certificates exporter
++
++A simple tool to export all the trusted CA certificates in a NSS database
++(aka nssdb, usually in `~/.pki/nssdb` or `/etc/pki/nssdb`) as a chained cert
++PEM cert file.
++
++    ./nss-database-pem-exporter > chained-certs.pem
++
++You can verify the parsed content using:
++
++    openssl crl2pkcs7 -nocrl -certfile chained-certs.pem | openssl pkcs7 -print_certs -text -noout
++
++It defaults to `/etc/pki/nssdb`, use `NSS_DATABASE` env variable to override it.
 diff --git a/debian/nss-database-pem-exporter/nss-database-pem-exporter.c b/debian/nss-database-pem-exporter/nss-database-pem-exporter.c
 new file mode 100644
 index 0000000..e3afebc
 --- /dev/null
 +++ b/debian/nss-database-pem-exporter/nss-database-pem-exporter.c
@@ -0,0 +1,179 @@
++/*
++ * This file is part of the nss-database-pem-exporter distribution.
++ * Copyright (c) 2020 Marco Trevisan <marco.trevisan@canonical.com>.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, version 3.
++ *
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <assert.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include <nss.h>
++#include <nss/base64.h>
++#include <nss/cert.h>
++#include <nss/certdb.h>
++#include <nss/pk11func.h>
++
++#define NSS_DATABASE_PATH "/etc/pki/nssdb"
++#define OPEN_FLAGS (NSS_INIT_READONLY | NSS_INIT_NOROOTINIT | NSS_INIT_FORCEOPEN)
++
++#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
++#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
++
++static SECStatus
++print_ascii_certificate (CERTCertDBHandle      *handle,
++                         const CERTCertificate *cert)
++{
++  CERTCertList *certs;
++  CERTCertListNode *node;
++
++  certs = CERT_CreateSubjectCertList (NULL, handle, &cert->derSubject,
++                                      PR_Now (), PR_FALSE);
++
++  for (node = CERT_LIST_HEAD (certs); !CERT_LIST_END (node, certs);
++       node = CERT_LIST_NEXT (node))
++    {
++      CERTCertificate *c = node->cert;
++      char *ascii_cert = BTOA_DataToAscii (c->derCert.data, c->derCert.len);
++
++      fprintf (stdout, NS_CERT_HEADER "\n");
++      fprintf (stdout, "%s\n", ascii_cert);
++      fprintf (stdout, NS_CERT_TRAILER "\n");
++
++      free (ascii_cert);
++    }
++
++  if (certs)
++    CERT_DestroyCertList (certs);
++
++  return SECSuccess;
++}
++
++const char *
++get_cert_name (CERTCertListNode *node)
++{
++  CERTCertificate * cert = node->cert;
++  const char *name = node->appData;
++
++  if (name && *name != '\0')
++    return name;
++
++  name = cert->nickname;
++  if (name && *name != '\0')
++    return name;
++
++  name = cert->emailAddr;
++  if (name && *name != '\0')
++    return name;
++
++  return NULL;
++}
++
++bool
++check_trusted_flags (unsigned int flags)
++{
++  if (!(flags & CERTDB_VALID_CA))
++    return false;
++
++  /* Just return true here in any case (to handle the 'c' flag)? */
++  return (flags & (CERTDB_TRUSTED |
++                   CERTDB_TRUSTED_CA |
++                   CERTDB_TRUSTED_CLIENT_CA |
++                   CERTDB_GOVT_APPROVED_CA)) != 0;
++}
++
++bool
++cert_is_trusted (const CERTCertificate *cert)
++{
++  CERTCertTrust *trust = cert->trust;
++
++  if (!trust)
++    return false;
++
++  if (check_trusted_flags (trust->sslFlags))
++    return true;
++
++  if (check_trusted_flags (trust->emailFlags))
++    return true;
++
++  if (check_trusted_flags (trust->objectSigningFlags))
++    return true;
++
++  return false;
++}
++
++static SECStatus
++print_trusted_certificates (CERTCertDBHandle *handle)
++{
++  CERTCertList *list;
++  CERTCertListNode *node;
++
++  list = PK11_ListCerts (PK11CertListCA, NULL);
++  for (node = CERT_LIST_HEAD (list); !CERT_LIST_END (node, list);
++       node = CERT_LIST_NEXT (node))
++    {
++      CERTCertificate *cert = node->cert;
++      const char *cert_name = get_cert_name (node);
++
++      if (!(cert->nsCertType & NS_CERT_TYPE_CA))
++        continue;
++
++      fprintf (stderr, "Found CA certificate %s\n", cert_name);
++      if (!cert)
++        continue;
++
++      if (!cert_is_trusted (cert))
++        {
++          fprintf (stderr, "Certificate %s is not a trusted CA certificate, ignoring\n",
++                   cert_name);
++          continue;
++        }
++
++      print_ascii_certificate (handle, cert);
++    }
++
++  if (list)
++    CERT_DestroyCertList (list);
++  return SECSuccess;
++}
++
++int
++main (void)
++{
++  CERTCertDBHandle *certHandle;
++  const char *nssdb;
++  int exit_status = EXIT_SUCCESS;
++
++  nssdb = getenv ("NSS_DATABASE");
++  if (!nssdb || !*nssdb)
++    nssdb = NSS_DATABASE_PATH;
++
++  if (NSS_Initialize (nssdb, NULL, NULL,
++                      "secmod.db", OPEN_FLAGS) != SECSuccess)
++    {
++      fprintf (stderr, "Failed to open database %s\n", nssdb);
++      return EXIT_FAILURE;
++    }
++
++  certHandle = CERT_GetDefaultCertDB ();
++  if (print_trusted_certificates (certHandle) != SECSuccess)
++    exit_status = EXIT_FAILURE;
++
++  if (NSS_Shutdown () != SECSuccess)
++    return EXIT_FAILURE;
++
++  return exit_status;
++}
 diff --git a/debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch b/debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
 new file mode 100644
 index 0000000..0d62fc5
 --- /dev/null
 +++ b/debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
@@ -0,0 +1,40 @@
++Description: ad: allow booleans for ad_inherit_opts_if_needed()
++Author: Sumit Bose <sbose@redhat.com>
++From: Matthew Ruffell <matthew.ruffell@canonical.com>
++Origin: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
++Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
++Bug-Ubuntu: https://launchpad.net/bugs/1868703
++
++Index: sssd-2.2.3/src/providers/ad/ad_common.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ad/ad_common.c	2020-10-12 17:03:20.688186858 +1300
+++++ sssd-2.2.3/src/providers/ad/ad_common.c	2020-10-12 17:03:20.684186803 +1300
++@@ -1479,9 +1479,26 @@
++     const char *parent_val = NULL;
++     char *dummy = NULL;
++     char *option_list[2] = { NULL, NULL };
+++    bool is_default = true;
++
++-    parent_val = dp_opt_get_cstring(parent_opts, opt_id);
++-    if (parent_val != NULL) {
+++    switch (parent_opts[opt_id].type) {
+++    case DP_OPT_STRING:
+++        parent_val = dp_opt_get_cstring(parent_opts, opt_id);
+++        break;
+++    case DP_OPT_BOOL:
+++        /* For booleans it is hard to say if the option is set or not since
+++         * both possible values are valid ones. So we check if the value is
+++         * different from the default and skip if it is the default. In this
+++         * case the sub-domain option would either be the default as well or
+++         * manully set and in both cases we do not have to change it. */
+++        is_default = (parent_opts[opt_id].val.boolean
+++                                == parent_opts[opt_id].def_val.boolean);
+++        break;
+++    default:
+++        DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n");
+++    }
+++
+++    if (parent_val != NULL || !is_default) {
++         ret = confdb_get_string(cdb, NULL, subdom_conf_path,
++                                 parent_opts[opt_id].opt_name, NULL, &dummy);
++         if (ret != EOK) {
 diff --git a/debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch b/debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch
 new file mode 100644
 index 0000000..d5d2831
 --- /dev/null
 +++ b/debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch
@@ -0,0 +1,412 @@
++Description: ad: add ad_use_ldaps
++Author: Sumit Bose <sbose@redhat.com>
++From: Matthew Ruffell <matthew.ruffell@canonical.com>
++Origin: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
++Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
++Bug-Ubuntu: https://launchpad.net/bugs/1868703
++
++Index: sssd-2.2.3/src/config/SSSDConfig/__init__.py.in
++===================================================================
++--- sssd-2.2.3.orig/src/config/SSSDConfig/__init__.py.in	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/config/SSSDConfig/__init__.py.in	2020-10-12 17:03:42.796491375 +1300
++@@ -252,6 +252,7 @@
++     'ad_site' : _('a particular site to be used by the client'),
++     'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
++     'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
+++    'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
++
++     # [provider/krb5]
++     'krb5_kdcip' : _('Kerberos server address'),
++Index: sssd-2.2.3/src/config/cfg_rules.ini
++===================================================================
++--- sssd-2.2.3.orig/src/config/cfg_rules.ini	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/config/cfg_rules.ini	2020-10-12 17:03:42.796491375 +1300
++@@ -464,6 +464,7 @@
++ option = ad_maximum_machine_account_password_age
++ option = ad_server
++ option = ad_site
+++option = ad_use_ldaps
++
++ # IPA provider specific options
++ option = ipa_anchor_uuid
++Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf
++===================================================================
++--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ad.conf	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf	2020-10-12 17:03:42.796491375 +1300
++@@ -20,6 +20,7 @@
++ ad_site = str, None, false
++ ad_maximum_machine_account_password_age = int, None, false
++ ad_machine_account_password_renewal_opts = str, None, false
+++ad_use_ldaps = bool, None, false
++ ldap_uri = str, None, false
++ ldap_backup_uri = str, None, false
++ ldap_search_base = str, None, false
++Index: sssd-2.2.3/src/man/sssd-ad.5.xml
++===================================================================
++--- sssd-2.2.3.orig/src/man/sssd-ad.5.xml	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/man/sssd-ad.5.xml	2020-10-12 17:03:42.796491375 +1300
++@@ -1016,6 +1016,26 @@
++                 </varlistentry>
++
++                 <varlistentry>
+++                    <term>ad_use_ldaps (bool)</term>
+++                    <listitem>
+++                        <para>
+++                            By default SSSD uses the plain LDAP port 389 and the
+++                            Global Catalog port 3628. If this option is set to
+++                            True SSSD will use the LDAPS port 636 and Global
+++                            Catalog port 3629 with LDAPS protection. Since AD
+++                            does not allow to have multiple encryption layers on
+++                            a single connection and we still want to use
+++                            SASL/GSSAPI or SASL/GSS-SPNEGO for authentication
+++                            the SASL security property maxssf is set to 0 (zero)
+++                            for those connections.
+++                        </para>
+++                        <para>
+++                            Default: False
+++                        </para>
+++                    </listitem>
+++                </varlistentry>
+++
+++                <varlistentry>
++                     <term>dyndns_update (boolean)</term>
++                     <listitem>
++                         <para>
++Index: sssd-2.2.3/src/providers/ad/ad_common.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ad/ad_common.c	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/providers/ad/ad_common.c	2020-10-12 17:03:42.796491375 +1300
++@@ -729,6 +729,7 @@
++                  const char *ad_gc_service,
++                  const char *ad_domain,
++                  bool use_kdcinfo,
+++                 bool ad_use_ldaps,
++                  size_t n_lookahead_primary,
++                  size_t n_lookahead_backup,
++                  struct ad_service **_service)
++@@ -746,6 +747,16 @@
++         goto done;
++     }
++
+++    if (ad_use_ldaps) {
+++        service->ldap_scheme = "ldaps";
+++        service->port = LDAPS_PORT;
+++        service->gc_port = AD_GC_LDAPS_PORT;
+++    } else {
+++        service->ldap_scheme = "ldap";
+++        service->port = LDAP_PORT;
+++        service->gc_port = AD_GC_PORT;
+++    }
+++
++     service->sdap = talloc_zero(service, struct sdap_service);
++     service->gc = talloc_zero(service, struct sdap_service);
++     if (!service->sdap || !service->gc) {
++@@ -927,7 +938,8 @@
++         goto done;
++     }
++
++-    new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
+++    new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,
+++                                                        srv_name);
++     if (!new_uri) {
++         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
++         ret = ENOMEM;
++@@ -935,7 +947,7 @@
++     }
++     DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
++
++-    sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
+++    sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);
++     if (sockaddr == NULL) {
++         DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
++         ret = EIO;
++@@ -951,8 +963,12 @@
++     talloc_zfree(service->gc->uri);
++     talloc_zfree(service->gc->sockaddr);
++     if (sdata && sdata->gc) {
++-        new_port = fo_get_server_port(server);
++-        new_port = (new_port == 0) ? AD_GC_PORT : new_port;
+++        if (service->gc_port == AD_GC_LDAPS_PORT) {
+++            new_port = service->gc_port;
+++        } else {
+++            new_port = fo_get_server_port(server);
+++            new_port = (new_port == 0) ? service->gc_port : new_port;
+++        }
++
++         service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
++                                            new_uri, new_port);
++Index: sssd-2.2.3/src/providers/ad/ad_common.h
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ad/ad_common.h	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/providers/ad/ad_common.h	2020-10-12 17:03:42.796491375 +1300
++@@ -29,7 +29,8 @@
++ #define AD_SERVICE_NAME    "AD"
++ #define AD_GC_SERVICE_NAME "AD_GC"
++ /* The port the Global Catalog runs on */
++-#define AD_GC_PORT      3268
+++#define AD_GC_PORT         3268
+++#define AD_GC_LDAPS_PORT   3269
++
++ #define AD_AT_OBJECT_SID "objectSID"
++ #define AD_AT_DNS_DOMAIN "DnsDomain"
++@@ -67,6 +68,7 @@
++     AD_KRB5_CONFD_PATH,
++     AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
++     AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
+++    AD_USE_LDAPS,
++
++     AD_OPTS_BASIC /* opts counter */
++ };
++@@ -82,6 +84,9 @@
++     struct sdap_service *sdap;
++     struct sdap_service *gc;
++     struct krb5_service *krb5_service;
+++    const char *ldap_scheme;
+++    int port;
+++    int gc_port;
++ };
++
++ struct ad_options {
++@@ -147,6 +152,7 @@
++                  const char *ad_gc_service,
++                  const char *ad_domain,
++                  bool use_kdcinfo,
+++                 bool ad_use_ldaps,
++                  size_t n_lookahead_primary,
++                  size_t n_lookahead_backup,
++                  struct ad_service **_service);
++Index: sssd-2.2.3/src/providers/ad/ad_init.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ad/ad_init.c	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/providers/ad/ad_init.c	2020-10-12 17:03:42.796491375 +1300
++@@ -138,6 +138,7 @@
++     char *ad_servers = NULL;
++     char *ad_backup_servers = NULL;
++     char *ad_realm;
+++    bool ad_use_ldaps = false;
++     errno_t ret;
++
++     ad_sasl_initialize();
++@@ -154,12 +155,14 @@
++     ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
++     ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
++     ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
+++    ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
++
++     /* Set up the failover service */
++     ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
++                            ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
++                            dp_opt_get_string(ad_options->basic, AD_DOMAIN),
++                            false, /* will be set in ad_get_auth_options() */
+++                           ad_use_ldaps,
++                            (size_t) -1,
++                            (size_t) -1,
++                            &ad_options->service);
++@@ -184,11 +187,13 @@
++     const char *ad_site_override;
++     bool sites_enabled;
++     errno_t ret;
+++    bool ad_use_ldaps;
++
++     hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
++     ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
++     ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
++     sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
+++    ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
++
++
++     if (!sites_enabled) {
++@@ -205,7 +210,8 @@
++     srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
++                                      default_host_dbs, ad_options->id,
++                                      hostname, ad_domain,
++-                                     ad_site_override);
+++                                     ad_site_override,
+++                                     ad_use_ldaps);
++     if (srv_ctx == NULL) {
++         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
++         return ENOMEM;
++Index: sssd-2.2.3/src/providers/ad/ad_opts.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ad/ad_opts.c	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/providers/ad/ad_opts.c	2020-10-12 17:03:42.796491375 +1300
++@@ -54,6 +54,7 @@
++     { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
++     { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
++     { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
+++    { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
++     DP_OPTION_TERMINATOR
++ };
++
++Index: sssd-2.2.3/src/providers/ad/ad_srv.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ad/ad_srv.c	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/providers/ad/ad_srv.c	2020-10-12 17:03:42.796491375 +1300
++@@ -244,6 +244,7 @@
++     enum host_database *host_db;
++     struct sdap_options *opts;
++     const char *ad_domain;
+++    bool ad_use_ldaps;
++     struct fo_server_info *dcs;
++     size_t num_dcs;
++     size_t dc_index;
++@@ -264,6 +265,7 @@
++                                            enum host_database *host_db,
++                                            struct sdap_options *opts,
++                                            const char *ad_domain,
+++                                           bool ad_use_ldaps,
++                                            struct fo_server_info *dcs,
++                                            size_t num_dcs)
++ {
++@@ -288,6 +290,7 @@
++     state->host_db = host_db;
++     state->opts = opts;
++     state->ad_domain = ad_domain;
+++    state->ad_use_ldaps = ad_use_ldaps;
++     state->dcs = dcs;
++     state->num_dcs = num_dcs;
++
++@@ -331,8 +334,11 @@
++     subreq = sdap_connect_host_send(state, state->ev, state->opts,
++                                     state->be_res->resolv,
++                                     state->be_res->family_order,
++-                                    state->host_db, "ldap", state->dc.host,
++-                                    state->dc.port, false);
+++                                    state->host_db,
+++                                    state->ad_use_ldaps ? "ldaps" : "ldap",
+++                                    state->dc.host,
+++                                    state->ad_use_ldaps ? 636 : state->dc.port,
+++                                    false);
++     if (subreq == NULL) {
++         ret = ENOMEM;
++         goto done;
++@@ -491,6 +497,7 @@
++     const char *ad_domain;
++     const char *ad_site_override;
++     const char *current_site;
+++    bool ad_use_ldaps;
++ };
++
++ struct ad_srv_plugin_ctx *
++@@ -501,7 +508,8 @@
++                        struct sdap_options *opts,
++                        const char *hostname,
++                        const char *ad_domain,
++-                       const char *ad_site_override)
+++                       const char *ad_site_override,
+++                       bool ad_use_ldaps)
++ {
++     struct ad_srv_plugin_ctx *ctx = NULL;
++     errno_t ret;
++@@ -515,6 +523,7 @@
++     ctx->be_res = be_res;
++     ctx->host_dbs = host_dbs;
++     ctx->opts = opts;
+++    ctx->ad_use_ldaps = ad_use_ldaps;
++
++     ctx->hostname = talloc_strdup(ctx, hostname);
++     if (ctx->hostname == NULL) {
++@@ -714,6 +723,7 @@
++                                      state->ctx->host_dbs,
++                                      state->ctx->opts,
++                                      state->discovery_domain,
+++                                     state->ctx->ad_use_ldaps,
++                                      dcs, num_dcs);
++     if (subreq == NULL) {
++         ret = ENOMEM;
++Index: sssd-2.2.3/src/providers/ad/ad_srv.h
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ad/ad_srv.h	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/providers/ad/ad_srv.h	2020-10-12 17:03:42.796491375 +1300
++@@ -31,7 +31,8 @@
++                        struct sdap_options *opts,
++                        const char *hostname,
++                        const char *ad_domain,
++-                       const char *ad_site_override);
+++                       const char *ad_site_override,
+++                       bool ad_use_ldaps);
++
++ struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
++                                        struct tevent_context *ev,
++Index: sssd-2.2.3/src/providers/ad/ad_subdomains.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ad/ad_subdomains.c	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/providers/ad/ad_subdomains.c	2020-10-12 17:03:42.800491430 +1300
++@@ -282,6 +282,7 @@
++     bool use_kdcinfo = false;
++     size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;
++     size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;
+++    bool ad_use_ldaps = false;
++
++     realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
++     hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
++@@ -312,6 +313,21 @@
++         return ENOMEM;
++     }
++
+++    ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,
+++                                    ad_options->basic,
+++                                    be_ctx->cdb, subdom_conf_path,
+++                                    AD_USE_LDAPS);
+++    if (ret != EOK) {
+++        DEBUG(SSSDBG_CRIT_FAILURE,
+++              "Failed to inherit option [%s] to sub-domain [%s]. "
+++              "This error is ignored but might cause issues or unexpected "
+++              "behavior later on.\n",
+++              id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,
+++              subdom->name);
+++
+++        return ret;
+++    }
+++
++     ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
++                                     ad_options->id->basic,
++                                     be_ctx->cdb, subdom_conf_path,
++@@ -344,6 +360,7 @@
++
++     servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
++     backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
+++    ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
++
++     if (id_ctx->ad_options->auth_ctx != NULL
++             && id_ctx->ad_options->auth_ctx->opts != NULL) {
++@@ -362,7 +379,7 @@
++
++     ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
++                            subdom->realm, service_name, gc_service_name,
++-                           subdom->name, use_kdcinfo,
+++                           subdom->name, use_kdcinfo, ad_use_ldaps,
++                            n_lookahead_primary,
++                            n_lookahead_backup,
++                            &ad_options->service);
++@@ -386,7 +403,7 @@
++                                      ad_id_ctx->ad_options->id,
++                                      hostname,
++                                      ad_domain,
++-                                     ad_site_override);
+++                                     ad_site_override, ad_use_ldaps);
++     if (srv_ctx == NULL) {
++         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
++         return ENOMEM;
++Index: sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ipa/ipa_subdomains_server.c	2020-10-12 17:03:42.800491430 +1300
+++++ sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c	2020-10-12 17:03:42.800491430 +1300
++@@ -319,7 +319,7 @@
++     ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
++                            subdom->realm,
++                            service_name, gc_service_name,
++-                           subdom->name, use_kdcinfo,
+++                           subdom->name, use_kdcinfo, false,
++                            n_lookahead_primary, n_lookahead_backup,
++                            &ad_options->service);
++     if (ret != EOK) {
++@@ -344,7 +344,7 @@
++                                      ad_id_ctx->ad_options->id,
++                                      id_ctx->server_mode->hostname,
++                                      ad_domain,
++-                                     ad_site_override);
+++                                     ad_site_override, false);
++     if (srv_ctx == NULL) {
++         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
++         return ENOMEM;
 diff --git a/debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch b/debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
 new file mode 100644
 index 0000000..52e11a7
 --- /dev/null
 +++ b/debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
@@ -0,0 +1,174 @@
++Description: ldap: add new option ldap_sasl_maxssf
++Author: Sumit Bose <sbose@redhat.com>
++From: Matthew Ruffell <matthew.ruffell@canonical.com>
++Origin: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
++Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
++Bug-Ubuntu: https://launchpad.net/bugs/1868703
++
++Index: sssd-2.2.3/src/config/SSSDConfig/__init__.py.in
++===================================================================
++--- sssd-2.2.3.orig/src/config/SSSDConfig/__init__.py.in	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/config/SSSDConfig/__init__.py.in	2020-10-12 17:03:58.896712553 +1300
++@@ -305,6 +305,7 @@
++     'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
++     'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
++     'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
+++    'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'),
++     'ldap_krb5_keytab' : _('Kerberos service keytab'),
++     'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
++     'ldap_referrals' : _('Follow LDAP referrals'),
++Index: sssd-2.2.3/src/config/cfg_rules.ini
++===================================================================
++--- sssd-2.2.3.orig/src/config/cfg_rules.ini	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/config/cfg_rules.ini	2020-10-12 17:03:58.896712553 +1300
++@@ -663,6 +663,7 @@
++ option = ldap_sasl_canonicalize
++ option = ldap_sasl_mech
++ option = ldap_sasl_minssf
+++option = ldap_sasl_maxssf
++ option = ldap_schema
++ option = ldap_pwmodify_mode
++ option = ldap_search_base
++Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf
++===================================================================
++--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ad.conf	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf	2020-10-12 17:03:58.896712553 +1300
++@@ -41,6 +41,7 @@
++ ldap_sasl_mech = str, None, false
++ ldap_sasl_authid = str, None, false
++ ldap_sasl_minssf = int, None, false
+++ldap_sasl_maxssf = int, None, false
++ krb5_kdcip = str, None, false
++ krb5_server = str, None, false
++ krb5_backup_server = str, None, false
++Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf
++===================================================================
++--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ipa.conf	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf	2020-10-12 17:03:58.896712553 +1300
++@@ -32,6 +32,7 @@
++ ldap_sasl_mech = str, None, false
++ ldap_sasl_authid = str, None, false
++ ldap_sasl_minssf = int, None, false
+++ldap_sasl_maxssf = int, None, false
++ krb5_kdcip = str, None, false
++ krb5_server = str, None, false
++ krb5_backup_server = str, None, false
++Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf
++===================================================================
++--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ldap.conf	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf	2020-10-12 17:03:58.896712553 +1300
++@@ -35,6 +35,7 @@
++ ldap_deref_threshold = int, None, false
++ ldap_sasl_canonicalize = bool, None, false
++ ldap_sasl_minssf = int, None, false
+++ldap_sasl_maxssf = int, None, false
++ ldap_connection_expire_timeout = int, None, false
++ ldap_disable_paging = bool, None, false
++ ldap_disable_range_retrieval = bool, None, false
++Index: sssd-2.2.3/src/man/sssd-ldap.5.xml
++===================================================================
++--- sssd-2.2.3.orig/src/man/sssd-ldap.5.xml	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/man/sssd-ldap.5.xml	2020-10-12 17:03:58.896712553 +1300
++@@ -594,6 +594,22 @@
++                 </varlistentry>
++
++                 <varlistentry>
+++                    <term>ldap_sasl_maxssf (integer)</term>
+++                    <listitem>
+++                        <para>
+++                            When communicating with an LDAP server using SASL,
+++                            specify the maximal security level necessary to
+++                            establish the connection. The values of this
+++                            option are defined by OpenLDAP.
+++                        </para>
+++                        <para>
+++                            Default: Use the system default (usually specified
+++                            by ldap.conf)
+++                        </para>
+++                    </listitem>
+++                </varlistentry>
+++
+++                <varlistentry>
++                     <term>ldap_deref_threshold (integer)</term>
++                     <listitem>
++                         <para>
++Index: sssd-2.2.3/src/providers/ad/ad_opts.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ad/ad_opts.c	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/providers/ad/ad_opts.c	2020-10-12 17:03:58.896712553 +1300
++@@ -105,6 +105,7 @@
++     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
++     { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
++     { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+++    { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
++     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
++     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
++     /* use the same parm name as the krb5 module so we set it only once */
++Index: sssd-2.2.3/src/providers/ipa/ipa_opts.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ipa/ipa_opts.c	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/providers/ipa/ipa_opts.c	2020-10-12 17:03:58.896712553 +1300
++@@ -114,6 +114,7 @@
++     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
++     { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
++     { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER },
+++    { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
++     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
++     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
++     /* use the same parm name as the krb5 module so we set it only once */
++Index: sssd-2.2.3/src/providers/ldap/ldap_opts.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ldap/ldap_opts.c	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/providers/ldap/ldap_opts.c	2020-10-12 17:03:58.900712608 +1300
++@@ -74,6 +74,7 @@
++     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
++     { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
++     { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+++    { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
++     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
++     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
++     /* use the same parm name as the krb5 module so we set it only once */
++Index: sssd-2.2.3/src/providers/ldap/sdap.h
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ldap/sdap.h	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/providers/ldap/sdap.h	2020-10-12 17:03:58.900712608 +1300
++@@ -192,6 +192,7 @@
++     SDAP_SASL_AUTHID,
++     SDAP_SASL_REALM,
++     SDAP_SASL_MINSSF,
+++    SDAP_SASL_MAXSSF,
++     SDAP_KRB5_KEYTAB,
++     SDAP_KRB5_KINIT,
++     SDAP_KRB5_KDC,
++Index: sssd-2.2.3/src/providers/ldap/sdap_async_connection.c
++===================================================================
++--- sssd-2.2.3.orig/src/providers/ldap/sdap_async_connection.c	2020-10-12 17:03:58.900712608 +1300
+++++ sssd-2.2.3/src/providers/ldap/sdap_async_connection.c	2020-10-12 17:03:58.900712608 +1300
++@@ -148,6 +148,8 @@
++     const char *sasl_mech;
++     int sasl_minssf;
++     ber_len_t ber_sasl_minssf;
+++    int sasl_maxssf;
+++    ber_len_t ber_sasl_maxssf;
++
++     ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
++     talloc_zfree(subreq);
++@@ -291,6 +293,18 @@
++                 goto fail;
++             }
++         }
+++
+++        sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF);
+++        if (sasl_maxssf >= 0) {
+++            ber_sasl_maxssf = (ber_len_t)sasl_maxssf;
+++            lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX,
+++                                   &ber_sasl_maxssf);
+++            if (lret != LDAP_OPT_SUCCESS) {
+++                DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option "
+++                                            "to %d\n", sasl_maxssf);
+++                goto fail;
+++            }
+++        }
++     }
++
++     /* if we do not use start_tls the connection is not really connected yet
 diff --git a/debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch b/debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
 new file mode 100644
 index 0000000..d750386
 --- /dev/null
 +++ b/debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
@@ -0,0 +1,68 @@
++Description: ad: set min and max ssf for ldaps
++Author: Sumit Bose <sbose@redhat.com>
++From: Matthew Ruffell <matthew.ruffell@canonical.com>
++Origin: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102
++Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
++Bug-Ubuntu: https://launchpad.net/bugs/1868703
++
++--- a/src/providers/ad/ad_common.c
+++++ b/src/providers/ad/ad_common.c
++@@ -1021,6 +1021,23 @@
++     return;
++ }
++
+++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)
+++{
+++    int ret;
+++
+++    DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");
+++    ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);
+++    if (ret != EOK) {
+++        DEBUG(SSSDBG_CRIT_FAILURE,
+++              "Failed to set SASL minssf for ldaps usage, ignored.\n");
+++    }
+++    ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);
+++    if (ret != EOK) {
+++        DEBUG(SSSDBG_CRIT_FAILURE,
+++              "Failed to set SASL maxssf for ldaps usage, ignored.\n");
+++    }
+++}
+++
++ static errno_t
++ ad_set_sdap_options(struct ad_options *ad_opts,
++                     struct sdap_options *id_opts)
++@@ -1079,6 +1096,10 @@
++         goto done;
++     }
++
+++    if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {
+++        ad_set_ssf_for_ldaps(id_opts);
+++    }
+++
++     /* Warn if the user is doing something silly like overriding the schema
++      * with the AD provider
++      */
++--- a/src/providers/ad/ad_common.h
+++++ b/src/providers/ad/ad_common.h
++@@ -181,6 +181,8 @@
++ ad_get_dyndns_options(struct be_ctx *be_ctx,
++                       struct ad_options *ad_opts);
++
+++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);
+++
++ struct ad_id_ctx *
++ ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx);
++
++--- a/src/providers/ad/ad_subdomains.c
+++++ b/src/providers/ad/ad_subdomains.c
++@@ -328,6 +328,10 @@
++         return ret;
++     }
++
+++    if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {
+++        ad_set_ssf_for_ldaps(ad_options->id);
+++    }
+++
++     ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
++                                     ad_options->id->basic,
++                                     be_ctx->cdb, subdom_conf_path,
 diff --git a/debian/patches/series b/debian/patches/series
 index 9ec26db..4b402cf 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -2,3 +2,7 @@ fix-python3.8-ftbfs.diff
  fix-whitespace-test.diff
  default-to-socket-activated-services.diff
  fix-946847.diff
++lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
++lp-1868703-02-ad-add-ad_use_ldaps.patch
++lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
++lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
 diff --git a/debian/rules b/debian/rules
 old mode 100755
 new mode 100644
 index b5d46e2..02a0b29
 --- a/debian/rules
 +++ b/debian/rules
@@ -34,6 +34,7 @@ override_dh_auto_configure:
  	--disable-static \
  	--disable-rpath \
  	--with-autofs \
++	--with-crypto=libcrypto \
  	--with-ssh \
  	--with-initscript=systemd \
  	--with-systemdunitdir=/lib/systemd/system \
@@ -42,6 +43,14 @@ override_dh_auto_configure:
  	--without-python2-bindings \
  	--with-sudo
++override_dh_auto_build:
++	dh_auto_build
++
++	mkdir -p $(CURDIR)/debian/build
++	$(CC) $(CURDIR)/debian/nss-database-pem-exporter/nss-database-pem-exporter.c \
++		$(shell pkg-config --cflags --libs nss) -o \
++		$(CURDIR)/debian/build/nss-database-pem-exporter
++
  override_dh_auto_test:
  	export CK_TIMEOUT_MULTIPLIER=10
  	dh_auto_test -- VERBOSE=yes
@@ -50,6 +59,9 @@ override_dh_auto_test:
  override_dh_auto_install:
  	dh_auto_install --max-parallel=1
++	install -m755 -D $(CURDIR)/debian/build/nss-database-pem-exporter \
++		-t $(CURDIR)/debian/tmp/usr/libexec/sssd/
++
  override_dh_fixperms:
  	dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child
@@ -102,3 +114,4 @@ override_dh_auto_clean:
  	rm -f $(CURDIR)/src/config/*.pyc
  	rm -f $(CURDIR)/po/stamp-po
  	rm -f $(CURDIR)/src/sbus/codegen/__pycache__/*.pyc
++	rm -rf $(CURDIR)/debian/build
 diff --git a/debian/sssd-common.install b/debian/sssd-common.install
 index e0f8ad4..fafdab6 100644
 --- a/debian/sssd-common.install
 +++ b/debian/sssd-common.install
@@ -40,6 +40,7 @@ usr/lib/*/sssd/libsss_util.so
  usr/lib/*/sssd/modules/libsss_autofs.so
  usr/lib/*/sssd/modules/sssd_krb5_localauth_plugin.so
  usr/libexec/sssd/p11_child
++usr/libexec/sssd/nss-database-pem-exporter
  usr/libexec/sssd/sss_signal
  usr/libexec/sssd/sssd_autofs
  usr/libexec/sssd/sssd_be
 diff --git a/debian/sssd-common.postinst b/debian/sssd-common.postinst
 index 295d6a2..6074752 100644
 --- a/debian/sssd-common.postinst
 +++ b/debian/sssd-common.postinst
@@ -20,6 +20,46 @@ set -e
  OUT=/dev/null
  HOME=/var/lib/sss
  LIBDIR=/usr/libexec/sssd
++CA_CERTS_NSSDB=/etc/pki/nssdb
++CA_CERTS_CHAIN=/etc/sssd/pki/sssd_auth_ca_db.pem
++
++get_config_value()
++{
++    if [ ! -f /etc/sssd/sssd.conf ]; then
++        return 0
++    fi
++
++    awk -F '=' '{if (! ($0 ~ /^;/) && ! ($0 ~ /^#/) && $0 ~ /'"$1"'/) print $2}' \
++        /etc/sssd/sssd.conf | tr -d ' ' | tail -n1
++}
++
++is_pem_file()
++{
++    [ -f "$1" ] && \
++        grep -qsI -- "-----BEGIN CERTIFICATE-----" "$1" && \
++        grep -qsI -- "-----END CERTIFICATE-----" "$1"
++}
++
++import_nss_ca_certs()
++{
++    nssdb="$1"
++
++    if is_pem_file "$nssdb"; then
++        return 1
++    fi
++
++    if [ -n "$nssdb" ]; then
++        echo "Importing $nssdb CA certificates to $CA_CERTS_CHAIN"
++        env NSS_DATABASE="$nssdb" \
++            $LIBDIR/nss-database-pem-exporter >> "$CA_CERTS_CHAIN"
++    fi
++}
++
++disable_setting()
++{
++    echo "Disabling sssd.conf setting using invalid value: '$1'"
++    sed -i 's/^[^#;]*'"$1"'\b/#&/' /etc/sssd/sssd.conf || true
++}
  case "$1" in
      configure)
@@ -41,6 +81,7 @@ case "$1" in
              /etc/sssd \
              /var/log/sssd
          chown root:sssd $LIBDIR/p11_child
++        chown root:sssd $LIBDIR/nss-database-pem-exporter
          chmod 4754 $LIBDIR/p11_child
          chmod 755 $HOME/gpo_cache $HOME/mc $HOME/pipes $HOME/pubconf
@@ -52,6 +93,29 @@ case "$1" in
              chown root:root /etc/sssd/sssd.conf
              chmod 0600 /etc/sssd/sssd.conf
          fi
++
++        if dpkg --compare-versions "$2" lt-nl 2.2.3-3ubuntu0.2; then
++            # When upgrading (only), we may need to migrate the NSS
++            # database entries
++            ca_db=$(get_config_value ca_db)
++            pam_cert_db_path=$(get_config_value pam_cert_db_path)
++
++            mkdir -p -m711 "$(dirname "$CA_CERTS_CHAIN")"
++
++            nss_db="$ca_db"
++            [ -z "$nss_db" ] && [ -d "$CA_CERTS_NSSDB" ] && nss_db="$CA_CERTS_NSSDB"
++
++            if import_nss_ca_certs "$nss_db"; then
++                [ "$nss_db" = "$ca_db" ] && \
++                    disable_setting 'ca_db'
++            fi
++
++            if [ "$pam_cert_db_path" != "$nss_db" ]; then
++                if import_nss_ca_certs "$pam_cert_db_path"; then
++                    disable_setting 'pam_cert_db_path'
++                fi
++            fi
++        fi
      ;;
      abort-upgrade|abort-remove|abort-deconfigure)

Ubuntusssd package