Merge ~3v1n0/ubuntu/+source/sssd:ubuntu/focal into ubuntu/+source/sssd:ubuntu/focal
| Status | Superseded |
|---|---|
| Proposed branch | ~3v1n0/ubuntu/+source/sssd:ubuntu/focal |
| Merge into | ubuntu/+source/sssd:ubuntu/focal |
| Diff against target | 1160 lines (+1013/-2), 12 files modified |
| Related bugs | |

Files modified:
- debian/changelog (+40/-0)
- debian/control (+5/-2)
- debian/nss-database-pem-exporter/README.md (+13/-0)
- debian/nss-database-pem-exporter/nss-database-pem-exporter.c (+179/-0)
- debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch (+40/-0)
- debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch (+412/-0)
- debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch (+174/-0)
- debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch (+68/-0)
- debian/patches/series (+4/-0)
- debian/rules (+13/-0)
- debian/sssd-common.install (+1/-0)
- debian/sssd-common.postinst (+64/-0)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Sergio Durigan Junior | | | Pending |
| Dimitri John Ledkov | | | Pending |

Review via email: mp+395410@code.launchpad.net
This proposal has been superseded by a proposal from 2020-12-16.
Commit message
Description of the change
* debian/{control,rules}: Compile using libcrypto as crypto backend
  (LP: #1905790)
* debian/nss-database-pem-exporter: Add to sssd-common and run on postinst.
  When upgrading from previous versions (that were compiled using the NSS
  crypto backend) we need to migrate the trusted CA certificates that the
  user may have added to the SSSD's NSS system database (that defaults to
  /etc/pki/nssdb).
  To do this, and not to introduce a new dependency on libnss3-tools
  (which is not shipped by default, other than making the parsing not
  working in some scenarios) I've added a small C tool that we compile and
  install as part of the sssd-common package which is able to get all the
  trusted CA certificates for a NSS database and export them in PEM
  format.
  The nss-database-pem-exporter is then used in the postinst script where
  we now:
  1. Read the SSSD settings
  2. Convert all the certificates in the configured NSS databases
  3. Store them all, appending them to the (new) default location
     (/etc/sssd/pki/sssd_auth_ca_db.pem)
  4. Disables the configured locations if pointing to NSS dbs (needed or
     we'll leave the configuration with broken values).
  At this point nss-database-pem-exporter is then the only binary in the
  package that still depends on NSS libraries. (LP: #1905790)
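As an added example, not the postinst script from this merge (which is not shown on the page), here is a Python model of steps 1 to 4 above: it finds the sssd.conf options that point at an NSS database, exports each database once through the new tool (via its NSS_DATABASE variable, as the README describes), collects the PEM output for the new default bundle and comments the stale options out. The option names pam_cert_db_path and ca_db and the tool's install path are assumptions.

```python
import os
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# New default CA bundle location named in the changelog.
PEM_DEFAULT = "/etc/sssd/pki/sssd_auth_ca_db.pem"
# Install path of the exporter inside sssd-common: an assumption for this example.
EXPORTER_TOOL = "/usr/lib/sssd/nss-database-pem-exporter"
# sssd.conf options that may reference an NSS database (assumption: these are
# the settings the postinst inspects; the merge proposal does not list them).
NSSDB_OPTIONS: Dict[str, set] = {"pam": {"pam_cert_db_path"}, "ssh": {"ca_db"}}

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_OPTION = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def nssdb_dir(value: str, isdir: Callable[[str], bool] = os.path.isdir):
    """Return the NSS database directory a config value points at, or None.

    NSS accepts 'sql:' and 'dbm:' prefixed paths as well as a bare directory;
    a plain file path (already a PEM bundle) is not an NSS database.
    """
    path = value.strip()
    for prefix in ("sql:", "dbm:"):
        if path.startswith(prefix):
            return path[len(prefix):] or None
    return path if path and isdir(path) else None


def run_exporter(db_dir: str, tool: str = EXPORTER_TOOL) -> str:
    """Step 2 for one database: run the exporter, which reads the database
    from NSS_DATABASE and writes the trusted CA certificates as PEM to stdout."""
    env = dict(os.environ, NSS_DATABASE=db_dir)
    proc = subprocess.run([tool], env=env, check=True, capture_output=True, text=True)
    return proc.stdout


def migrate_config(conf_text: str, exporter: Callable[[str], str] = run_exporter,
                   isdir: Callable[[str], bool] = os.path.isdir,
                   pem_path: str = PEM_DEFAULT) -> Tuple[str, str, List[str]]:
    """Steps 1, 2 and 4 on the text of sssd.conf.

    Returns (rewritten config, PEM text to append to pem_path, databases
    exported). Options pointing at an NSS db are commented out (step 4) so the
    new PEM default applies; all other lines are preserved verbatim, and a
    database referenced by several options is exported only once.
    """
    out: List[str] = []
    exported: Dict[str, str] = {}
    section = None
    for line in conf_text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip()
            out.append(line)
            continue
        m = _OPTION.match(line)
        if m and m.group(1) in NSSDB_OPTIONS.get(section, set()):
            db = nssdb_dir(m.group(2), isdir)
            if db is not None:
                if db not in exported:
                    exported[db] = exporter(db)
                out.append(f"# migrated to {pem_path} by sssd-common postinst")
                out.append(f"# {line.strip()}")
                continue
        out.append(line)
    pem_text = "".join(exported[db] for db in exported)
    return "\n".join(out) + "\n", pem_text, list(exported)


def apply_migration(conf_path: str, pem_path: str = PEM_DEFAULT,
                    exporter: Callable[[str], str] = run_exporter) -> List[str]:
    """Step 3 plus file handling: append the exported certificates to pem_path
    and rewrite sssd.conf in place. Returns the databases that were migrated."""
    with open(conf_path, encoding="utf-8") as fh:
        new_conf, pem_text, dbs = migrate_config(fh.read(), exporter, pem_path=pem_path)
    if dbs:
        os.makedirs(os.path.dirname(pem_path), mode=0o755, exist_ok=True)
        with open(pem_path, "a", encoding="utf-8") as fh:
            fh.write(pem_text)
        with open(conf_path, "w", encoding="utf-8") as fh:
            fh.write(new_conf)
    return dbs


# Constructed sample sssd.conf for a stand-alone run (not taken from the page).
SAMPLE_CONF = """[sssd]
services = nss, pam, ssh

[pam]
pam_cert_db_path = /etc/pki/nssdb

[ssh]
ca_db = sql:/etc/pki/nssdb
"""

if __name__ == "__main__":
    # Stub exporter and directory check so the demo needs no NSS database.
    conf, pem, dbs = migrate_config(SAMPLE_CONF, lambda db: f"<PEM from {db}>\n",
                                    isdir=lambda p: p == "/etc/pki/nssdb")
    print(conf, pem, dbs, sep="\n")
```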
Unmerged commits
- 12b101c... by Marco Trevisan (Treviño)
  Update changelog
- 1efa142... by Marco Trevisan (Treviño)
  debian/control: Update Maintainer to Ubuntu devs
- 5abb018... by Marco Trevisan (Treviño)
  debian: Add nss-database-pem-exporter tool to the package and run it on postinst
  When upgrading from previous versions (that were compiled using the NSS
  crypto backend) we need to migrate the trusted CA certificates that the
  user may have added to the SSSD's NSS system database (that defaults to
  /etc/pki/nssdb).
  To do this, and not to introduce a new dependency on libnss3-tools
  (which is not shipped by default, other than making the parsing not
  working in some scenarios) I've added a small C tool that we compile and
  install as part of the sssd-common package which is able to get all the
  trusted CA certificates for a NSS database and export them in PEM
  format.
  The nss-database-pem-exporter is then used in the postinst script where
  we now:
  1. Read the SSSD settings
  2. Convert all the certificates in the configured NSS databases
  3. Store them all, appending them to the (new) default location
     (/etc/sssd/pki/sssd_auth_ca_db.pem)
  4. Disables the configured locations if pointing to NSS dbs (needed or
     we'll leave the configuration with broken values).
  At this point nss-database-pem-exporter is then the only binary in the
  package that still depends on NSS libraries.
  LP: #1905790
- 42776ad... by Marco Trevisan (Treviño)
  debian/{control, rules}: Compile using libcrypto as crypto backend
  LP: #1905790
- 1e71d90... by Matthew Ruffell
  2.2.3-3ubuntu0.1 (patches unapplied)
  Imported using git-ubuntu import.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 2202352..d9d580d 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,43 @@ |
6 | +sssd (2.2.3-3ubuntu0.2) UNRELEASED; urgency=medium |
7 | + |
8 | + * debian/{control,rules}: Compile using libcrypto as crypto backend |
9 | + (LP: #1905790) |
10 | + * debian/nss-database-pem-exporter: Add to sssd-common and run on postinst. |
11 | + When upgrading from previous versions (that were compiled using the NSS |
12 | + crypto backend) we need to migrate the trusted CA certificates that the |
13 | + user may have added to the SSSD's NSS system database (that defaults to |
14 | + /etc/pki/nssdb). |
15 | + To do this, and not to introduce a new dependency on libnss3-tools |
16 | + (which is not shipped by default, other than making the parsing not |
17 | + working in some scenarios) I've added a small C tool that we compile and |
18 | + install as part of the sssd-common package which is able to get all the |
19 | + trusted CA certificates for a NSS database and export them in PEM |
20 | + format. |
21 | + The nss-database-pem-exporter is then used in the postinst script where |
22 | + we now: |
23 | + 1. Read the SSSD settings |
24 | + 2. Convert all the certificates in the configured NSS databases |
25 | + 3. Store them all, appending them to the (new) default location |
26 | + (/etc/sssd/pki/sssd_auth_ca_db.pem) |
27 | + 4. Disables the configured locations if pointing to NSS dbs (needed or |
28 | + we'll leave the configuration with broken values). |
29 | + At this point nss-database-pem-exporter is then the only binary in the |
30 | + package that still depends on NSS libraries. (LP: #1905790) |
31 | + * debian/control: Update Maintainer to Ubuntu devs |
32 | + |
33 | + -- Marco Trevisan (Treviño) <marco@ubuntu.com> Wed, 16 Dec 2020 04:56:07 +0100 |
34 | + |
35 | +sssd (2.2.3-3ubuntu0.1) focal; urgency=medium |
36 | + |
37 | + * Enable support for "ad_use_ldaps" for new Active Directory |
38 | + requirement ADV190023 (LP: #1868703): |
39 | + - d/p/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch |
40 | + - d/p/lp-1868703-02-ad-add-ad_use_ldaps.patch |
41 | + - d/p/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch |
42 | + - d/p/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch |
43 | + |
44 | + -- Matthew Ruffell <matthew.ruffell@canonical.com> Tue, 10 Nov 2020 11:59:08 +1300 |
45 | + |
46 | sssd (2.2.3-3) unstable; urgency=medium |
47 | |
48 | * libnss-sss: Fix a typo in adding the NSS entry for automount. |
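Review bot: the 2.2.3-3ubuntu0.2 entry still carries the UNRELEASED distribution (hunk line 6) and must name the target pocket before upload. The same entry does not record the build-dependency changes made in debian/control (libnss-wrapper dropped; libp11-kit-dev, libsofthsm2 and libssl-dev added), and `(LP: #1905790)` is cited twice for one entry where a single reference is enough. Minor: step 4 says "Disables" where the other steps use the imperative ("Disable").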
49 | diff --git a/debian/control b/debian/control |
50 | index 648a240..d4652d2 100644 |
51 | --- a/debian/control |
52 | +++ b/debian/control |
53 | @@ -1,7 +1,8 @@ |
54 | Source: sssd |
55 | Section: utils |
56 | Priority: optional |
57 | -Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net> |
58 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
59 | +XSBC-Original-Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net> |
60 | Uploaders: Timo Aaltonen <tjaalton@debian.org>, |
61 | Dominik George <natureshadow@debian.org> |
62 | Build-Depends: |
63 | @@ -36,8 +37,8 @@ Build-Depends: |
64 | libnl-3-dev [linux-any], |
65 | libnl-route-3-dev [linux-any], |
66 | libnspr4-dev, |
67 | - libnss-wrapper, |
68 | libnss3-dev, |
69 | + libp11-kit-dev, |
70 | libpam0g-dev | libpam-dev, |
71 | libpcre3-dev, |
72 | libpopt-dev, |
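Review bot: removing `libnss-wrapper` from Build-Depends is not explained anywhere in the changelog; nss_wrapper is used by SSSD's cwrap-based test suite, so either confirm that configure now skips those tests cleanly or keep the dependency, since switching the crypto backend does not require dropping it. `libnss3-dev` correctly stays, as the new nss-database-pem-exporter tool links against NSS.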
73 | @@ -45,6 +46,8 @@ Build-Depends: |
74 | libselinux1-dev [linux-any], |
75 | libsemanage1-dev [linux-any], |
76 | libsmbclient-dev, |
77 | + libsofthsm2 <!nocheck>, |
78 | + libssl-dev, |
79 | libsystemd-dev [linux-any], |
80 | libtalloc-dev, |
81 | libtdb-dev, |
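Review bot: restricting `libsofthsm2` with `<!nocheck>` is right since it is only exercised by the tests, but with both `libnss3-dev` and the new `libssl-dev` present at build time the crypto backend has to be selected explicitly in debian/rules (the changelog says this is done) rather than left to the configure default; worth double-checking, because a build that silently stays on NSS would make the postinst migrate certificates into a bundle the daemon never reads.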
82 | diff --git a/debian/nss-database-pem-exporter/README.md b/debian/nss-database-pem-exporter/README.md |
83 | new file mode 100644 |
84 | index 0000000..919d5cd |
85 | --- /dev/null |
86 | +++ b/debian/nss-database-pem-exporter/README.md |
87 | @@ -0,0 +1,13 @@ |
88 | +# NSS Database Certificates exporter |
89 | + |
90 | +A simple tool to export all the trusted CA certificates in a NSS database |
91 | +(aka nssdb, usually in `~/.pki/nssdb` or `/etc/pki/nssdb`) as a chained cert |
92 | +PEM cert file. |
93 | + |
94 | + ./nss-database-pem-exporter > chained-certs.pem |
95 | + |
96 | +You can verify the parsed content using: |
97 | + |
98 | + openssl crl2pkcs7 -nocrl -certfile chained-certs.pem | openssl pkcs7 -print_certs -text -noout |
99 | + |
100 | +It defaults to `/etc/pki/nssdb`, use `NSS_DATABASE` env variable to override it. |
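Review bot: "as a chained cert PEM cert file" repeats "cert"; "as a single PEM bundle" reads better. The README should also state that only certificates whose trust flags mark them as trusted CAs are exported (the tool skips everything else and reports the reason on stderr), so a reader knows why a certificate they imported without CA trust is missing from the output.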
101 | diff --git a/debian/nss-database-pem-exporter/nss-database-pem-exporter.c b/debian/nss-database-pem-exporter/nss-database-pem-exporter.c |
102 | new file mode 100644 |
103 | index 0000000..e3afebc |
104 | --- /dev/null |
105 | +++ b/debian/nss-database-pem-exporter/nss-database-pem-exporter.c |
106 | @@ -0,0 +1,179 @@ |
107 | +/* |
108 | + * This file is part of the nss-database-pem-exporter distribution. |
109 | + * Copyright (c) 2020 Marco Trevisan <marco.trevisan@canonical.com>. |
110 | + * |
111 | + * This program is free software: you can redistribute it and/or modify |
112 | + * it under the terms of the GNU General Public License as published by |
113 | + * the Free Software Foundation, version 3. |
114 | + * |
115 | + * This program is distributed in the hope that it will be useful, but |
116 | + * WITHOUT ANY WARRANTY; without even the implied warranty of |
117 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
118 | + * General Public License for more details. |
119 | + * |
120 | + * You should have received a copy of the GNU General Public License |
121 | + * along with this program. If not, see <http://www.gnu.org/licenses/>. |
122 | + */ |
123 | + |
124 | +#include <assert.h> |
125 | +#include <stdbool.h> |
126 | +#include <stdio.h> |
127 | +#include <stdlib.h> |
128 | +#include <string.h> |
129 | + |
130 | +#include <nss.h> |
131 | +#include <nss/base64.h> |
132 | +#include <nss/cert.h> |
133 | +#include <nss/certdb.h> |
134 | +#include <nss/pk11func.h> |
135 | + |
136 | +#define NSS_DATABASE_PATH "/etc/pki/nssdb" |
137 | +#define OPEN_FLAGS (NSS_INIT_READONLY | NSS_INIT_NOROOTINIT | NSS_INIT_FORCEOPEN) |
138 | + |
139 | +#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----" |
140 | +#define NS_CERT_TRAILER "-----END CERTIFICATE-----" |
141 | + |
142 | +static SECStatus |
143 | +print_ascii_certificate (CERTCertDBHandle *handle, |
144 | + const CERTCertificate *cert) |
145 | +{ |
146 | + CERTCertList *certs; |
147 | + CERTCertListNode *node; |
148 | + |
149 | + certs = CERT_CreateSubjectCertList (NULL, handle, &cert->derSubject, |
150 | + PR_Now (), PR_FALSE); |
151 | + |
152 | + for (node = CERT_LIST_HEAD (certs); !CERT_LIST_END (node, certs); |
153 | + node = CERT_LIST_NEXT (node)) |
154 | + { |
155 | + CERTCertificate *c = node->cert; |
156 | + char *ascii_cert = BTOA_DataToAscii (c->derCert.data, c->derCert.len); |
157 | + |
158 | + fprintf (stdout, NS_CERT_HEADER "\n"); |
159 | + fprintf (stdout, "%s\n", ascii_cert); |
160 | + fprintf (stdout, NS_CERT_TRAILER "\n"); |
161 | + |
162 | + free (ascii_cert); |
163 | + } |
164 | + |
165 | + if (certs) |
166 | + CERT_DestroyCertList (certs); |
167 | + |
168 | + return SECSuccess; |
169 | +} |
170 | + |
171 | +const char * |
172 | +get_cert_name (CERTCertListNode *node) |
173 | +{ |
174 | + CERTCertificate * cert = node->cert; |
175 | + const char *name = node->appData; |
176 | + |
177 | + if (name && *name != '\0') |
178 | + return name; |
179 | + |
180 | + name = cert->nickname; |
181 | + if (name && *name != '\0') |
182 | + return name; |
183 | + |
184 | + name = cert->emailAddr; |
185 | + if (name && *name != '\0') |
186 | + return name; |
187 | + |
188 | + return NULL; |
189 | +} |
190 | + |
191 | +bool |
192 | +check_trusted_flags (unsigned int flags) |
193 | +{ |
194 | + if (!(flags & CERTDB_VALID_CA)) |
195 | + return false; |
196 | + |
197 | + /* Just return true here in any case (to handle the 'c' flag)? */ |
198 | + return (flags & (CERTDB_TRUSTED | |
199 | + CERTDB_TRUSTED_CA | |
200 | + CERTDB_TRUSTED_CLIENT_CA | |
201 | + CERTDB_GOVT_APPROVED_CA)) != 0; |
202 | +} |
203 | + |
204 | +bool |
205 | +cert_is_trusted (const CERTCertificate *cert) |
206 | +{ |
207 | + CERTCertTrust *trust = cert->trust; |
208 | + |
209 | + if (!trust) |
210 | + return false; |
211 | + |
212 | + if (check_trusted_flags (trust->sslFlags)) |
213 | + return true; |
214 | + |
215 | + if (check_trusted_flags (trust->emailFlags)) |
216 | + return true; |
217 | + |
218 | + if (check_trusted_flags (trust->objectSigningFlags)) |
219 | + return true; |
220 | + |
221 | + return false; |
222 | +} |
223 | + |
224 | +static SECStatus |
225 | +print_trusted_certificates (CERTCertDBHandle *handle) |
226 | +{ |
227 | + CERTCertList *list; |
228 | + CERTCertListNode *node; |
229 | + |
230 | + list = PK11_ListCerts (PK11CertListCA, NULL); |
231 | + for (node = CERT_LIST_HEAD (list); !CERT_LIST_END (node, list); |
232 | + node = CERT_LIST_NEXT (node)) |
233 | + { |
234 | + CERTCertificate *cert = node->cert; |
235 | + const char *cert_name = get_cert_name (node); |
236 | + |
237 | + if (!(cert->nsCertType & NS_CERT_TYPE_CA)) |
238 | + continue; |
239 | + |
240 | + fprintf (stderr, "Found CA certificate %s\n", cert_name); |
241 | + if (!cert) |
242 | + continue; |
243 | + |
244 | + if (!cert_is_trusted (cert)) |
245 | + { |
246 | + fprintf (stderr, "Certificate %s is not a trusted CA certificate, ignoring\n", |
247 | + cert_name); |
248 | + continue; |
249 | + } |
250 | + |
251 | + print_ascii_certificate (handle, cert); |
252 | + } |
253 | + |
254 | + if (list) |
255 | + CERT_DestroyCertList (list); |
256 | + return SECSuccess; |
257 | +} |
258 | + |
259 | +int |
260 | +main (void) |
261 | +{ |
262 | + CERTCertDBHandle *certHandle; |
263 | + const char *nssdb; |
264 | + int exit_status = EXIT_SUCCESS; |
265 | + |
266 | + nssdb = getenv ("NSS_DATABASE"); |
267 | + if (!nssdb || !*nssdb) |
268 | + nssdb = NSS_DATABASE_PATH; |
269 | + |
270 | + if (NSS_Initialize (nssdb, NULL, NULL, |
271 | + "secmod.db", OPEN_FLAGS) != SECSuccess) |
272 | + { |
273 | + fprintf (stderr, "Failed to open database %s\n", nssdb); |
274 | + return EXIT_FAILURE; |
275 | + } |
276 | + |
277 | + certHandle = CERT_GetDefaultCertDB (); |
278 | + if (print_trusted_certificates (certHandle) != SECSuccess) |
279 | + exit_status = EXIT_FAILURE; |
280 | + |
281 | + if (NSS_Shutdown () != SECSuccess) |
282 | + return EXIT_FAILURE; |
283 | + |
284 | + return exit_status; |
285 | +} |
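Review bot: in print_trusted_certificates the `if (!cert) continue;` guard sits after `cert->nsCertType` has already been dereferenced (and after get_cert_name() has read node->cert), so it can never catch a NULL; move it to the top of the loop body or drop it. More important for what the output is used for: print_ascii_certificate calls CERT_CreateSubjectCertList on `cert->derSubject` and prints every certificate in the database with that subject, so a certificate that merely shares a trusted CA's subject name but carries no trust flags would land in sssd_auth_ca_db.pem as a trusted CA. Emitting only the `derCert` of the certificate that just passed cert_is_trusted avoids this and also removes the unchecked NULL return of the subject list (`CERT_LIST_HEAD (certs)` runs before the `if (certs)` test). Smaller points: the buffer returned by BTOA_DataToAscii is PORT_Alloc'd and should be released with PORT_Free rather than free(), its NULL return is not checked, get_cert_name() can return NULL which is then passed to a `%s` format, and `<assert.h>` and `<string.h>` are included but unused.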
286 | diff --git a/debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch b/debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch |
287 | new file mode 100644 |
288 | index 0000000..0d62fc5 |
289 | --- /dev/null |
290 | +++ b/debian/patches/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch |
291 | @@ -0,0 +1,40 @@ |
292 | +Description: ad: allow booleans for ad_inherit_opts_if_needed() |
293 | +Author: Sumit Bose <sbose@redhat.com> |
294 | +From: Matthew Ruffell <matthew.ruffell@canonical.com> |
295 | +Origin: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83 |
296 | +Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 |
297 | +Bug-Ubuntu: https://launchpad.net/bugs/1868703 |
298 | + |
299 | +Index: sssd-2.2.3/src/providers/ad/ad_common.c |
300 | +=================================================================== |
301 | +--- sssd-2.2.3.orig/src/providers/ad/ad_common.c 2020-10-12 17:03:20.688186858 +1300 |
302 | ++++ sssd-2.2.3/src/providers/ad/ad_common.c 2020-10-12 17:03:20.684186803 +1300 |
303 | +@@ -1479,9 +1479,26 @@ |
304 | + const char *parent_val = NULL; |
305 | + char *dummy = NULL; |
306 | + char *option_list[2] = { NULL, NULL }; |
307 | ++ bool is_default = true; |
308 | + |
309 | +- parent_val = dp_opt_get_cstring(parent_opts, opt_id); |
310 | +- if (parent_val != NULL) { |
311 | ++ switch (parent_opts[opt_id].type) { |
312 | ++ case DP_OPT_STRING: |
313 | ++ parent_val = dp_opt_get_cstring(parent_opts, opt_id); |
314 | ++ break; |
315 | ++ case DP_OPT_BOOL: |
316 | ++ /* For booleans it is hard to say if the option is set or not since |
317 | ++ * both possible values are valid ones. So we check if the value is |
318 | ++ * different from the default and skip if it is the default. In this |
319 | ++ * case the sub-domain option would either be the default as well or |
320 | ++ * manully set and in both cases we do not have to change it. */ |
321 | ++ is_default = (parent_opts[opt_id].val.boolean |
322 | ++ == parent_opts[opt_id].def_val.boolean); |
323 | ++ break; |
324 | ++ default: |
325 | ++ DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n"); |
326 | ++ } |
327 | ++ |
328 | ++ if (parent_val != NULL || !is_default) { |
329 | + ret = confdb_get_string(cdb, NULL, subdom_conf_path, |
330 | + parent_opts[opt_id].opt_name, NULL, &dummy); |
331 | + if (ret != EOK) { |
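Review bot: the DEP-3 header carries both `Author:` and `From:`; DEP-3 treats them as the same field, so this credits two authors for a patch whose upstream author is Sumit Bose alone. Keep a single Author line and record the backporter elsewhere (the changelog already does). The "manully" typo in the added comment comes from the upstream commit and can stay so the backport matches 090cf77a; the `default:` label in the new switch has no `break`, which is harmless only because it is the last label.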
332 | diff --git a/debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch b/debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch |
333 | new file mode 100644 |
334 | index 0000000..d5d2831 |
335 | --- /dev/null |
336 | +++ b/debian/patches/lp-1868703-02-ad-add-ad_use_ldaps.patch |
337 | @@ -0,0 +1,412 @@ |
338 | +Description: ad: add ad_use_ldaps |
339 | +Author: Sumit Bose <sbose@redhat.com> |
340 | +From: Matthew Ruffell <matthew.ruffell@canonical.com> |
341 | +Origin: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7 |
342 | +Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 |
343 | +Bug-Ubuntu: https://launchpad.net/bugs/1868703 |
344 | + |
345 | +Index: sssd-2.2.3/src/config/SSSDConfig/__init__.py.in |
346 | +=================================================================== |
347 | +--- sssd-2.2.3.orig/src/config/SSSDConfig/__init__.py.in 2020-10-12 17:03:42.800491430 +1300 |
348 | ++++ sssd-2.2.3/src/config/SSSDConfig/__init__.py.in 2020-10-12 17:03:42.796491375 +1300 |
349 | +@@ -252,6 +252,7 @@ |
350 | + 'ad_site' : _('a particular site to be used by the client'), |
351 | + 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'), |
352 | + 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'), |
353 | ++ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'), |
354 | + |
355 | + # [provider/krb5] |
356 | + 'krb5_kdcip' : _('Kerberos server address'), |
357 | +Index: sssd-2.2.3/src/config/cfg_rules.ini |
358 | +=================================================================== |
359 | +--- sssd-2.2.3.orig/src/config/cfg_rules.ini 2020-10-12 17:03:42.800491430 +1300 |
360 | ++++ sssd-2.2.3/src/config/cfg_rules.ini 2020-10-12 17:03:42.796491375 +1300 |
361 | +@@ -464,6 +464,7 @@ |
362 | + option = ad_maximum_machine_account_password_age |
363 | + option = ad_server |
364 | + option = ad_site |
365 | ++option = ad_use_ldaps |
366 | + |
367 | + # IPA provider specific options |
368 | + option = ipa_anchor_uuid |
369 | +Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf |
370 | +=================================================================== |
371 | +--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-12 17:03:42.800491430 +1300 |
372 | ++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-12 17:03:42.796491375 +1300 |
373 | +@@ -20,6 +20,7 @@ |
374 | + ad_site = str, None, false |
375 | + ad_maximum_machine_account_password_age = int, None, false |
376 | + ad_machine_account_password_renewal_opts = str, None, false |
377 | ++ad_use_ldaps = bool, None, false |
378 | + ldap_uri = str, None, false |
379 | + ldap_backup_uri = str, None, false |
380 | + ldap_search_base = str, None, false |
381 | +Index: sssd-2.2.3/src/man/sssd-ad.5.xml |
382 | +=================================================================== |
383 | +--- sssd-2.2.3.orig/src/man/sssd-ad.5.xml 2020-10-12 17:03:42.800491430 +1300 |
384 | ++++ sssd-2.2.3/src/man/sssd-ad.5.xml 2020-10-12 17:03:42.796491375 +1300 |
385 | +@@ -1016,6 +1016,26 @@ |
386 | + </varlistentry> |
387 | + |
388 | + <varlistentry> |
389 | ++ <term>ad_use_ldaps (bool)</term> |
390 | ++ <listitem> |
391 | ++ <para> |
392 | ++ By default SSSD uses the plain LDAP port 389 and the |
393 | ++ Global Catalog port 3628. If this option is set to |
394 | ++ True SSSD will use the LDAPS port 636 and Global |
395 | ++ Catalog port 3629 with LDAPS protection. Since AD |
396 | ++ does not allow to have multiple encryption layers on |
397 | ++ a single connection and we still want to use |
398 | ++ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication |
399 | ++ the SASL security property maxssf is set to 0 (zero) |
400 | ++ for those connections. |
401 | ++ </para> |
402 | ++ <para> |
403 | ++ Default: False |
404 | ++ </para> |
405 | ++ </listitem> |
406 | ++ </varlistentry> |
407 | ++ |
408 | ++ <varlistentry> |
409 | + <term>dyndns_update (boolean)</term> |
410 | + <listitem> |
411 | + <para> |
412 | +Index: sssd-2.2.3/src/providers/ad/ad_common.c |
413 | +=================================================================== |
414 | +--- sssd-2.2.3.orig/src/providers/ad/ad_common.c 2020-10-12 17:03:42.800491430 +1300 |
415 | ++++ sssd-2.2.3/src/providers/ad/ad_common.c 2020-10-12 17:03:42.796491375 +1300 |
416 | +@@ -729,6 +729,7 @@ |
417 | + const char *ad_gc_service, |
418 | + const char *ad_domain, |
419 | + bool use_kdcinfo, |
420 | ++ bool ad_use_ldaps, |
421 | + size_t n_lookahead_primary, |
422 | + size_t n_lookahead_backup, |
423 | + struct ad_service **_service) |
424 | +@@ -746,6 +747,16 @@ |
425 | + goto done; |
426 | + } |
427 | + |
428 | ++ if (ad_use_ldaps) { |
429 | ++ service->ldap_scheme = "ldaps"; |
430 | ++ service->port = LDAPS_PORT; |
431 | ++ service->gc_port = AD_GC_LDAPS_PORT; |
432 | ++ } else { |
433 | ++ service->ldap_scheme = "ldap"; |
434 | ++ service->port = LDAP_PORT; |
435 | ++ service->gc_port = AD_GC_PORT; |
436 | ++ } |
437 | ++ |
438 | + service->sdap = talloc_zero(service, struct sdap_service); |
439 | + service->gc = talloc_zero(service, struct sdap_service); |
440 | + if (!service->sdap || !service->gc) { |
441 | +@@ -927,7 +938,8 @@ |
442 | + goto done; |
443 | + } |
444 | + |
445 | +- new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name); |
446 | ++ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme, |
447 | ++ srv_name); |
448 | + if (!new_uri) { |
449 | + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n"); |
450 | + ret = ENOMEM; |
451 | +@@ -935,7 +947,7 @@ |
452 | + } |
453 | + DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri); |
454 | + |
455 | +- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT); |
456 | ++ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port); |
457 | + if (sockaddr == NULL) { |
458 | + DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n"); |
459 | + ret = EIO; |
460 | +@@ -951,8 +963,12 @@ |
461 | + talloc_zfree(service->gc->uri); |
462 | + talloc_zfree(service->gc->sockaddr); |
463 | + if (sdata && sdata->gc) { |
464 | +- new_port = fo_get_server_port(server); |
465 | +- new_port = (new_port == 0) ? AD_GC_PORT : new_port; |
466 | ++ if (service->gc_port == AD_GC_LDAPS_PORT) { |
467 | ++ new_port = service->gc_port; |
468 | ++ } else { |
469 | ++ new_port = fo_get_server_port(server); |
470 | ++ new_port = (new_port == 0) ? service->gc_port : new_port; |
471 | ++ } |
472 | + |
473 | + service->gc->uri = talloc_asprintf(service->gc, "%s:%d", |
474 | + new_uri, new_port); |
475 | +Index: sssd-2.2.3/src/providers/ad/ad_common.h |
476 | +=================================================================== |
477 | +--- sssd-2.2.3.orig/src/providers/ad/ad_common.h 2020-10-12 17:03:42.800491430 +1300 |
478 | ++++ sssd-2.2.3/src/providers/ad/ad_common.h 2020-10-12 17:03:42.796491375 +1300 |
479 | +@@ -29,7 +29,8 @@ |
480 | + #define AD_SERVICE_NAME "AD" |
481 | + #define AD_GC_SERVICE_NAME "AD_GC" |
482 | + /* The port the Global Catalog runs on */ |
483 | +-#define AD_GC_PORT 3268 |
484 | ++#define AD_GC_PORT 3268 |
485 | ++#define AD_GC_LDAPS_PORT 3269 |
486 | + |
487 | + #define AD_AT_OBJECT_SID "objectSID" |
488 | + #define AD_AT_DNS_DOMAIN "DnsDomain" |
489 | +@@ -67,6 +68,7 @@ |
490 | + AD_KRB5_CONFD_PATH, |
491 | + AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE, |
492 | + AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS, |
493 | ++ AD_USE_LDAPS, |
494 | + |
495 | + AD_OPTS_BASIC /* opts counter */ |
496 | + }; |
497 | +@@ -82,6 +84,9 @@ |
498 | + struct sdap_service *sdap; |
499 | + struct sdap_service *gc; |
500 | + struct krb5_service *krb5_service; |
501 | ++ const char *ldap_scheme; |
502 | ++ int port; |
503 | ++ int gc_port; |
504 | + }; |
505 | + |
506 | + struct ad_options { |
507 | +@@ -147,6 +152,7 @@ |
508 | + const char *ad_gc_service, |
509 | + const char *ad_domain, |
510 | + bool use_kdcinfo, |
511 | ++ bool ad_use_ldaps, |
512 | + size_t n_lookahead_primary, |
513 | + size_t n_lookahead_backup, |
514 | + struct ad_service **_service); |
515 | +Index: sssd-2.2.3/src/providers/ad/ad_init.c |
516 | +=================================================================== |
517 | +--- sssd-2.2.3.orig/src/providers/ad/ad_init.c 2020-10-12 17:03:42.800491430 +1300 |
518 | ++++ sssd-2.2.3/src/providers/ad/ad_init.c 2020-10-12 17:03:42.796491375 +1300 |
519 | +@@ -138,6 +138,7 @@ |
520 | + char *ad_servers = NULL; |
521 | + char *ad_backup_servers = NULL; |
522 | + char *ad_realm; |
523 | ++ bool ad_use_ldaps = false; |
524 | + errno_t ret; |
525 | + |
526 | + ad_sasl_initialize(); |
527 | +@@ -154,12 +155,14 @@ |
528 | + ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER); |
529 | + ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER); |
530 | + ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM); |
531 | ++ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS); |
532 | + |
533 | + /* Set up the failover service */ |
534 | + ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers, |
535 | + ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME, |
536 | + dp_opt_get_string(ad_options->basic, AD_DOMAIN), |
537 | + false, /* will be set in ad_get_auth_options() */ |
538 | ++ ad_use_ldaps, |
539 | + (size_t) -1, |
540 | + (size_t) -1, |
541 | + &ad_options->service); |
542 | +@@ -184,11 +187,13 @@ |
543 | + const char *ad_site_override; |
544 | + bool sites_enabled; |
545 | + errno_t ret; |
546 | ++ bool ad_use_ldaps; |
547 | + |
548 | + hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME); |
549 | + ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN); |
550 | + ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE); |
551 | + sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES); |
552 | ++ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS); |
553 | + |
554 | + |
555 | + if (!sites_enabled) { |
556 | +@@ -205,7 +210,8 @@ |
557 | + srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, |
558 | + default_host_dbs, ad_options->id, |
559 | + hostname, ad_domain, |
560 | +- ad_site_override); |
561 | ++ ad_site_override, |
562 | ++ ad_use_ldaps); |
563 | + if (srv_ctx == NULL) { |
564 | + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); |
565 | + return ENOMEM; |
566 | +Index: sssd-2.2.3/src/providers/ad/ad_opts.c |
567 | +=================================================================== |
568 | +--- sssd-2.2.3.orig/src/providers/ad/ad_opts.c 2020-10-12 17:03:42.800491430 +1300 |
569 | ++++ sssd-2.2.3/src/providers/ad/ad_opts.c 2020-10-12 17:03:42.796491375 +1300 |
570 | +@@ -54,6 +54,7 @@ |
571 | + { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING }, |
572 | + { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER }, |
573 | + { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING }, |
574 | ++ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, |
575 | + DP_OPTION_TERMINATOR |
576 | + }; |
577 | + |
578 | +Index: sssd-2.2.3/src/providers/ad/ad_srv.c |
579 | +=================================================================== |
580 | +--- sssd-2.2.3.orig/src/providers/ad/ad_srv.c 2020-10-12 17:03:42.800491430 +1300 |
581 | ++++ sssd-2.2.3/src/providers/ad/ad_srv.c 2020-10-12 17:03:42.796491375 +1300 |
582 | +@@ -244,6 +244,7 @@ |
583 | + enum host_database *host_db; |
584 | + struct sdap_options *opts; |
585 | + const char *ad_domain; |
586 | ++ bool ad_use_ldaps; |
587 | + struct fo_server_info *dcs; |
588 | + size_t num_dcs; |
589 | + size_t dc_index; |
590 | +@@ -264,6 +265,7 @@ |
591 | + enum host_database *host_db, |
592 | + struct sdap_options *opts, |
593 | + const char *ad_domain, |
594 | ++ bool ad_use_ldaps, |
595 | + struct fo_server_info *dcs, |
596 | + size_t num_dcs) |
597 | + { |
598 | +@@ -288,6 +290,7 @@ |
599 | + state->host_db = host_db; |
600 | + state->opts = opts; |
601 | + state->ad_domain = ad_domain; |
602 | ++ state->ad_use_ldaps = ad_use_ldaps; |
603 | + state->dcs = dcs; |
604 | + state->num_dcs = num_dcs; |
605 | + |
606 | +@@ -331,8 +334,11 @@ |
607 | + subreq = sdap_connect_host_send(state, state->ev, state->opts, |
608 | + state->be_res->resolv, |
609 | + state->be_res->family_order, |
610 | +- state->host_db, "ldap", state->dc.host, |
611 | +- state->dc.port, false); |
612 | ++ state->host_db, |
613 | ++ state->ad_use_ldaps ? "ldaps" : "ldap", |
614 | ++ state->dc.host, |
615 | ++ state->ad_use_ldaps ? 636 : state->dc.port, |
616 | ++ false); |
617 | + if (subreq == NULL) { |
618 | + ret = ENOMEM; |
619 | + goto done; |
620 | +@@ -491,6 +497,7 @@ |
621 | + const char *ad_domain; |
622 | + const char *ad_site_override; |
623 | + const char *current_site; |
624 | ++ bool ad_use_ldaps; |
625 | + }; |
626 | + |
627 | + struct ad_srv_plugin_ctx * |
628 | +@@ -501,7 +508,8 @@ |
629 | + struct sdap_options *opts, |
630 | + const char *hostname, |
631 | + const char *ad_domain, |
632 | +- const char *ad_site_override) |
633 | ++ const char *ad_site_override, |
634 | ++ bool ad_use_ldaps) |
635 | + { |
636 | + struct ad_srv_plugin_ctx *ctx = NULL; |
637 | + errno_t ret; |
638 | +@@ -515,6 +523,7 @@ |
639 | + ctx->be_res = be_res; |
640 | + ctx->host_dbs = host_dbs; |
641 | + ctx->opts = opts; |
642 | ++ ctx->ad_use_ldaps = ad_use_ldaps; |
643 | + |
644 | + ctx->hostname = talloc_strdup(ctx, hostname); |
645 | + if (ctx->hostname == NULL) { |
646 | +@@ -714,6 +723,7 @@ |
647 | + state->ctx->host_dbs, |
648 | + state->ctx->opts, |
649 | + state->discovery_domain, |
650 | ++ state->ctx->ad_use_ldaps, |
651 | + dcs, num_dcs); |
652 | + if (subreq == NULL) { |
653 | + ret = ENOMEM; |
654 | +Index: sssd-2.2.3/src/providers/ad/ad_srv.h |
655 | +=================================================================== |
656 | +--- sssd-2.2.3.orig/src/providers/ad/ad_srv.h 2020-10-12 17:03:42.800491430 +1300 |
657 | ++++ sssd-2.2.3/src/providers/ad/ad_srv.h 2020-10-12 17:03:42.796491375 +1300 |
658 | +@@ -31,7 +31,8 @@ |
659 | + struct sdap_options *opts, |
660 | + const char *hostname, |
661 | + const char *ad_domain, |
662 | +- const char *ad_site_override); |
663 | ++ const char *ad_site_override, |
664 | ++ bool ad_use_ldaps); |
665 | + |
666 | + struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx, |
667 | + struct tevent_context *ev, |
668 | +Index: sssd-2.2.3/src/providers/ad/ad_subdomains.c |
669 | +=================================================================== |
670 | +--- sssd-2.2.3.orig/src/providers/ad/ad_subdomains.c 2020-10-12 17:03:42.800491430 +1300 |
671 | ++++ sssd-2.2.3/src/providers/ad/ad_subdomains.c 2020-10-12 17:03:42.800491430 +1300 |
672 | +@@ -282,6 +282,7 @@ |
673 | + bool use_kdcinfo = false; |
674 | + size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT; |
675 | + size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT; |
676 | ++ bool ad_use_ldaps = false; |
677 | + |
678 | + realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM); |
679 | + hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME); |
680 | +@@ -312,6 +313,21 @@ |
681 | + return ENOMEM; |
682 | + } |
683 | + |
684 | ++ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic, |
685 | ++ ad_options->basic, |
686 | ++ be_ctx->cdb, subdom_conf_path, |
687 | ++ AD_USE_LDAPS); |
688 | ++ if (ret != EOK) { |
689 | ++ DEBUG(SSSDBG_CRIT_FAILURE, |
690 | ++ "Failed to inherit option [%s] to sub-domain [%s]. " |
691 | ++ "This error is ignored but might cause issues or unexpected " |
692 | ++ "behavior later on.\n", |
693 | ++ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name, |
694 | ++ subdom->name); |
695 | ++ |
696 | ++ return ret; |
697 | ++ } |
698 | ++ |
699 | + ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic, |
700 | + ad_options->id->basic, |
701 | + be_ctx->cdb, subdom_conf_path, |
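Review bot: the error message and the control flow in the added ad_inherit_opts_if_needed(AD_USE_LDAPS) block contradict each other: the DEBUG text says "This error is ignored but might cause issues or unexpected behavior later on", yet the next statement is `return ret;`, so the error is not ignored and sub-domain setup aborts. Failing closed is the right choice for an option that decides whether the AD connection uses LDAPS, so keep the `return ret;` and reword the message to say that the sub-domain is not set up; whichever way it is resolved, the log text and the code should agree.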
702 | +@@ -344,6 +360,7 @@ |
703 | + |
704 | + servers = dp_opt_get_string(ad_options->basic, AD_SERVER); |
705 | + backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER); |
706 | ++ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS); |
707 | + |
708 | + if (id_ctx->ad_options->auth_ctx != NULL |
709 | + && id_ctx->ad_options->auth_ctx->opts != NULL) { |
710 | +@@ -362,7 +379,7 @@ |
711 | + |
712 | + ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers, |
713 | + subdom->realm, service_name, gc_service_name, |
714 | +- subdom->name, use_kdcinfo, |
715 | ++ subdom->name, use_kdcinfo, ad_use_ldaps, |
716 | + n_lookahead_primary, |
717 | + n_lookahead_backup, |
718 | + &ad_options->service); |
719 | +@@ -386,7 +403,7 @@ |
720 | + ad_id_ctx->ad_options->id, |
721 | + hostname, |
722 | + ad_domain, |
723 | +- ad_site_override); |
724 | ++ ad_site_override, ad_use_ldaps); |
725 | + if (srv_ctx == NULL) { |
726 | + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); |
727 | + return ENOMEM; |
728 | +Index: sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c |
729 | +=================================================================== |
730 | +--- sssd-2.2.3.orig/src/providers/ipa/ipa_subdomains_server.c 2020-10-12 17:03:42.800491430 +1300 |
731 | ++++ sssd-2.2.3/src/providers/ipa/ipa_subdomains_server.c 2020-10-12 17:03:42.800491430 +1300 |
732 | +@@ -319,7 +319,7 @@ |
733 | + ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers, |
734 | + subdom->realm, |
735 | + service_name, gc_service_name, |
736 | +- subdom->name, use_kdcinfo, |
737 | ++ subdom->name, use_kdcinfo, false, |
738 | + n_lookahead_primary, n_lookahead_backup, |
739 | + &ad_options->service); |
740 | + if (ret != EOK) { |
741 | +@@ -344,7 +344,7 @@ |
742 | + ad_id_ctx->ad_options->id, |
743 | + id_ctx->server_mode->hostname, |
744 | + ad_domain, |
745 | +- ad_site_override); |
746 | ++ ad_site_override, false); |
747 | + if (srv_ctx == NULL) { |
748 | + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); |
749 | + return ENOMEM; |
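Review bot: both hunks in ipa_subdomains_server.c hardcode `false` for the new ad_use_ldaps parameter (the ad_failover_init call and the ad_srv_plugin_ctx_init call), so ad_use_ldaps can never take effect for AD domains reached through an IPA trust in server mode. If that limitation is intended for this backport, a one-line comment at each call site would stop a later reader from treating it as an oversight; if it is not, the value should be read from the sub-domain's AD options the way ad_subdomains.c does in the hunk above.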
750 | diff --git a/debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch b/debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch |
751 | new file mode 100644 |
752 | index 0000000..52e11a7 |
753 | --- /dev/null |
754 | +++ b/debian/patches/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch |
755 | @@ -0,0 +1,174 @@ |
756 | +Description: ldap: add new option ldap_sasl_maxssf |
757 | +Author: Sumit Bose <sbose@redhat.com> |
758 | +From: Matthew Ruffell <matthew.ruffell@canonical.com> |
759 | +Origin: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5 |
760 | +Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 |
761 | +Bug-Ubuntu: https://launchpad.net/bugs/1868703 |
762 | + |
763 | +Index: sssd-2.2.3/src/config/SSSDConfig/__init__.py.in |
764 | +=================================================================== |
765 | +--- sssd-2.2.3.orig/src/config/SSSDConfig/__init__.py.in 2020-10-12 17:03:58.900712608 +1300 |
766 | ++++ sssd-2.2.3/src/config/SSSDConfig/__init__.py.in 2020-10-12 17:03:58.896712553 +1300 |
767 | +@@ -305,6 +305,7 @@ |
768 | + 'ldap_sasl_authid' : _('Specify the sasl authorization id to use'), |
769 | + 'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'), |
770 | + 'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'), |
771 | ++ 'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'), |
772 | + 'ldap_krb5_keytab' : _('Kerberos service keytab'), |
773 | + 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'), |
774 | + 'ldap_referrals' : _('Follow LDAP referrals'), |
775 | +Index: sssd-2.2.3/src/config/cfg_rules.ini |
776 | +=================================================================== |
777 | +--- sssd-2.2.3.orig/src/config/cfg_rules.ini 2020-10-12 17:03:58.900712608 +1300 |
778 | ++++ sssd-2.2.3/src/config/cfg_rules.ini 2020-10-12 17:03:58.896712553 +1300 |
779 | +@@ -663,6 +663,7 @@ |
780 | + option = ldap_sasl_canonicalize |
781 | + option = ldap_sasl_mech |
782 | + option = ldap_sasl_minssf |
783 | ++option = ldap_sasl_maxssf |
784 | + option = ldap_schema |
785 | + option = ldap_pwmodify_mode |
786 | + option = ldap_search_base |
787 | +Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf |
788 | +=================================================================== |
789 | +--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-12 17:03:58.900712608 +1300 |
790 | ++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ad.conf 2020-10-12 17:03:58.896712553 +1300 |
791 | +@@ -41,6 +41,7 @@ |
792 | + ldap_sasl_mech = str, None, false |
793 | + ldap_sasl_authid = str, None, false |
794 | + ldap_sasl_minssf = int, None, false |
795 | ++ldap_sasl_maxssf = int, None, false |
796 | + krb5_kdcip = str, None, false |
797 | + krb5_server = str, None, false |
798 | + krb5_backup_server = str, None, false |
799 | +Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf |
800 | +=================================================================== |
801 | +--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ipa.conf 2020-10-12 17:03:58.900712608 +1300 |
802 | ++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ipa.conf 2020-10-12 17:03:58.896712553 +1300 |
803 | +@@ -32,6 +32,7 @@ |
804 | + ldap_sasl_mech = str, None, false |
805 | + ldap_sasl_authid = str, None, false |
806 | + ldap_sasl_minssf = int, None, false |
807 | ++ldap_sasl_maxssf = int, None, false |
808 | + krb5_kdcip = str, None, false |
809 | + krb5_server = str, None, false |
810 | + krb5_backup_server = str, None, false |
811 | +Index: sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf |
812 | +=================================================================== |
813 | +--- sssd-2.2.3.orig/src/config/etc/sssd.api.d/sssd-ldap.conf 2020-10-12 17:03:58.900712608 +1300 |
814 | ++++ sssd-2.2.3/src/config/etc/sssd.api.d/sssd-ldap.conf 2020-10-12 17:03:58.896712553 +1300 |
815 | +@@ -35,6 +35,7 @@ |
816 | + ldap_deref_threshold = int, None, false |
817 | + ldap_sasl_canonicalize = bool, None, false |
818 | + ldap_sasl_minssf = int, None, false |
819 | ++ldap_sasl_maxssf = int, None, false |
820 | + ldap_connection_expire_timeout = int, None, false |
821 | + ldap_disable_paging = bool, None, false |
822 | + ldap_disable_range_retrieval = bool, None, false |
823 | +Index: sssd-2.2.3/src/man/sssd-ldap.5.xml |
824 | +=================================================================== |
825 | +--- sssd-2.2.3.orig/src/man/sssd-ldap.5.xml 2020-10-12 17:03:58.900712608 +1300 |
826 | ++++ sssd-2.2.3/src/man/sssd-ldap.5.xml 2020-10-12 17:03:58.896712553 +1300 |
827 | +@@ -594,6 +594,22 @@ |
828 | + </varlistentry> |
829 | + |
830 | + <varlistentry> |
831 | ++ <term>ldap_sasl_maxssf (integer)</term> |
832 | ++ <listitem> |
833 | ++ <para> |
834 | ++ When communicating with an LDAP server using SASL, |
835 | ++ specify the maximal security level necessary to |
836 | ++ establish the connection. The values of this |
837 | ++ option are defined by OpenLDAP. |
838 | ++ </para> |
839 | ++ <para> |
840 | ++ Default: Use the system default (usually specified |
841 | ++ by ldap.conf) |
842 | ++ </para> |
843 | ++ </listitem> |
844 | ++ </varlistentry> |
845 | ++ |
846 | ++ <varlistentry> |
847 | + <term>ldap_deref_threshold (integer)</term> |
848 | + <listitem> |
849 | + <para> |
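Review bot: the man page text for ldap_sasl_maxssf says "the maximal security level necessary to establish the connection", which reads as a requirement, while a maximum is a ceiling. Suggest "the maximal security level (SSF) that may be negotiated for the connection", and since the option is the counterpart of ldap_sasl_minssf directly above it, say what happens when the value is lower than ldap_sasl_minssf. It would also help to note that ad_use_ldaps overrides both values (see lp-1868703-04 in this series), otherwise an administrator who sets ldap_sasl_maxssf together with ad_use_ldaps will wonder why the setting has no effect.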
850 | +Index: sssd-2.2.3/src/providers/ad/ad_opts.c |
851 | +=================================================================== |
852 | +--- sssd-2.2.3.orig/src/providers/ad/ad_opts.c 2020-10-12 17:03:58.900712608 +1300 |
853 | ++++ sssd-2.2.3/src/providers/ad/ad_opts.c 2020-10-12 17:03:58.896712553 +1300 |
854 | +@@ -105,6 +105,7 @@ |
855 | + { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
856 | + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
857 | + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, |
858 | ++ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, |
859 | + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
860 | + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, |
861 | + /* use the same parm name as the krb5 module so we set it only once */ |
862 | +Index: sssd-2.2.3/src/providers/ipa/ipa_opts.c |
863 | +=================================================================== |
864 | +--- sssd-2.2.3.orig/src/providers/ipa/ipa_opts.c 2020-10-12 17:03:58.900712608 +1300 |
865 | ++++ sssd-2.2.3/src/providers/ipa/ipa_opts.c 2020-10-12 17:03:58.896712553 +1300 |
866 | +@@ -114,6 +114,7 @@ |
867 | + { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
868 | + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
869 | + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER }, |
870 | ++ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, |
871 | + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
872 | + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, |
873 | + /* use the same parm name as the krb5 module so we set it only once */ |
874 | +Index: sssd-2.2.3/src/providers/ldap/ldap_opts.c |
875 | +=================================================================== |
876 | +--- sssd-2.2.3.orig/src/providers/ldap/ldap_opts.c 2020-10-12 17:03:58.900712608 +1300 |
877 | ++++ sssd-2.2.3/src/providers/ldap/ldap_opts.c 2020-10-12 17:03:58.900712608 +1300 |
878 | +@@ -74,6 +74,7 @@ |
879 | + { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
880 | + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
881 | + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, |
882 | ++ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, |
883 | + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
884 | + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, |
885 | + /* use the same parm name as the krb5 module so we set it only once */ |
886 | +Index: sssd-2.2.3/src/providers/ldap/sdap.h |
887 | +=================================================================== |
888 | +--- sssd-2.2.3.orig/src/providers/ldap/sdap.h 2020-10-12 17:03:58.900712608 +1300 |
889 | ++++ sssd-2.2.3/src/providers/ldap/sdap.h 2020-10-12 17:03:58.900712608 +1300 |
890 | +@@ -192,6 +192,7 @@ |
891 | + SDAP_SASL_AUTHID, |
892 | + SDAP_SASL_REALM, |
893 | + SDAP_SASL_MINSSF, |
894 | ++ SDAP_SASL_MAXSSF, |
895 | + SDAP_KRB5_KEYTAB, |
896 | + SDAP_KRB5_KINIT, |
897 | + SDAP_KRB5_KDC, |
898 | +Index: sssd-2.2.3/src/providers/ldap/sdap_async_connection.c |
899 | +=================================================================== |
900 | +--- sssd-2.2.3.orig/src/providers/ldap/sdap_async_connection.c 2020-10-12 17:03:58.900712608 +1300 |
901 | ++++ sssd-2.2.3/src/providers/ldap/sdap_async_connection.c 2020-10-12 17:03:58.900712608 +1300 |
902 | +@@ -148,6 +148,8 @@ |
903 | + const char *sasl_mech; |
904 | + int sasl_minssf; |
905 | + ber_len_t ber_sasl_minssf; |
906 | ++ int sasl_maxssf; |
907 | ++ ber_len_t ber_sasl_maxssf; |
908 | + |
909 | + ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd); |
910 | + talloc_zfree(subreq); |
911 | +@@ -291,6 +293,18 @@ |
912 | + goto fail; |
913 | + } |
914 | + } |
915 | ++ |
916 | ++ sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF); |
917 | ++ if (sasl_maxssf >= 0) { |
918 | ++ ber_sasl_maxssf = (ber_len_t)sasl_maxssf; |
919 | ++ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX, |
920 | ++ &ber_sasl_maxssf); |
921 | ++ if (lret != LDAP_OPT_SUCCESS) { |
922 | ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option " |
923 | ++ "to %d\n", sasl_maxssf); |
924 | ++ goto fail; |
925 | ++ } |
926 | ++ } |
927 | + } |
928 | + |
929 | + /* if we do not use start_tls the connection is not really connected yet |
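Review bot: the failure path of the new maxssf block logs only the requested value ("Failed to set LDAP MAX SSF option to %d") and not why libldap rejected it; adding `ldap_err2string(lret)` to the DEBUG call would make a bad value diagnosable from the log alone. The `sasl_maxssf >= 0` guard is correct: it leaves LDAP_OPT_X_SASL_SSF_MAX untouched for the -1 default that the *_opts.c tables in this same patch use, so the system default from ldap.conf (as the man page hunk states) keeps applying unless ldap_sasl_maxssf is set explicitly.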
930 | diff --git a/debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch b/debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch |
931 | new file mode 100644 |
932 | index 0000000..d750386 |
933 | --- /dev/null |
934 | +++ b/debian/patches/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch |
935 | @@ -0,0 +1,68 @@ |
936 | +Description: ad: set min and max ssf for ldaps |
937 | +Author: Sumit Bose <sbose@redhat.com> |
938 | +From: Matthew Ruffell <matthew.ruffell@canonical.com> |
939 | +Origin: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
940 | +Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 |
941 | +Bug-Ubuntu: https://launchpad.net/bugs/1868703 |
942 | + |
943 | +--- a/src/providers/ad/ad_common.c |
944 | ++++ b/src/providers/ad/ad_common.c |
945 | +@@ -1021,6 +1021,23 @@ |
946 | + return; |
947 | + } |
948 | + |
949 | ++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts) |
950 | ++{ |
951 | ++ int ret; |
952 | ++ |
953 | ++ DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n"); |
954 | ++ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0); |
955 | ++ if (ret != EOK) { |
956 | ++ DEBUG(SSSDBG_CRIT_FAILURE, |
957 | ++ "Failed to set SASL minssf for ldaps usage, ignored.\n"); |
958 | ++ } |
959 | ++ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0); |
960 | ++ if (ret != EOK) { |
961 | ++ DEBUG(SSSDBG_CRIT_FAILURE, |
962 | ++ "Failed to set SASL maxssf for ldaps usage, ignored.\n"); |
963 | ++ } |
964 | ++} |
965 | ++ |
966 | + static errno_t |
967 | + ad_set_sdap_options(struct ad_options *ad_opts, |
968 | + struct sdap_options *id_opts) |
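Review bot: ad_set_ssf_for_ldaps() overwrites SDAP_SASL_MINSSF and SDAP_SASL_MAXSSF with 0 unconditionally and reports it only at SSSDBG_TRACE_ALL, so an administrator who configured ldap_sasl_minssf explicitly and then enables ad_use_ldaps gets a silent downgrade to "no SASL security layer" (SSF 0), with the TLS session alone protecting the connection. The function needs a comment stating why 0 is required for the LDAPS case, and the override should be logged at SSSDBG_CONF_SETTINGS or higher when it replaces a non-default value, i.e. when the current minssf/maxssf is not -1. The two failures are logged and then ignored; that is acceptable here, since the connection code still applies whatever values remain, but the comment should say so.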
969 | +@@ -1079,6 +1096,10 @@ |
970 | + goto done; |
971 | + } |
972 | + |
973 | ++ if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) { |
974 | ++ ad_set_ssf_for_ldaps(id_opts); |
975 | ++ } |
976 | ++ |
977 | + /* Warn if the user is doing something silly like overriding the schema |
978 | + * with the AD provider |
979 | + */ |
980 | +--- a/src/providers/ad/ad_common.h |
981 | ++++ b/src/providers/ad/ad_common.h |
982 | +@@ -181,6 +181,8 @@ |
983 | + ad_get_dyndns_options(struct be_ctx *be_ctx, |
984 | + struct ad_options *ad_opts); |
985 | + |
986 | ++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts); |
987 | ++ |
988 | + struct ad_id_ctx * |
989 | + ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx); |
990 | + |
991 | +--- a/src/providers/ad/ad_subdomains.c |
992 | ++++ b/src/providers/ad/ad_subdomains.c |
993 | +@@ -328,6 +328,10 @@ |
994 | + return ret; |
995 | + } |
996 | + |
997 | ++ if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) { |
998 | ++ ad_set_ssf_for_ldaps(ad_options->id); |
999 | ++ } |
1000 | ++ |
1001 | + ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic, |
1002 | + ad_options->id->basic, |
1003 | + be_ctx->cdb, subdom_conf_path, |
1004 | diff --git a/debian/patches/series b/debian/patches/series |
1005 | index 9ec26db..4b402cf 100644 |
1006 | --- a/debian/patches/series |
1007 | +++ b/debian/patches/series |
1008 | @@ -2,3 +2,7 @@ fix-python3.8-ftbfs.diff |
1009 | fix-whitespace-test.diff |
1010 | default-to-socket-activated-services.diff |
1011 | fix-946847.diff |
1012 | +lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch |
1013 | +lp-1868703-02-ad-add-ad_use_ldaps.patch |
1014 | +lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch |
1015 | +lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch |
1016 | diff --git a/debian/rules b/debian/rules |
1017 | old mode 100755 |
1018 | new mode 100644 |
1019 | index b5d46e2..02a0b29 |
1020 | --- a/debian/rules |
1021 | +++ b/debian/rules |
1022 | @@ -34,6 +34,7 @@ override_dh_auto_configure: |
1023 | --disable-static \ |
1024 | --disable-rpath \ |
1025 | --with-autofs \ |
1026 | + --with-crypto=libcrypto \ |
1027 | --with-ssh \ |
1028 | --with-initscript=systemd \ |
1029 | --with-systemdunitdir=/lib/systemd/system \ |
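Review bot: the file header for debian/rules shows "old mode 100755" / "new mode 100644", i.e. this change drops the executable bit from debian/rules. That is unrelated to the --with-crypto=libcrypto switch and almost certainly accidental (dpkg-buildpackage invokes debian/rules directly and warns when it is not executable); restore the mode before merging so the diff only carries the intended configure change.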
1030 | @@ -42,6 +43,14 @@ override_dh_auto_configure: |
1031 | --without-python2-bindings \ |
1032 | --with-sudo |
1033 | |
1034 | +override_dh_auto_build: |
1035 | + dh_auto_build |
1036 | + |
1037 | + mkdir -p $(CURDIR)/debian/build |
1038 | + $(CC) $(CURDIR)/debian/nss-database-pem-exporter/nss-database-pem-exporter.c \ |
1039 | + $(shell pkg-config --cflags --libs nss) -o \ |
1040 | + $(CURDIR)/debian/build/nss-database-pem-exporter |
1041 | + |
1042 | override_dh_auto_test: |
1043 | export CK_TIMEOUT_MULTIPLIER=10 |
1044 | dh_auto_test -- VERBOSE=yes |
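Review bot: the added override_dh_auto_build compiles nss-database-pem-exporter with a bare `$(CC)` plus the pkg-config output, so none of the dpkg-buildflags hardening flags that dpkg-buildpackage exports (CPPFLAGS/CFLAGS/LDFLAGS, e.g. -D_FORTIFY_SOURCE=2, -fstack-protector-strong, -Wl,-z,relro) reach a helper that the postinst runs as root over an NSS database. Use `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) <source> $(shell pkg-config --cflags --libs nss) -o ...`, keeping the library flags after the source file as they are now, or hook the tool into the package's own build so the normal toolchain handling applies.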
1045 | @@ -50,6 +59,9 @@ override_dh_auto_test: |
1046 | override_dh_auto_install: |
1047 | dh_auto_install --max-parallel=1 |
1048 | |
1049 | + install -m755 -D $(CURDIR)/debian/build/nss-database-pem-exporter \ |
1050 | + -t $(CURDIR)/debian/tmp/usr/libexec/sssd/ |
1051 | + |
1052 | override_dh_fixperms: |
1053 | dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child |
1054 | |
1055 | @@ -102,3 +114,4 @@ override_dh_auto_clean: |
1056 | rm -f $(CURDIR)/src/config/*.pyc |
1057 | rm -f $(CURDIR)/po/stamp-po |
1058 | rm -f $(CURDIR)/src/sbus/codegen/__pycache__/*.pyc |
1059 | + rm -rf $(CURDIR)/debian/build |
1060 | diff --git a/debian/sssd-common.install b/debian/sssd-common.install |
1061 | index e0f8ad4..fafdab6 100644 |
1062 | --- a/debian/sssd-common.install |
1063 | +++ b/debian/sssd-common.install |
1064 | @@ -40,6 +40,7 @@ usr/lib/*/sssd/libsss_util.so |
1065 | usr/lib/*/sssd/modules/libsss_autofs.so |
1066 | usr/lib/*/sssd/modules/sssd_krb5_localauth_plugin.so |
1067 | usr/libexec/sssd/p11_child |
1068 | +usr/libexec/sssd/nss-database-pem-exporter |
1069 | usr/libexec/sssd/sss_signal |
1070 | usr/libexec/sssd/sssd_autofs |
1071 | usr/libexec/sssd/sssd_be |
1072 | diff --git a/debian/sssd-common.postinst b/debian/sssd-common.postinst |
1073 | index 295d6a2..6074752 100644 |
1074 | --- a/debian/sssd-common.postinst |
1075 | +++ b/debian/sssd-common.postinst |
1076 | @@ -20,6 +20,46 @@ set -e |
1077 | OUT=/dev/null |
1078 | HOME=/var/lib/sss |
1079 | LIBDIR=/usr/libexec/sssd |
1080 | +CA_CERTS_NSSDB=/etc/pki/nssdb |
1081 | +CA_CERTS_CHAIN=/etc/sssd/pki/sssd_auth_ca_db.pem |
1082 | + |
1083 | +get_config_value() |
1084 | +{ |
1085 | + if [ ! -f /etc/sssd/sssd.conf ]; then |
1086 | + return 0 |
1087 | + fi |
1088 | + |
1089 | + awk -F '=' '{if (! ($0 ~ /^;/) && ! ($0 ~ /^#/) && $0 ~ /'"$1"'/) print $2}' \ |
1090 | + /etc/sssd/sssd.conf | tr -d ' ' | tail -n1 |
1091 | +} |
1092 | + |
1093 | +is_pem_file() |
1094 | +{ |
1095 | + [ -f "$1" ] && \ |
1096 | + grep -qsI -- "-----BEGIN CERTIFICATE-----" "$1" && \ |
1097 | + grep -qsI -- "-----END CERTIFICATE-----" "$1" |
1098 | +} |
1099 | + |
1100 | +import_nss_ca_certs() |
1101 | +{ |
1102 | + nssdb="$1" |
1103 | + |
1104 | + if is_pem_file "$nssdb"; then |
1105 | + return 1 |
1106 | + fi |
1107 | + |
1108 | + if [ -n "$nssdb" ]; then |
1109 | + echo "Importing $nssdb CA certificates to $CA_CERTS_CHAIN" |
1110 | + env NSS_DATABASE="$nssdb" \ |
1111 | + $LIBDIR/nss-database-pem-exporter >> "$CA_CERTS_CHAIN" |
1112 | + fi |
1113 | +} |
1114 | + |
1115 | +disable_setting() |
1116 | +{ |
1117 | + echo "Disabling sssd.conf setting using invalid value: '$1'" |
1118 | + sed -i 's/^[^#;]*'"$1"'\b/#&/' /etc/sssd/sssd.conf || true |
1119 | +} |
1120 | |
1121 | case "$1" in |
1122 | configure) |
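Review bot: get_config_value() matches the key anywhere in the line with an unanchored awk regex (`$0 ~ /key/`), so `get_config_value ca_db` also matches any line whose value merely contains that string, and `-F '='` with `print $2` truncates a value that contains a second `=`. Anchor the match to the key column and print everything after the first `=`, e.g. `$1 ~ /^[[:space:]]*ca_db[[:space:]]*$/ { sub(/^[^=]*=/, ""); print }`. Separately, import_nss_ca_certs() returns 0 when called with an empty path, because the final `if [ -n "$nssdb" ]` simply does not run and the function ends with status 0; the caller in the configure block reads that as "migrated", so return 1 for the empty-path case.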
1123 | @@ -41,6 +81,7 @@ case "$1" in |
1124 | /etc/sssd \ |
1125 | /var/log/sssd |
1126 | chown root:sssd $LIBDIR/p11_child |
1127 | + chown root:sssd $LIBDIR/nss-database-pem-exporter |
1128 | |
1129 | chmod 4754 $LIBDIR/p11_child |
1130 | chmod 755 $HOME/gpo_cache $HOME/mc $HOME/pipes $HOME/pubconf |
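Review bot: `chown root:sssd $LIBDIR/nss-database-pem-exporter` mirrors the p11_child line above it but has no effect here: debian/rules installs the tool with mode 755 and the following `chmod 4754` applies only to p11_child, so group ownership does not restrict who can run it. Either drop the chown, or, since the postinst is its only caller, install it as 0750 root:root so the helper is not world-executable.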
1131 | @@ -52,6 +93,29 @@ case "$1" in |
1132 | chown root:root /etc/sssd/sssd.conf |
1133 | chmod 0600 /etc/sssd/sssd.conf |
1134 | fi |
1135 | + |
1136 | + if dpkg --compare-versions "$2" lt-nl 2.2.3-3ubuntu0.2; then |
1137 | + # When upgrading (only), we may need to migrate the NSS |
1138 | + # database entries |
1139 | + ca_db=$(get_config_value ca_db) |
1140 | + pam_cert_db_path=$(get_config_value pam_cert_db_path) |
1141 | + |
1142 | + mkdir -p -m711 "$(dirname "$CA_CERTS_CHAIN")" |
1143 | + |
1144 | + nss_db="$ca_db" |
1145 | + [ -z "$nss_db" ] && [ -d "$CA_CERTS_NSSDB" ] && nss_db="$CA_CERTS_NSSDB" |
1146 | + |
1147 | + if import_nss_ca_certs "$nss_db"; then |
1148 | + [ "$nss_db" = "$ca_db" ] && \ |
1149 | + disable_setting 'ca_db' |
1150 | + fi |
1151 | + |
1152 | + if [ "$pam_cert_db_path" != "$nss_db" ]; then |
1153 | + if import_nss_ca_certs "$pam_cert_db_path"; then |
1154 | + disable_setting 'pam_cert_db_path' |
1155 | + fi |
1156 | + fi |
1157 | + fi |
1158 | ;; |
1159 | |
1160 | abort-upgrade|abort-remove|abort-deconfigure) |
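Review bot: the migration block treats "nothing imported" as success. When ca_db is unset and /etc/pki/nssdb does not exist, nss_db is empty, import_nss_ca_certs "" returns 0 and `[ "$nss_db" = "$ca_db" ]` compares two empty strings, so disable_setting 'ca_db' runs and prints "Disabling sssd.conf setting using invalid value: 'ca_db'" on a system that never set it; the same happens for pam_cert_db_path whenever it is unset, which is the common case. Guard both calls with `[ -n "$nss_db" ]` and `[ -n "$pam_cert_db_path" ]` (or make import_nss_ca_certs fail on an empty path). Also, the exporter output is appended with `>>` directly to $CA_CERTS_CHAIN, so a run that fails half-way leaves a partial chain in place and a retried configure appends a second copy; write to a temporary file and move it into place only when the exporter exits 0. Finally, the `lt-nl 2.2.3-3ubuntu0.2` guard must match the version in debian/changelog exactly, otherwise the migration silently never runs.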