Linux-NFS Archive on lore.kernel.org
 help / color / Atom feed
* [nfs-utils:nfsidmap PATCH] Add LDAP_tls_reqcert tunable to idmapd.conf.
@ 2019-05-22 12:05 Srikrishan Malik
  2019-05-23 13:54 ` Steve Dickson
  0 siblings, 1 reply; 4+ messages in thread
From: Srikrishan Malik @ 2019-05-22 12:05 UTC (permalink / raw)
  To: unlisted-recipients:; (no To-header on input); +Cc: linux-nfs, Srikrishan Malik

This tunable will control the checks on server certs for a TLS session
similar to ldap.conf(5).
LDAP_ca_cert can be skipped if LDAP_tls_reqcert is set to "never"

Signed-off-by: Srikrishan Malik <srikrishanmalik@gmail.com>
---
 support/nfsidmap/umich_ldap.c | 57 +++++++++++++++++++++++++++++------
 1 file changed, 47 insertions(+), 10 deletions(-)

diff --git a/support/nfsidmap/umich_ldap.c b/support/nfsidmap/umich_ldap.c
index 10d1d979..b7445c37 100644
--- a/support/nfsidmap/umich_ldap.c
+++ b/support/nfsidmap/umich_ldap.c
@@ -100,6 +100,7 @@ struct umich_ldap_info {
 	char *passwd;		/* Password to use when binding to directory */
 	int use_ssl;		/* SSL flag */
 	char *ca_cert;		/* File location of the ca_cert */
+	int tls_reqcert;	/* req and validate server cert */
 	int memberof_for_groups;/* Use 'memberof' attribute when
 				   looking up user groups */
 	int ldap_timeout;	/* Timeout in seconds for searches
@@ -118,6 +119,7 @@ static struct umich_ldap_info ldap_info = {
 	.passwd = NULL,
 	.use_ssl = 0,
 	.ca_cert = NULL,
+	.tls_reqcert = LDAP_OPT_X_TLS_HARD,
 	.memberof_for_groups = 0,
 	.ldap_timeout = DEFAULT_UMICH_SEARCH_TIMEOUT,
 };
@@ -153,7 +155,7 @@ ldap_init_and_bind(LDAP **pld,
 	LDAPAPIInfo apiinfo = {.ldapai_info_version = LDAP_API_INFO_VERSION};
 
 	snprintf(server_url, sizeof(server_url), "%s://%s:%d",
-		 (linfo->use_ssl && linfo->ca_cert) ? "ldaps" : "ldap",
+		 (linfo->use_ssl) ? "ldaps" : "ldap",
 		 linfo->server, linfo->port);
 
 	/*
@@ -208,9 +210,8 @@ ldap_init_and_bind(LDAP **pld,
 	}
 
 	/* Set option to to use SSL/TLS if requested */
-	if (linfo->use_ssl && linfo->ca_cert) {
+	if (linfo->use_ssl) {
 		int tls_type = LDAP_OPT_X_TLS_HARD;
-
 		lerr = ldap_set_option(ld, LDAP_OPT_X_TLS, &tls_type);
 		if (lerr != LDAP_SUCCESS) {
 			IDMAP_LOG(2, ("ldap_init_and_bind: setting SSL "
@@ -218,11 +219,23 @@ ldap_init_and_bind(LDAP **pld,
 				  ldap_err2string(lerr), lerr));
 			goto out;
 		}
-		lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
-				       linfo->ca_cert);
+
+		if (linfo->ca_cert != NULL) {
+			lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
+					       linfo->ca_cert);
+			if (lerr != LDAP_SUCCESS) {
+				IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
+					  "certificate file failed : %s (%d)",
+					  ldap_err2string(lerr), lerr));
+				goto out;
+			}
+		}
+
+		lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+				       &linfo->tls_reqcert);
 		if (lerr != LDAP_SUCCESS) {
-			IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
-				  "certificate file failed : %s (%d)",
+			IDMAP_LOG(2, ("ldap_init_and_bind: setting "
+				      "req CA cert failed : %s(%d)",
 				  ldap_err2string(lerr), lerr));
 			goto out;
 		}
@@ -1098,7 +1111,7 @@ out_err:
 static int
 umichldap_init(void)
 {
-	char *tssl, *canonicalize, *memberof;
+	char *tssl, *canonicalize, *memberof, *cert_req;
 	char missing_msg[128] = "";
 	char *server_in, *canon_name;
 
@@ -1119,6 +1132,24 @@ umichldap_init(void)
 	else
 		ldap_info.use_ssl = 0;
 	ldap_info.ca_cert = conf_get_str(LDAP_SECTION, "LDAP_CA_CERT");
+	cert_req = conf_get_str(LDAP_SECTION, "LDAP_tls_reqcert");
+	if (cert_req != NULL) {
+		if (strcasecmp(cert_req, "hard") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_HARD;
+		else if (strcasecmp(cert_req, "demand") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_DEMAND;
+		else if (strcasecmp(cert_req, "try") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_TRY;
+		else if (strcasecmp(cert_req, "allow") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_ALLOW;
+		else if (strcasecmp(cert_req, "never") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_NEVER;
+		else {
+			IDMAP_LOG(0, ("umichldap_init: Invalid value(%s) for "
+				      "LDAP_tls_reqcert."));
+			goto fail;
+		}
+	}
 	/* vary the default port depending on whether they use SSL or not */
 	ldap_info.port = conf_get_num(LDAP_SECTION, "LDAP_port",
 				      (ldap_info.use_ssl) ?
@@ -1230,9 +1261,12 @@ umichldap_init(void)
 	if (ldap_info.group_tree == NULL || strlen(ldap_info.group_tree) == 0)
 		ldap_info.group_tree = ldap_info.base;
 
-	if (ldap_info.use_ssl && ldap_info.ca_cert == NULL) {
+	if (ldap_info.use_ssl &&
+	    ldap_info.tls_reqcert != LDAP_OPT_X_TLS_NEVER &&
+	    ldap_info.ca_cert == NULL) {
 		IDMAP_LOG(0, ("umichldap_init: You must specify LDAP_ca_cert "
-			  "with LDAP_use_ssl=yes"));
+			  "with LDAP_use_ssl=yes and "
+			  "LDAP_tls_reqcert not set to \"never\""));
 		goto fail;
 	}
 
@@ -1257,6 +1291,9 @@ umichldap_init(void)
 		  ldap_info.use_ssl ? "yes" : "no"));
 	IDMAP_LOG(1, ("umichldap_init: ca_cert : %s",
 		  ldap_info.ca_cert ? ldap_info.ca_cert : "<not-supplied>"));
+	IDMAP_LOG(1, ("umichldap_init: tls_reqcert : %s(%d)",
+		  cert_req ? cert_req : "<not-supplied>",
+		  ldap_info.tls_reqcert));
 	IDMAP_LOG(1, ("umichldap_init: use_memberof_for_groups : %s",
 		  ldap_info.memberof_for_groups ? "yes" : "no"));
 
-- 
2.21.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [nfs-utils:nfsidmap PATCH] Add LDAP_tls_reqcert tunable to idmapd.conf.
  2019-05-22 12:05 [nfs-utils:nfsidmap PATCH] Add LDAP_tls_reqcert tunable to idmapd.conf Srikrishan Malik
@ 2019-05-23 13:54 ` Steve Dickson
  2019-05-23 16:10   ` [nfs-utils:nfsidmap PATCH v2] " Srikrishan Malik
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Dickson @ 2019-05-23 13:54 UTC (permalink / raw)
  To: Srikrishan Malik; +Cc: linux-nfs

Hello Srikrishan,

On 5/22/19 8:05 AM, Srikrishan Malik wrote:
> This tunable will control the checks on server certs for a TLS session
> similar to ldap.conf(5).
> LDAP_ca_cert can be skipped if LDAP_tls_reqcert is set to "never"
> 
> Signed-off-by: Srikrishan Malik <srikrishanmalik@gmail.com>
Would it be possible to added LDAP_tls_reqcert to idmap.conf, 
commented out and explaining what it does? Similar to the other 
commented out LDAP variables in that file.

steved.

> ---
>  support/nfsidmap/umich_ldap.c | 57 +++++++++++++++++++++++++++++------
>  1 file changed, 47 insertions(+), 10 deletions(-)
> 
> diff --git a/support/nfsidmap/umich_ldap.c b/support/nfsidmap/umich_ldap.c
> index 10d1d979..b7445c37 100644
> --- a/support/nfsidmap/umich_ldap.c
> +++ b/support/nfsidmap/umich_ldap.c
> @@ -100,6 +100,7 @@ struct umich_ldap_info {
>  	char *passwd;		/* Password to use when binding to directory */
>  	int use_ssl;		/* SSL flag */
>  	char *ca_cert;		/* File location of the ca_cert */
> +	int tls_reqcert;	/* req and validate server cert */
>  	int memberof_for_groups;/* Use 'memberof' attribute when
>  				   looking up user groups */
>  	int ldap_timeout;	/* Timeout in seconds for searches
> @@ -118,6 +119,7 @@ static struct umich_ldap_info ldap_info = {
>  	.passwd = NULL,
>  	.use_ssl = 0,
>  	.ca_cert = NULL,
> +	.tls_reqcert = LDAP_OPT_X_TLS_HARD,
>  	.memberof_for_groups = 0,
>  	.ldap_timeout = DEFAULT_UMICH_SEARCH_TIMEOUT,
>  };
> @@ -153,7 +155,7 @@ ldap_init_and_bind(LDAP **pld,
>  	LDAPAPIInfo apiinfo = {.ldapai_info_version = LDAP_API_INFO_VERSION};
>  
>  	snprintf(server_url, sizeof(server_url), "%s://%s:%d",
> -		 (linfo->use_ssl && linfo->ca_cert) ? "ldaps" : "ldap",
> +		 (linfo->use_ssl) ? "ldaps" : "ldap",
>  		 linfo->server, linfo->port);
>  
>  	/*
> @@ -208,9 +210,8 @@ ldap_init_and_bind(LDAP **pld,
>  	}
>  
>  	/* Set option to to use SSL/TLS if requested */
> -	if (linfo->use_ssl && linfo->ca_cert) {
> +	if (linfo->use_ssl) {
>  		int tls_type = LDAP_OPT_X_TLS_HARD;
> -
>  		lerr = ldap_set_option(ld, LDAP_OPT_X_TLS, &tls_type);
>  		if (lerr != LDAP_SUCCESS) {
>  			IDMAP_LOG(2, ("ldap_init_and_bind: setting SSL "
> @@ -218,11 +219,23 @@ ldap_init_and_bind(LDAP **pld,
>  				  ldap_err2string(lerr), lerr));
>  			goto out;
>  		}
> -		lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
> -				       linfo->ca_cert);
> +
> +		if (linfo->ca_cert != NULL) {
> +			lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
> +					       linfo->ca_cert);
> +			if (lerr != LDAP_SUCCESS) {
> +				IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
> +					  "certificate file failed : %s (%d)",
> +					  ldap_err2string(lerr), lerr));
> +				goto out;
> +			}
> +		}
> +
> +		lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
> +				       &linfo->tls_reqcert);
>  		if (lerr != LDAP_SUCCESS) {
> -			IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
> -				  "certificate file failed : %s (%d)",
> +			IDMAP_LOG(2, ("ldap_init_and_bind: setting "
> +				      "req CA cert failed : %s(%d)",
>  				  ldap_err2string(lerr), lerr));
>  			goto out;
>  		}
> @@ -1098,7 +1111,7 @@ out_err:
>  static int
>  umichldap_init(void)
>  {
> -	char *tssl, *canonicalize, *memberof;
> +	char *tssl, *canonicalize, *memberof, *cert_req;
>  	char missing_msg[128] = "";
>  	char *server_in, *canon_name;
>  
> @@ -1119,6 +1132,24 @@ umichldap_init(void)
>  	else
>  		ldap_info.use_ssl = 0;
>  	ldap_info.ca_cert = conf_get_str(LDAP_SECTION, "LDAP_CA_CERT");
> +	cert_req = conf_get_str(LDAP_SECTION, "LDAP_tls_reqcert");
> +	if (cert_req != NULL) {
> +		if (strcasecmp(cert_req, "hard") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_HARD;
> +		else if (strcasecmp(cert_req, "demand") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_DEMAND;
> +		else if (strcasecmp(cert_req, "try") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_TRY;
> +		else if (strcasecmp(cert_req, "allow") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_ALLOW;
> +		else if (strcasecmp(cert_req, "never") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_NEVER;
> +		else {
> +			IDMAP_LOG(0, ("umichldap_init: Invalid value(%s) for "
> +				      "LDAP_tls_reqcert."));
> +			goto fail;
> +		}
> +	}
>  	/* vary the default port depending on whether they use SSL or not */
>  	ldap_info.port = conf_get_num(LDAP_SECTION, "LDAP_port",
>  				      (ldap_info.use_ssl) ?
> @@ -1230,9 +1261,12 @@ umichldap_init(void)
>  	if (ldap_info.group_tree == NULL || strlen(ldap_info.group_tree) == 0)
>  		ldap_info.group_tree = ldap_info.base;
>  
> -	if (ldap_info.use_ssl && ldap_info.ca_cert == NULL) {
> +	if (ldap_info.use_ssl &&
> +	    ldap_info.tls_reqcert != LDAP_OPT_X_TLS_NEVER &&
> +	    ldap_info.ca_cert == NULL) {
>  		IDMAP_LOG(0, ("umichldap_init: You must specify LDAP_ca_cert "
> -			  "with LDAP_use_ssl=yes"));
> +			  "with LDAP_use_ssl=yes and "
> +			  "LDAP_tls_reqcert not set to \"never\""));
>  		goto fail;
>  	}
>  
> @@ -1257,6 +1291,9 @@ umichldap_init(void)
>  		  ldap_info.use_ssl ? "yes" : "no"));
>  	IDMAP_LOG(1, ("umichldap_init: ca_cert : %s",
>  		  ldap_info.ca_cert ? ldap_info.ca_cert : "<not-supplied>"));
> +	IDMAP_LOG(1, ("umichldap_init: tls_reqcert : %s(%d)",
> +		  cert_req ? cert_req : "<not-supplied>",
> +		  ldap_info.tls_reqcert));
>  	IDMAP_LOG(1, ("umichldap_init: use_memberof_for_groups : %s",
>  		  ldap_info.memberof_for_groups ? "yes" : "no"));
>  
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [nfs-utils:nfsidmap PATCH v2] Add LDAP_tls_reqcert tunable to idmapd.conf.
  2019-05-23 13:54 ` Steve Dickson
@ 2019-05-23 16:10   ` " Srikrishan Malik
  2019-05-23 17:42     ` Steve Dickson
  0 siblings, 1 reply; 4+ messages in thread
From: Srikrishan Malik @ 2019-05-23 16:10 UTC (permalink / raw)
  To: unlisted-recipients:; (no To-header on input); +Cc: linux-nfs, Srikrishan Malik

This tunable will control the checks on server certs for a TLS session
similar to ldap.conf(5).
LDAP_ca_cert can be skipped if LDAP_tls_reqcert is set to "never"

Signed-off-by: Srikrishan Malik <srikrishanmalik@gmail.com>
---
 support/nfsidmap/idmapd.conf   |  8 ++++-
 support/nfsidmap/idmapd.conf.5 | 11 ++++++-
 support/nfsidmap/umich_ldap.c  | 57 ++++++++++++++++++++++++++++------
 3 files changed, 64 insertions(+), 12 deletions(-)

diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
index f07286c3..b673c7d7 100644
--- a/support/nfsidmap/idmapd.conf
+++ b/support/nfsidmap/idmapd.conf
@@ -101,7 +101,13 @@ LDAP_base = dc=local,dc=domain,dc=edu
 # Set to true to enable SSL - anything else is not enabled
 #LDAP_use_ssl = false
 
-# You must specify a CA certificate location if you enable SSL
+# Controls the LDAP server certificate validation behavior
+# It can take the same values as ldap.conf(5)'s TLS_REQCERT
+# tunable
+#LDAP_tls_reqcert = "hard"
+
+# Location of CA certificate, mandatory if LDAP_tls_reqcert
+# is not set to "never"
 #LDAP_ca_cert = /etc/ldapca.cert
 
 # Objectclass mapping information
diff --git a/support/nfsidmap/idmapd.conf.5 b/support/nfsidmap/idmapd.conf.5
index 9a6457e2..61fbb613 100644
--- a/support/nfsidmap/idmapd.conf.5
+++ b/support/nfsidmap/idmapd.conf.5
@@ -195,7 +195,16 @@ Set to "true" to enable SSL communication with the LDAP server.
 Location of a trusted CA certificate used when SSL is enabled
 (Required if
 .B LDAP_use_ssl
-is true)
+is true and
+.B LDAP_tls_reqcert
+is not set to never)
+.TP
+.B LDAP_tls_reqcert
+Controls the LDAP server certificate validation behavior.
+It can take the same values as ldap.conf(5)'s
+.B TLS_REQCERT
+tunable.
+(Default: "hard")
 .TP
 .B NFSv4_person_objectclass
 The object class name for people accounts in your local LDAP schema
diff --git a/support/nfsidmap/umich_ldap.c b/support/nfsidmap/umich_ldap.c
index 10d1d979..b7445c37 100644
--- a/support/nfsidmap/umich_ldap.c
+++ b/support/nfsidmap/umich_ldap.c
@@ -100,6 +100,7 @@ struct umich_ldap_info {
 	char *passwd;		/* Password to use when binding to directory */
 	int use_ssl;		/* SSL flag */
 	char *ca_cert;		/* File location of the ca_cert */
+	int tls_reqcert;	/* req and validate server cert */
 	int memberof_for_groups;/* Use 'memberof' attribute when
 				   looking up user groups */
 	int ldap_timeout;	/* Timeout in seconds for searches
@@ -118,6 +119,7 @@ static struct umich_ldap_info ldap_info = {
 	.passwd = NULL,
 	.use_ssl = 0,
 	.ca_cert = NULL,
+	.tls_reqcert = LDAP_OPT_X_TLS_HARD,
 	.memberof_for_groups = 0,
 	.ldap_timeout = DEFAULT_UMICH_SEARCH_TIMEOUT,
 };
@@ -153,7 +155,7 @@ ldap_init_and_bind(LDAP **pld,
 	LDAPAPIInfo apiinfo = {.ldapai_info_version = LDAP_API_INFO_VERSION};
 
 	snprintf(server_url, sizeof(server_url), "%s://%s:%d",
-		 (linfo->use_ssl && linfo->ca_cert) ? "ldaps" : "ldap",
+		 (linfo->use_ssl) ? "ldaps" : "ldap",
 		 linfo->server, linfo->port);
 
 	/*
@@ -208,9 +210,8 @@ ldap_init_and_bind(LDAP **pld,
 	}
 
 	/* Set option to to use SSL/TLS if requested */
-	if (linfo->use_ssl && linfo->ca_cert) {
+	if (linfo->use_ssl) {
 		int tls_type = LDAP_OPT_X_TLS_HARD;
-
 		lerr = ldap_set_option(ld, LDAP_OPT_X_TLS, &tls_type);
 		if (lerr != LDAP_SUCCESS) {
 			IDMAP_LOG(2, ("ldap_init_and_bind: setting SSL "
@@ -218,11 +219,23 @@ ldap_init_and_bind(LDAP **pld,
 				  ldap_err2string(lerr), lerr));
 			goto out;
 		}
-		lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
-				       linfo->ca_cert);
+
+		if (linfo->ca_cert != NULL) {
+			lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
+					       linfo->ca_cert);
+			if (lerr != LDAP_SUCCESS) {
+				IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
+					  "certificate file failed : %s (%d)",
+					  ldap_err2string(lerr), lerr));
+				goto out;
+			}
+		}
+
+		lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+				       &linfo->tls_reqcert);
 		if (lerr != LDAP_SUCCESS) {
-			IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
-				  "certificate file failed : %s (%d)",
+			IDMAP_LOG(2, ("ldap_init_and_bind: setting "
+				      "req CA cert failed : %s(%d)",
 				  ldap_err2string(lerr), lerr));
 			goto out;
 		}
@@ -1098,7 +1111,7 @@ out_err:
 static int
 umichldap_init(void)
 {
-	char *tssl, *canonicalize, *memberof;
+	char *tssl, *canonicalize, *memberof, *cert_req;
 	char missing_msg[128] = "";
 	char *server_in, *canon_name;
 
@@ -1119,6 +1132,24 @@ umichldap_init(void)
 	else
 		ldap_info.use_ssl = 0;
 	ldap_info.ca_cert = conf_get_str(LDAP_SECTION, "LDAP_CA_CERT");
+	cert_req = conf_get_str(LDAP_SECTION, "LDAP_tls_reqcert");
+	if (cert_req != NULL) {
+		if (strcasecmp(cert_req, "hard") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_HARD;
+		else if (strcasecmp(cert_req, "demand") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_DEMAND;
+		else if (strcasecmp(cert_req, "try") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_TRY;
+		else if (strcasecmp(cert_req, "allow") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_ALLOW;
+		else if (strcasecmp(cert_req, "never") == 0)
+			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_NEVER;
+		else {
+			IDMAP_LOG(0, ("umichldap_init: Invalid value(%s) for "
+				      "LDAP_tls_reqcert."));
+			goto fail;
+		}
+	}
 	/* vary the default port depending on whether they use SSL or not */
 	ldap_info.port = conf_get_num(LDAP_SECTION, "LDAP_port",
 				      (ldap_info.use_ssl) ?
@@ -1230,9 +1261,12 @@ umichldap_init(void)
 	if (ldap_info.group_tree == NULL || strlen(ldap_info.group_tree) == 0)
 		ldap_info.group_tree = ldap_info.base;
 
-	if (ldap_info.use_ssl && ldap_info.ca_cert == NULL) {
+	if (ldap_info.use_ssl &&
+	    ldap_info.tls_reqcert != LDAP_OPT_X_TLS_NEVER &&
+	    ldap_info.ca_cert == NULL) {
 		IDMAP_LOG(0, ("umichldap_init: You must specify LDAP_ca_cert "
-			  "with LDAP_use_ssl=yes"));
+			  "with LDAP_use_ssl=yes and "
+			  "LDAP_tls_reqcert not set to \"never\""));
 		goto fail;
 	}
 
@@ -1257,6 +1291,9 @@ umichldap_init(void)
 		  ldap_info.use_ssl ? "yes" : "no"));
 	IDMAP_LOG(1, ("umichldap_init: ca_cert : %s",
 		  ldap_info.ca_cert ? ldap_info.ca_cert : "<not-supplied>"));
+	IDMAP_LOG(1, ("umichldap_init: tls_reqcert : %s(%d)",
+		  cert_req ? cert_req : "<not-supplied>",
+		  ldap_info.tls_reqcert));
 	IDMAP_LOG(1, ("umichldap_init: use_memberof_for_groups : %s",
 		  ldap_info.memberof_for_groups ? "yes" : "no"));
 
-- 
2.21.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [nfs-utils:nfsidmap PATCH v2] Add LDAP_tls_reqcert tunable to idmapd.conf.
  2019-05-23 16:10   ` [nfs-utils:nfsidmap PATCH v2] " Srikrishan Malik
@ 2019-05-23 17:42     ` Steve Dickson
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Dickson @ 2019-05-23 17:42 UTC (permalink / raw)
  To: Srikrishan Malik; +Cc: linux-nfs



On 5/23/19 12:10 PM, Srikrishan Malik wrote:
> This tunable will control the checks on server certs for a TLS session
> similar to ldap.conf(5).
> LDAP_ca_cert can be skipped if LDAP_tls_reqcert is set to "never"
> 
> Signed-off-by: Srikrishan Malik <srikrishanmalik@gmail.com>
> ---
>  support/nfsidmap/idmapd.conf   |  8 ++++-
>  support/nfsidmap/idmapd.conf.5 | 11 ++++++-
>  support/nfsidmap/umich_ldap.c  | 57 ++++++++++++++++++++++++++++------
>  3 files changed, 64 insertions(+), 12 deletions(-)
Thank you for the updates... Committed!!

steved.
> 
> diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
> index f07286c3..b673c7d7 100644
> --- a/support/nfsidmap/idmapd.conf
> +++ b/support/nfsidmap/idmapd.conf
> @@ -101,7 +101,13 @@ LDAP_base = dc=local,dc=domain,dc=edu
>  # Set to true to enable SSL - anything else is not enabled
>  #LDAP_use_ssl = false
>  
> -# You must specify a CA certificate location if you enable SSL
> +# Controls the LDAP server certificate validation behavior
> +# It can take the same values as ldap.conf(5)'s TLS_REQCERT
> +# tunable
> +#LDAP_tls_reqcert = "hard"
> +
> +# Location of CA certificate, mandatory if LDAP_tls_reqcert
> +# is not set to "never"
>  #LDAP_ca_cert = /etc/ldapca.cert
>  
>  # Objectclass mapping information
> diff --git a/support/nfsidmap/idmapd.conf.5 b/support/nfsidmap/idmapd.conf.5
> index 9a6457e2..61fbb613 100644
> --- a/support/nfsidmap/idmapd.conf.5
> +++ b/support/nfsidmap/idmapd.conf.5
> @@ -195,7 +195,16 @@ Set to "true" to enable SSL communication with the LDAP server.
>  Location of a trusted CA certificate used when SSL is enabled
>  (Required if
>  .B LDAP_use_ssl
> -is true)
> +is true and
> +.B LDAP_tls_reqcert
> +is not set to never)
> +.TP
> +.B LDAP_tls_reqcert
> +Controls the LDAP server certificate validation behavior.
> +It can take the same values as ldap.conf(5)'s
> +.B TLS_REQCERT
> +tunable.
> +(Default: "hard")
>  .TP
>  .B NFSv4_person_objectclass
>  The object class name for people accounts in your local LDAP schema
> diff --git a/support/nfsidmap/umich_ldap.c b/support/nfsidmap/umich_ldap.c
> index 10d1d979..b7445c37 100644
> --- a/support/nfsidmap/umich_ldap.c
> +++ b/support/nfsidmap/umich_ldap.c
> @@ -100,6 +100,7 @@ struct umich_ldap_info {
>  	char *passwd;		/* Password to use when binding to directory */
>  	int use_ssl;		/* SSL flag */
>  	char *ca_cert;		/* File location of the ca_cert */
> +	int tls_reqcert;	/* req and validate server cert */
>  	int memberof_for_groups;/* Use 'memberof' attribute when
>  				   looking up user groups */
>  	int ldap_timeout;	/* Timeout in seconds for searches
> @@ -118,6 +119,7 @@ static struct umich_ldap_info ldap_info = {
>  	.passwd = NULL,
>  	.use_ssl = 0,
>  	.ca_cert = NULL,
> +	.tls_reqcert = LDAP_OPT_X_TLS_HARD,
>  	.memberof_for_groups = 0,
>  	.ldap_timeout = DEFAULT_UMICH_SEARCH_TIMEOUT,
>  };
> @@ -153,7 +155,7 @@ ldap_init_and_bind(LDAP **pld,
>  	LDAPAPIInfo apiinfo = {.ldapai_info_version = LDAP_API_INFO_VERSION};
>  
>  	snprintf(server_url, sizeof(server_url), "%s://%s:%d",
> -		 (linfo->use_ssl && linfo->ca_cert) ? "ldaps" : "ldap",
> +		 (linfo->use_ssl) ? "ldaps" : "ldap",
>  		 linfo->server, linfo->port);
>  
>  	/*
> @@ -208,9 +210,8 @@ ldap_init_and_bind(LDAP **pld,
>  	}
>  
>  	/* Set option to to use SSL/TLS if requested */
> -	if (linfo->use_ssl && linfo->ca_cert) {
> +	if (linfo->use_ssl) {
>  		int tls_type = LDAP_OPT_X_TLS_HARD;
> -
>  		lerr = ldap_set_option(ld, LDAP_OPT_X_TLS, &tls_type);
>  		if (lerr != LDAP_SUCCESS) {
>  			IDMAP_LOG(2, ("ldap_init_and_bind: setting SSL "
> @@ -218,11 +219,23 @@ ldap_init_and_bind(LDAP **pld,
>  				  ldap_err2string(lerr), lerr));
>  			goto out;
>  		}
> -		lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
> -				       linfo->ca_cert);
> +
> +		if (linfo->ca_cert != NULL) {
> +			lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
> +					       linfo->ca_cert);
> +			if (lerr != LDAP_SUCCESS) {
> +				IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
> +					  "certificate file failed : %s (%d)",
> +					  ldap_err2string(lerr), lerr));
> +				goto out;
> +			}
> +		}
> +
> +		lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
> +				       &linfo->tls_reqcert);
>  		if (lerr != LDAP_SUCCESS) {
> -			IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
> -				  "certificate file failed : %s (%d)",
> +			IDMAP_LOG(2, ("ldap_init_and_bind: setting "
> +				      "req CA cert failed : %s(%d)",
>  				  ldap_err2string(lerr), lerr));
>  			goto out;
>  		}
> @@ -1098,7 +1111,7 @@ out_err:
>  static int
>  umichldap_init(void)
>  {
> -	char *tssl, *canonicalize, *memberof;
> +	char *tssl, *canonicalize, *memberof, *cert_req;
>  	char missing_msg[128] = "";
>  	char *server_in, *canon_name;
>  
> @@ -1119,6 +1132,24 @@ umichldap_init(void)
>  	else
>  		ldap_info.use_ssl = 0;
>  	ldap_info.ca_cert = conf_get_str(LDAP_SECTION, "LDAP_CA_CERT");
> +	cert_req = conf_get_str(LDAP_SECTION, "LDAP_tls_reqcert");
> +	if (cert_req != NULL) {
> +		if (strcasecmp(cert_req, "hard") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_HARD;
> +		else if (strcasecmp(cert_req, "demand") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_DEMAND;
> +		else if (strcasecmp(cert_req, "try") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_TRY;
> +		else if (strcasecmp(cert_req, "allow") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_ALLOW;
> +		else if (strcasecmp(cert_req, "never") == 0)
> +			ldap_info.tls_reqcert = LDAP_OPT_X_TLS_NEVER;
> +		else {
> +			IDMAP_LOG(0, ("umichldap_init: Invalid value(%s) for "
> +				      "LDAP_tls_reqcert."));
> +			goto fail;
> +		}
> +	}
>  	/* vary the default port depending on whether they use SSL or not */
>  	ldap_info.port = conf_get_num(LDAP_SECTION, "LDAP_port",
>  				      (ldap_info.use_ssl) ?
> @@ -1230,9 +1261,12 @@ umichldap_init(void)
>  	if (ldap_info.group_tree == NULL || strlen(ldap_info.group_tree) == 0)
>  		ldap_info.group_tree = ldap_info.base;
>  
> -	if (ldap_info.use_ssl && ldap_info.ca_cert == NULL) {
> +	if (ldap_info.use_ssl &&
> +	    ldap_info.tls_reqcert != LDAP_OPT_X_TLS_NEVER &&
> +	    ldap_info.ca_cert == NULL) {
>  		IDMAP_LOG(0, ("umichldap_init: You must specify LDAP_ca_cert "
> -			  "with LDAP_use_ssl=yes"));
> +			  "with LDAP_use_ssl=yes and "
> +			  "LDAP_tls_reqcert not set to \"never\""));
>  		goto fail;
>  	}
>  
> @@ -1257,6 +1291,9 @@ umichldap_init(void)
>  		  ldap_info.use_ssl ? "yes" : "no"));
>  	IDMAP_LOG(1, ("umichldap_init: ca_cert : %s",
>  		  ldap_info.ca_cert ? ldap_info.ca_cert : "<not-supplied>"));
> +	IDMAP_LOG(1, ("umichldap_init: tls_reqcert : %s(%d)",
> +		  cert_req ? cert_req : "<not-supplied>",
> +		  ldap_info.tls_reqcert));
>  	IDMAP_LOG(1, ("umichldap_init: use_memberof_for_groups : %s",
>  		  ldap_info.memberof_for_groups ? "yes" : "no"));
>  
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-22 12:05 [nfs-utils:nfsidmap PATCH] Add LDAP_tls_reqcert tunable to idmapd.conf Srikrishan Malik
2019-05-23 13:54 ` Steve Dickson
2019-05-23 16:10   ` [nfs-utils:nfsidmap PATCH v2] " Srikrishan Malik
2019-05-23 17:42     ` Steve Dickson

Linux-NFS Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-nfs/0 linux-nfs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-nfs linux-nfs/ https://lore.kernel.org/linux-nfs \
		linux-nfs@vger.kernel.org linux-nfs@archiver.kernel.org
	public-inbox-index linux-nfs


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-nfs


AGPL code for this site: git clone https://public-inbox.org/ public-inbox