From: Srikrishan Malik <srikrishanmalik@gmail.com>
To: unlisted-recipients:; (no To-header on input)
Cc: linux-nfs@vger.kernel.org, Srikrishan Malik <srikrishanmalik@gmail.com>
Subject: [nfs-utils:nfsidmap PATCH v2] Add LDAP_tls_reqcert tunable to idmapd.conf.
Date: Thu, 23 May 2019 09:10:14 -0700 [thread overview]
Message-ID: <20190523161014.60182-1-srikrishanmalik@gmail.com> (raw)
In-Reply-To: <0a9cbe6a-3c24-08d5-7383-f32bd8be4e09@RedHat.com>
This tunable will control the checks on server certs for a TLS session
similar to ldap.conf(5).
LDAP_ca_cert can be skipped if LDAP_tls_reqcert is set to "never"
Signed-off-by: Srikrishan Malik <srikrishanmalik@gmail.com>
---
support/nfsidmap/idmapd.conf | 8 ++++-
support/nfsidmap/idmapd.conf.5 | 11 ++++++-
support/nfsidmap/umich_ldap.c | 57 ++++++++++++++++++++++++++++------
3 files changed, 64 insertions(+), 12 deletions(-)
diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
index f07286c3..b673c7d7 100644
--- a/support/nfsidmap/idmapd.conf
+++ b/support/nfsidmap/idmapd.conf
@@ -101,7 +101,13 @@ LDAP_base = dc=local,dc=domain,dc=edu
# Set to true to enable SSL - anything else is not enabled
#LDAP_use_ssl = false
-# You must specify a CA certificate location if you enable SSL
+# Controls the LDAP server certificate validation behavior
+# It can take the same values as ldap.conf(5)'s TLS_REQCERT
+# tunable
+#LDAP_tls_reqcert = "hard"
+
+# Location of CA certificate, mandatory if LDAP_tls_reqcert
+# is not set to "never"
#LDAP_ca_cert = /etc/ldapca.cert
# Objectclass mapping information
diff --git a/support/nfsidmap/idmapd.conf.5 b/support/nfsidmap/idmapd.conf.5
index 9a6457e2..61fbb613 100644
--- a/support/nfsidmap/idmapd.conf.5
+++ b/support/nfsidmap/idmapd.conf.5
@@ -195,7 +195,16 @@ Set to "true" to enable SSL communication with the LDAP server.
Location of a trusted CA certificate used when SSL is enabled
(Required if
.B LDAP_use_ssl
-is true)
+is true and
+.B LDAP_tls_reqcert
+is not set to never)
+.TP
+.B LDAP_tls_reqcert
+Controls the LDAP server certificate validation behavior.
+It can take the same values as ldap.conf(5)'s
+.B TLS_REQCERT
+tunable.
+(Default: "hard")
.TP
.B NFSv4_person_objectclass
The object class name for people accounts in your local LDAP schema
diff --git a/support/nfsidmap/umich_ldap.c b/support/nfsidmap/umich_ldap.c
index 10d1d979..b7445c37 100644
--- a/support/nfsidmap/umich_ldap.c
+++ b/support/nfsidmap/umich_ldap.c
@@ -100,6 +100,7 @@ struct umich_ldap_info {
char *passwd; /* Password to use when binding to directory */
int use_ssl; /* SSL flag */
char *ca_cert; /* File location of the ca_cert */
+ int tls_reqcert; /* req and validate server cert */
int memberof_for_groups;/* Use 'memberof' attribute when
looking up user groups */
int ldap_timeout; /* Timeout in seconds for searches
@@ -118,6 +119,7 @@ static struct umich_ldap_info ldap_info = {
.passwd = NULL,
.use_ssl = 0,
.ca_cert = NULL,
+ .tls_reqcert = LDAP_OPT_X_TLS_HARD,
.memberof_for_groups = 0,
.ldap_timeout = DEFAULT_UMICH_SEARCH_TIMEOUT,
};
@@ -153,7 +155,7 @@ ldap_init_and_bind(LDAP **pld,
LDAPAPIInfo apiinfo = {.ldapai_info_version = LDAP_API_INFO_VERSION};
snprintf(server_url, sizeof(server_url), "%s://%s:%d",
- (linfo->use_ssl && linfo->ca_cert) ? "ldaps" : "ldap",
+ (linfo->use_ssl) ? "ldaps" : "ldap",
linfo->server, linfo->port);
/*
@@ -208,9 +210,8 @@ ldap_init_and_bind(LDAP **pld,
}
/* Set option to to use SSL/TLS if requested */
- if (linfo->use_ssl && linfo->ca_cert) {
+ if (linfo->use_ssl) {
int tls_type = LDAP_OPT_X_TLS_HARD;
-
lerr = ldap_set_option(ld, LDAP_OPT_X_TLS, &tls_type);
if (lerr != LDAP_SUCCESS) {
IDMAP_LOG(2, ("ldap_init_and_bind: setting SSL "
@@ -218,11 +219,23 @@ ldap_init_and_bind(LDAP **pld,
ldap_err2string(lerr), lerr));
goto out;
}
- lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
- linfo->ca_cert);
+
+ if (linfo->ca_cert != NULL) {
+ lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
+ linfo->ca_cert);
+ if (lerr != LDAP_SUCCESS) {
+ IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
+ "certificate file failed : %s (%d)",
+ ldap_err2string(lerr), lerr));
+ goto out;
+ }
+ }
+
+ lerr = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+ &linfo->tls_reqcert);
if (lerr != LDAP_SUCCESS) {
- IDMAP_LOG(2, ("ldap_init_and_bind: setting CA "
- "certificate file failed : %s (%d)",
+ IDMAP_LOG(2, ("ldap_init_and_bind: setting "
+ "req CA cert failed : %s(%d)",
ldap_err2string(lerr), lerr));
goto out;
}
@@ -1098,7 +1111,7 @@ out_err:
static int
umichldap_init(void)
{
- char *tssl, *canonicalize, *memberof;
+ char *tssl, *canonicalize, *memberof, *cert_req;
char missing_msg[128] = "";
char *server_in, *canon_name;
@@ -1119,6 +1132,24 @@ umichldap_init(void)
else
ldap_info.use_ssl = 0;
ldap_info.ca_cert = conf_get_str(LDAP_SECTION, "LDAP_CA_CERT");
+ cert_req = conf_get_str(LDAP_SECTION, "LDAP_tls_reqcert");
+ if (cert_req != NULL) {
+ if (strcasecmp(cert_req, "hard") == 0)
+ ldap_info.tls_reqcert = LDAP_OPT_X_TLS_HARD;
+ else if (strcasecmp(cert_req, "demand") == 0)
+ ldap_info.tls_reqcert = LDAP_OPT_X_TLS_DEMAND;
+ else if (strcasecmp(cert_req, "try") == 0)
+ ldap_info.tls_reqcert = LDAP_OPT_X_TLS_TRY;
+ else if (strcasecmp(cert_req, "allow") == 0)
+ ldap_info.tls_reqcert = LDAP_OPT_X_TLS_ALLOW;
+ else if (strcasecmp(cert_req, "never") == 0)
+ ldap_info.tls_reqcert = LDAP_OPT_X_TLS_NEVER;
+ else {
+ IDMAP_LOG(0, ("umichldap_init: Invalid value(%s) for "
+ "LDAP_tls_reqcert."));
+ goto fail;
+ }
+ }
/* vary the default port depending on whether they use SSL or not */
ldap_info.port = conf_get_num(LDAP_SECTION, "LDAP_port",
(ldap_info.use_ssl) ?
@@ -1230,9 +1261,12 @@ umichldap_init(void)
if (ldap_info.group_tree == NULL || strlen(ldap_info.group_tree) == 0)
ldap_info.group_tree = ldap_info.base;
- if (ldap_info.use_ssl && ldap_info.ca_cert == NULL) {
+ if (ldap_info.use_ssl &&
+ ldap_info.tls_reqcert != LDAP_OPT_X_TLS_NEVER &&
+ ldap_info.ca_cert == NULL) {
IDMAP_LOG(0, ("umichldap_init: You must specify LDAP_ca_cert "
- "with LDAP_use_ssl=yes"));
+ "with LDAP_use_ssl=yes and "
+ "LDAP_tls_reqcert not set to \"never\""));
goto fail;
}
@@ -1257,6 +1291,9 @@ umichldap_init(void)
ldap_info.use_ssl ? "yes" : "no"));
IDMAP_LOG(1, ("umichldap_init: ca_cert : %s",
ldap_info.ca_cert ? ldap_info.ca_cert : "<not-supplied>"));
+ IDMAP_LOG(1, ("umichldap_init: tls_reqcert : %s(%d)",
+ cert_req ? cert_req : "<not-supplied>",
+ ldap_info.tls_reqcert));
IDMAP_LOG(1, ("umichldap_init: use_memberof_for_groups : %s",
ldap_info.memberof_for_groups ? "yes" : "no"));
--
2.21.0
next prev parent reply other threads:[~2019-05-23 16:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-22 12:05 [nfs-utils:nfsidmap PATCH] Add LDAP_tls_reqcert tunable to idmapd.conf Srikrishan Malik
2019-05-23 13:54 ` Steve Dickson
2019-05-23 16:10 ` Srikrishan Malik [this message]
2019-05-23 17:42 ` [nfs-utils:nfsidmap PATCH v2] " Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190523161014.60182-1-srikrishanmalik@gmail.com \
--to=srikrishanmalik@gmail.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.