#50870 Ticket 50859 - support running only with ldaps socket
Closed 3 years ago by spichugi. Opened 4 years ago by firstyear.
firstyear/389-ds-base 50859-ldaps-only  into  master

@@ -0,0 +1,46 @@ 

+ # --- BEGIN COPYRIGHT BLOCK ---

+ # Copyright (C) 2020 William Brown <william@blackhats.net.au

+ # All rights reserved.

+ #

+ # License: GPL (version 3 or any later version).

+ # See LICENSE for details.

+ # --- END COPYRIGHT BLOCK ---

+ #

+ import pytest

+ import ldap

+ from lib389.topologies import topology_st

+ from lib389.utils import socket_check_open

+ 

+ pytestmark = pytest.mark.tier1

+ 

+ def test_tls_ldaps_only(topology_st):

+     """Test that the server can run with ldaps only.

+ 

+     :id: 812d806b-9368-4534-a291-cbc60ac92a23

+     :steps:

+         1. Enable TLS

+         2. Set the server to ldaps only and restart

+         3. Set the server to accept both and restart

+     :expectedresults:

+         1. TlS is setup

+         2. The server only works on ldaps

+         3. The server accepts both.

+     """

+     standalone = topology_st.standalone

+     # Enable TLS

+     standalone.enable_tls()

+     # Remember the existing port for later.

+     plain_port = standalone.config.get_attr_val_utf8('nsslapd-port')

+     tls_port = standalone.config.get_attr_val_utf8('nsslapd-securePort')

+     # Disable the plaintext port

+     standalone.config.disable_plaintext_port()

+     standalone.restart()

+     # Check we only have the tls port

+     nport = standalone.config.get_attr_val_utf8('nsslapd-port')

+     assert(nport == '0');

+     # Setup the plain again.

+     standalone.config.enable_plaintext_port(plain_port)

+     standalone.restart()

+     nport = standalone.config.get_attr_val_utf8('nsslapd-port')

+     assert(nport == plain_port);

+ 
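Review bot: The test only asserts the configured value of `nsslapd-port` after each `standalone.restart()` and never verifies that the plaintext listener is actually closed or that the secure port still answers, so a server that ignored `nsslapd-port=0` would still pass; `tls_port`, `ldap` and the imported `socket_check_open` are all unused. After the first restart add `assert not socket_check_open(standalone.host, int(plain_port))` and `assert socket_check_open(standalone.host, int(tls_port))`, and repeat the plain-port check once it is re-enabled (assumes `standalone.host` is the listening host, as elsewhere in lib389). The two `assert(...);` lines are C-style; write `assert nport == '0'` and `assert nport == plain_port`. If the first assertion fails the instance is left with the plaintext port disabled for any later test sharing the fixture, so wrapping the disable/check in `try/finally` that calls `enable_plaintext_port(plain_port)` would be safer.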

@@ -11,6 +11,7 @@ 

  import os

  from lib389.config import Config, Encryption, RSA

  from lib389.nss_ssl import NssSsl

+ from lib389.cli_base import _warn

  

  

  Props = namedtuple('Props', ['cls', 'attr', 'help', 'values'])
@@ -203,6 +204,14 @@ 

              print(*lst, sep='\n')

  

  

+ def security_disable_plaintext_port(inst, basedn, log, args, warn=True):

+     if warn and args.json is False:

+         _warn(True, msg="Disabling plaintext ldap port - you must have ldaps configured")

+     inst.config.disable_plaintext_port()

+     log.info("Plaintext port disabled - please restart your instance to take effect")

+     log.info("To undo this change run the subcommand - 'dsconf <instance> config replace nsslapd-port=<port number>'")

+ 

+ 

  def cert_add(inst, basedn, log, args):

      """Add server certificate

      """
@@ -367,6 +376,10 @@ 

          'Turn off security functionality. The rest of the configuration will be left untouched.'))

      security_disable_p.set_defaults(func=security_disable)

  

+     security_disable_plain_parser = security_sub.add_parser('disable_plain_port',

+         help="Disables the plain text LDAP port, allowing only LDAPS to function")

+     security_disable_plain_parser.set_defaults(func=security_disable_plaintext_port)

+ 

      # Server certificate management

      certs = security_sub.add_parser('certificate', help='Manage TLS certificates')

      certs_sub = certs.add_subparsers(help='certificate')
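Review bot: The help text for `disable_plain_port` does not say that TLS must already be configured or that a restart is required, although the command's own warning and log messages state both; `help="Disable the plain text LDAP port so only LDAPS is served (TLS must already be configured; takes effect after restart)"`. Mentioning the undo command the function logs (`config replace nsslapd-port=<port number>`) here as well would make it discoverable from `--help` before the change is made.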

@@ -213,6 +213,19 @@ 

              report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid)

              yield report

  

+     def disable_plaintext_port(self):

+         """

+         Configure the server to not-provide the plaintext port.

+         """

+         self.set('nsslapd-port', '0')

+ 

+     def enable_plaintext_port(self, port):

+         """

+         Configure the server to provide the plaintext port on the specified port number.

+         """

+         self.set('nsslapd-port', port)

+ 

+ 

  class Encryption(DSLdapObject):

      """

          Manage "cn=encryption,cn=config" tree, including:
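Review bot: `enable_plaintext_port` passes `port` straight to `self.set('nsslapd-port', port)` with no validation, so a non-numeric or out-of-range value, or `'0'` (which re-disables the port), is only rejected at restart when the instance fails to come up; every other `set` call on the page passes a string, so an int `port` may not be accepted either, though `set` itself is not on the page. Validate first: `if not str(port).isdigit() or not 1 <= int(port) <= 65535:` / `    raise ValueError(f"invalid port {port!r}")` / `self.set('nsslapd-port', str(port))`. `disable_plaintext_port` likewise does not check that a secure listener exists; the CLI wrapper is the right place for that guard, but a docstring line `Callers must ensure TLS is enabled first, or the instance has no listener after restart.` would document the precondition. The enclosing `class Config` starts outside the hunk.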

Bug Description: As plaintext protocols have shown they are
unable to be effectively secured, we should have the choice to
be able to run the server only as LDAPS for high assurance
environments.

Fix Description: Add a test to assert we can move to ldaps only
and back to ldap/ldaps. Add a command to help make this easier for
admins to find and discover.

https://pagure.io/389-ds-base/issue/50859

Author: William Brown william@blackhats.net.au

Review by: ???

This comment should be "...server to provide...". Otherwise ack

Actually, I might make the help/warning also say "to undo this, run command X" as well. Thanks for the fast review!

rebased onto ccc03bfd179c038da1c51d553fe501780ae1e49a

4 years ago

Hey @mreynolds It's only a minor change, but I thought I'd let you check again, I added the "undo command" into the success message.

rebased onto 5afacd3

4 years ago

Pull-Request has been merged by firstyear

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3923

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago