| |
@@ -11,6 +11,7 @@
|
| |
import os
|
| |
from lib389.config import Config, Encryption, RSA
|
| |
from lib389.nss_ssl import NssSsl
|
| |
+ from lib389.cli_base import _warn
|
| |
|
| |
|
| |
Props = namedtuple('Props', ['cls', 'attr', 'help', 'values'])
|
| |
@@ -203,6 +204,14 @@
|
| |
print(*lst, sep='\n')
|
| |
|
| |
|
| |
+ def security_disable_plaintext_port(inst, basedn, log, args, warn=True):
|
| |
+ if warn and args.json is False:
|
| |
+ _warn(True, msg="Disabling plaintext ldap port - you must have ldaps configured")
|
| |
+ inst.config.disable_plaintext_port()
|
| |
+ log.info("Plaintext port disabled - please restart your instance to take effect")
|
| |
+ log.info("To undo this change run the subcommand - 'dsconf <instance> config replace nsslapd-port=<port number>'")
|
| |
+
|
| |
+
|
| |
def cert_add(inst, basedn, log, args):
|
| |
"""Add server certificate
|
| |
"""
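Review bot: Nothing in `security_disable_plaintext_port` verifies that LDAPS is actually enabled before `inst.config.disable_plaintext_port()` is called; the only safeguard is the wording of the `_warn` prompt, and that prompt is skipped whenever `args.json` is not `False` or the caller passes `warn=False`. Unless `Config.disable_plaintext_port()` performs this check itself (its body is not part of this hunk), an instance with security switched off would likely be left without a usable network listener after the restart. Consider a guard ahead of the call, for example `if inst.config.get_attr_val_utf8_l('nsslapd-security') != 'on': raise ValueError("Refusing to disable the plaintext port: LDAPS is not enabled")`. The new function also has no docstring, unlike `cert_add` below it; a one-liner such as `"""Disable the plaintext LDAP port so only LDAPS is served (restart required)."""` would match the file.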
|
| |
@@ -367,6 +376,10 @@
|
| |
'Turn off security functionality. The rest of the configuration will be left untouched.'))
|
| |
security_disable_p.set_defaults(func=security_disable)
|
| |
|
| |
+ security_disable_plain_parser = security_sub.add_parser('disable_plain_port',
|
| |
+ help="Disables the plain text LDAP port, allowing only LDAPS to function")
|
| |
+ security_disable_plain_parser.set_defaults(func=security_disable_plaintext_port)
|
| |
+
|
| |
# Server certificate management
|
| |
certs = security_sub.add_parser('certificate', help='Manage TLS certificates')
|
| |
certs_sub = certs.add_subparsers(help='certificate')
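Review bot: The `help=` string for `disable_plain_port` does not say that LDAPS must already be enabled or that the change only takes effect after a restart, although the handler's prompt and log messages depend on both. `--help` is where an admin will discover this command, so the precondition belongs there, e.g. `help="Disables the plain text LDAP port, allowing only LDAPS to function. LDAPS must already be enabled; requires a restart"`. The parser set-up function that contains these lines starts and ends outside this hunk.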
|
| |
Bug Description: As plaintext protocols have been shown to be
impossible to secure effectively, we should have the option to
run the server as LDAPS only for high assurance
environments.
Fix Description: Add a test to assert we can move to ldaps only
and back to ldap/ldaps. Add a command to help make this easier for
admins to find and discover.
https://pagure.io/389-ds-base/issue/50859
Author: William Brown william@blackhats.net.au
Review by: ???