CP-309972: Configurable between ldap and ldaps during join domain (#6934)

Author: liulinC

ocaml/tests/test_extauth_plugin_ADwinbind.ml

@@ -18,26 +18,25 @@ module ExtractOuConfig = Generic.MakeStateless (struct
   module Io = struct
     type input_t = (string * string) list
 
-    type output_t = (string * string) list * string list
+    type output_t = string option * string list
 
     let string_of_input_t = Test_printers.(assoc_list string string)
 
-    let string_of_output_t =
-      Test_printers.(pair (assoc_list string string) (list string))
+    let string_of_output_t = Test_printers.(pair (option string) (list string))
   end
 
   let transform x = Extauth_plugin_ADwinbind.extract_ou_config ~config_params:x
 
   let tests =
     `QuickAndAutoDocumented
       [
-        ([("auth-type", "AD"); ("service-name", "conappada.local")], ([], []))
+        ([("auth-type", "AD"); ("service-name", "conappada.local")], (None, []))
       ; ( [
             ("auth-type", "AD")
           ; ("service-name", "conappada.local")
           ; ("ou", "TOU")
           ]
-        , ([("ou", "TOU")], ["createcomputer=TOU"])
+        , (Some "TOU", ["createcomputer=TOU"])
         )
       ]
 end)

ocaml/xapi/extauth_plugin_ADwinbind.ml

@@ -89,11 +89,14 @@ let err_msg_to_tag_map =
 
 type domain_info = {
     service_name: string
+  ; user: string
   ; workgroup: string option
         (* For upgrade case, the legacy db does not contain workgroup *)
   ; netbios_name: string option
         (* Persist netbios_name to support hostname change *)
+  ; ldaps: bool (* Use ldaps instead of ldap *)
   ; machine_pwd_last_change_time: float option
+  ; ou: string option
 }
 
 let generic_error msg =
@@ -196,16 +199,25 @@ let get_domain_info_from_db () =
   let service_name =
     Db.Host.get_external_auth_service_name ~__context ~self:host
   in
-  let workgroup, netbios_name, machine_pwd_last_change_time =
-    Db.Host.get_external_auth_configuration ~__context ~self:host
-    |> fun config ->
-    ( List.assoc_opt "workgroup" config
-    , List.assoc_opt "netbios_name" config
-    , List.assoc_opt "machine_pwd_last_change_time" config
-      |> Option.map (fun s -> float_of_string s)
-    )
+  let config = Db.Host.get_external_auth_configuration ~__context ~self:host in
+  let user = List.assoc "user" config in
+  let workgroup = List.assoc_opt "workgroup" config in
+  let netbios_name = List.assoc_opt "netbios_name" config in
+  let machine_pwd_last_change_time =
+    List.assoc_opt "machine_pwd_last_change_time" config
+    |> Option.map (fun s -> float_of_string s)
   in
-  {service_name; workgroup; netbios_name; machine_pwd_last_change_time}
+  let ldaps = Helpers.ldaps_enabled_in_config ~config in
+  let ou = List.assoc_opt "ou" config in
+  {
+    service_name
+  ; user
+  ; workgroup
+  ; netbios_name
+  ; ldaps
+  ; machine_pwd_last_change_time
+  ; ou
+  }
 
 let update_extauth_configuration ~__context ~k ~v =
   let self = Helpers.get_localhost ~__context in
@@ -778,16 +790,29 @@ let query_domain_workgroup ~domain =
     workgroup_from_server kdc |> Result.get_ok
   with _ -> raise (Auth_service_error (E_LOOKUP, err_msg))
 
-let config_winbind_daemon ~workgroup ~netbios_name ~domain =
+let config_winbind_daemon domain_info =
   let smb_config = "/etc/samba/smb.conf" in
   let extra_conf = "/etc/samba/smb.extra.conf" in
+  (* Will change to following config after trusted certs feature
+  tls cafile = /etc/trusted-certs/ca-bundle-[ldaps|general].pem
+  *)
+  let certs_dir = "/etc/stunnel/certs" in
   let string_of_bool = function true -> "yes" | false -> "no" in
 
   let scan_trusted_domains =
     string_of_bool !Xapi_globs.winbind_scan_trusted_domains
   in
-  ( match (workgroup, netbios_name, domain) with
-    | Some wkgroup, Some netbios, Some dom ->
+
+  ( match domain_info with
+    | Some
+        {
+          service_name= dom
+        ; workgroup= Some wkgroup
+        ; netbios_name= Some netbios
+        ; ldaps
+        ; _
+        } ->
+        let ldaps_conf = match ldaps with true -> "ldaps" | _ -> "seal" in
         [
           Printf.sprintf "# This file is managed by xapi, update %s instead"
             extra_conf
@@ -802,6 +827,10 @@ let config_winbind_daemon ~workgroup ~netbios_name ~domain =
         ; "winbind refresh tickets = yes"
         ; "winbind enum groups = no"
         ; "winbind enum users = no"
+        ; Printf.sprintf "client ldap sasl wrapping= %s" ldaps_conf
+        ; "tls trust system cas = yes"
+        ; "tls verify peer = ca_and_name_if_available"
+        ; Printf.sprintf "tls ca directories = %s" certs_dir
         ; Printf.sprintf "winbind scan trusted domains = %s"
             scan_trusted_domains
         ; "winbind use krb5 enterprise principals = yes"
@@ -832,7 +861,7 @@ let clear_winbind_config () =
   if !Xapi_globs.winbind_keep_configuration then
     ()
   else
-    config_winbind_daemon ~workgroup:None ~netbios_name:None ~domain:None
+    config_winbind_daemon None
 
 let from_config ~name ~err_msg ~config_params =
   match List.assoc_opt name config_params with
@@ -865,26 +894,44 @@ let assert_domain_equal_service_name ~service_name ~config_params =
 let extract_ou_config ~config_params =
   try
     let ou = from_config ~name:"ou" ~err_msg:"" ~config_params in
-    ([("ou", ou)], [Printf.sprintf "createcomputer=%s" ou])
-  with Auth_service_error _ -> ([], [])
+    (Some ou, [Printf.sprintf "createcomputer=%s" ou])
+  with Auth_service_error _ -> (None, [])
 
-let persist_extauth_config ~domain ~user ~ou_conf ~workgroup ~netbios_name
-    ~machine_pwd_last_change_time =
+let persist_extauth_config ~domain_info =
   let value =
-    match
-      (domain, user, workgroup, netbios_name, machine_pwd_last_change_time)
-    with
-    | Some dom, Some u, Some wkg, Some netbios, Some pwd_time ->
+    match domain_info with
+    | None ->
+        []
+    | Some
+        {
+          service_name
+        ; user
+        ; workgroup
+        ; netbios_name
+        ; machine_pwd_last_change_time
+        ; ldaps
+        ; ou
+        } -> (
         [
-          ("domain", dom)
-        ; ("user", u)
-        ; ("workgroup", wkg)
-        ; ("netbios_name", netbios)
-        ; ("machine_pwd_last_change_time", pwd_time)
+          ("domain", service_name)
+        ; ("user", user)
+        ; ("ldaps", string_of_bool ldaps)
         ]
-        @ ou_conf
-    | _ ->
-        []
+        @ (match workgroup with Some w -> [("workgroup", w)] | None -> [])
+        @ ( match netbios_name with
+          | Some n ->
+              [("netbios_name", n)]
+          | None ->
+              []
+          )
+        @ (match ou with Some o -> [("ou", o)] | None -> [])
+        @
+        match machine_pwd_last_change_time with
+        | Some t ->
+            [("machine_pwd_last_change_time", string_of_float t)]
+        | None ->
+            []
+      )
   in
   Server_helpers.exec_with_new_task "update external_auth_configuration"
   @@ fun __context ->
@@ -970,28 +1017,34 @@ module Winbind = struct
   let configure ~__context =
     (* Refresh winbind configuration to handle upgrade from PBIS
      * The winbind configuration needs to be refreshed before start winbind daemon *)
-    let {service_name; workgroup; netbios_name; _} =
-      get_domain_info_from_db ()
-    in
+    let domain_info = get_domain_info_from_db () in
     let netbios_name =
-      match netbios_name with
+      match domain_info.netbios_name with
       | None ->
           Migrate_from_pbis.migrate_netbios_name ~__context
       | Some name ->
           name
     in
     let workgroup =
-      match workgroup with
+      match domain_info.workgroup with
       | None ->
-          let workgroup = query_domain_workgroup ~domain:service_name in
+          let workgroup =
+            query_domain_workgroup ~domain:domain_info.service_name
+          in
           (* Persist the workgroup to avoid lookup again on next startup *)
           update_workgroup ~__context ~workgroup ;
           workgroup
       | Some workgroup ->
           workgroup
     in
-    config_winbind_daemon ~domain:(Some service_name)
-      ~workgroup:(Some workgroup) ~netbios_name:(Some netbios_name)
+    let domain_info =
+      {
+        domain_info with
+        netbios_name= Some netbios_name
+      ; workgroup= Some workgroup
+      }
+    in
+    config_winbind_daemon (Some domain_info)
 
   let init_service ~__context =
     if is_ad_enabled ~__context then (
@@ -1527,17 +1580,32 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
 
     assert_hostname_valid ~hostname:netbios_name ;
 
-    let {service_name; _} = get_domain_info_from_db () in
+    let service_name =
+      Helpers.get_localhost ~__context |> fun self ->
+      Db.Host.get_external_auth_service_name ~__context ~self
+    in
     assert_domain_equal_service_name ~service_name ~config_params ;
 
     let workgroup =
       (* Query new domain workgroup during join domain *)
       query_domain_workgroup ~domain:service_name
     in
-    config_winbind_daemon ~domain:(Some service_name)
-      ~workgroup:(Some workgroup) ~netbios_name:(Some netbios_name) ;
+    let ldaps = Helpers.ldaps_enabled_in_config ~config:config_params in
+
+    let ou, ou_param = extract_ou_config ~config_params in
+    let domain_info =
+      {
+        service_name
+      ; user
+      ; workgroup= Some workgroup
+      ; netbios_name= Some netbios_name
+      ; machine_pwd_last_change_time= Some (Unix.time ())
+      ; ldaps
+      ; ou
+      }
+    in
 
-    let ou_conf, ou_param = extract_ou_config ~config_params in
+    config_winbind_daemon (Some domain_info) ;
 
     let args =
       [
@@ -1563,11 +1631,7 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
       (* Need to restart to refresh cache *)
       Winbind.restart ~timeout:5. ~wait_until_success:true ;
       Winbind.check_ready_to_serve ~timeout:300. ;
-      let machine_pwd_last_change_time = Unix.time () |> string_of_float in
-      persist_extauth_config ~domain:(Some service_name) ~user:(Some user)
-        ~ou_conf ~workgroup:(Some workgroup)
-        ~machine_pwd_last_change_time:(Some machine_pwd_last_change_time)
-        ~netbios_name:(Some netbios_name) ;
+      persist_extauth_config ~domain_info:(Some domain_info) ;
       (* Trigger right now *)
       RotateMachinePassword.trigger_rotate ~start:0. ;
       ConfigHosts.join ~domain:service_name ~name:netbios_name ;
@@ -1588,7 +1652,7 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
     | Xapi_systemctl.Systemctl_fail _ ->
         let msg = Printf.sprintf "Failed to start %s" Winbind.name in
         error "Start daemon error: %s" msg ;
-        config_winbind_daemon ~domain:None ~workgroup:None ~netbios_name:None ;
+        config_winbind_daemon None ;
         ConfigHosts.leave ~domain:service_name ~name:netbios_name ;
         raise (Auth_service_error (E_GENERIC, msg))
     | e ->
@@ -1623,8 +1687,7 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
     ) ;
 
     (* Clean extauth config *)
-    persist_extauth_config ~domain:None ~user:None ~ou_conf:[] ~workgroup:None
-      ~machine_pwd_last_change_time:None ~netbios_name:None ;
+    persist_extauth_config ~domain_info:None ;
     RotateMachinePassword.stop_rotate () ;
     (* The caller disable external auth even disable machine account failed,
      * We run clear_machine_account after some necessary resources get cleared *)

ocaml/xapi/extauth_plugin_ADwinbind.mli

@@ -34,7 +34,7 @@ module AuthADWinbind : sig val methods : Auth_signature.t end
 
 (* Expose function to make compiler happy for unittest *)
 val extract_ou_config :
-  config_params:(string * string) list -> (string * string) list * string list
+  config_params:(string * string) list -> string option * string list
 
 val domainify_uname : domain:string -> string -> string
 

ocaml/xapi/helpers.ml

@@ -2466,3 +2466,11 @@ module AuthenticationCache = struct
           None
   end
 end
+
+let ldaps_enabled_in_config ~config =
+  match List.assoc_opt "ldaps" config with
+  (* Default to false, true iff v = true (case-insensitive) *)
+  | Some v when bool_of_string_opt (String.lowercase_ascii v) = Some true ->
+      true
+  | _ ->
+      false