
Commit b6a72e4

authored
2 parents 9913e47 + fce3436 commit b6a72e4

31 files changed

Lines changed: 1002 additions & 264 deletions

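--- a/doc/content/design/external-auth-ldaps.md
+++ b/doc/content/design/external-auth-ldaps.md
@@ -91,9 +91,11 @@ Given `ldaps` default to `false`, this feature is **NOT** enabled until explicit
 
 #### 3.1.2 Error code
 Following new error codes added to indicate ldaps enable related error
-- POOL_AUTH_ENABLE_FAILED_NO_CERTS, no certs can be used for ldaps, refer to 4.1.2 for certs finding.
-- POOL_AUTH_ENABLE_FAILED_INVALID_CERTS, found certs, but none of the certs can be used to connect to DC
-**Note**: Current error code handing infrustrucure requires the error code prefix with POOL_AUTH_ENABLE_FAILED
+- `POOL_AUTH_ENABLE_FAILED_NO_TRUSTED_CERTS`: no trusted certs can be used for ldaps, refer to 4.1.2 for trusted certs finding.
+- `POOL_AUTH_ENABLE_FAILED_INVALID_TRUSTED_CERTS`: found trusted certs, but none of the trusted certs can be used to connect to DC.
+- `POOL_AUTH_ENABLE_FAILED_SETUP_TLS_CONNECTION`: failed to set up TLS connection to DC (e.g. GnuTLS handshake failure such as `tstream_tls_sync_setup: GNUTLS ERROR`). The error message contains the underlying details reported by winbind.
+
+**Note**: Current error code handling infrastructure requires the error code prefix with `POOL_AUTH_ENABLE_FAILED`.
 
 ### 3.2 Set/Get Pool LDAPS Status
 
@@ -135,10 +137,11 @@ xe pool-external-auth-set-ldaps uuid=<uuid> ldaps=<true|false>
 
 #### 3.2.1.2 Error code
 This API may raise following errors
-- AUTH_NO_CERTS, no certs found to enable ldaps, refer to 4.1.2 for certs finding
-- AUTH_INVALID_CERTS, found certs, but none of the certs can be used to connect to DC
-- AUTH_IS_DISABLED, AD is not enabled
-- AUTH_SET_LDAPS_FAILED, Failed to set ldaps, the error message contains the details like ldap query on domain failed
+- `AUTH_NO_TRUSTED_CERTS`: no trusted certs found to enable ldaps, refer to 4.1.2 for trusted certs finding.
+- `AUTH_INVALID_TRUSTED_CERTS`: found trusted certs, but none of the trusted certs can be used to connect to DC.
+- `AUTH_SETUP_TLS_CONNECTION`: failed to set up TLS CONNECTION to DC (e.g. GnuTLS handshake failure such as `tstream_tls_sync_setup: GNUTLS ERROR`). The error message contains the underlying details reported by winbind.
+- `AUTH_IS_DISABLED`: AD is not enabled.
+- `AUTH_SET_LDAPS_FAILED`: Failed to set ldaps, the error message contains the details like ldap query on domain failed.
 
 #### 3.2.2 Get Pool LDAPS Status
 
@@ -268,10 +271,10 @@ alt precheck failed
 client-->>user: precheck failed
 end
 
-Note over client,coor: sync all ldaps certs
-client->>coor: pool.download_trusted_certificate
-coor-->>client:
-client->>join: pool.install_trusted_certificate
+Note over client,coor: sync trusted CA certs from coordinator to joining host
+client->>join: pool.sync_trusted_certificates_from
+join->>coor: pool.exchange_trusted_certificates_on_join
+coor-->>join:
 join-->>client:
 
 user->>client: join domain username/password
@@ -289,15 +292,11 @@ client-->>user: pool.join succeed
 
 **Detailed Steps:**
 
-1. Client find proper `ldaps certs` from pool coordinator as `certs_pool`
-- a. find all certs `ldaps in purpose`
-- b. if no LDAPS certs, find all `general` certs
-2. Client find all certs in joining host as `certs_joining_host`
-3. Client identify the certs needs to be synced to joining host as `certs_to_sync = certs_pool - certs_joining_host` (certs in `certs_pool`, but not in `certs_joining_host`), the certs fingerprint should be used to identify the certs
-4. Client download all `certs_to_sync`, `pool.download_trusted_certificate` from coordinator
-5. Client upload all certs to joining pool, `pool.install_trusted_certificate` to joining pool, with the same purpose
-6. Client trigger `pool.join` again with domain username and password
-7. After pool.join:
+1. Client calls `pool.sync_trusted_certificates_from` to joiner host. The call will
+- a. download all trusted certificates from the pool, and
+- b. install the trusted certificates into the joiner host.
+2. Client trigger `pool.join` again with domain username and password
+3. After pool.join:
 - If pool.join failed, Client call `pool.uninstall_trusted_certificate` on joining host to revert the certs
 - If pool.join succeed, do nothing as pool.join would sync the certs anyway
 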
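--- a/ocaml/idl/datamodel_certificate.ml
+++ b/ocaml/idl/datamodel_certificate.ml
@@ -37,7 +37,13 @@ let certificate_type =
 let certificate_purpose =
 Enum
 ( "certificate_purpose"
-, [("licensing", "Trusted certificates that are for licensing purpose.")]
+, [
+("licensing", "Trusted certificates that are for licensing purpose.")
+; ( "ldaps"
+, "Trusted certificates that are for LDAPS connections to external \
+authentication services."
+)
+]
 )
 
 let t =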
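Review bot: The `"ldaps"` purpose description says these certificates are "for LDAPS connections to external authentication services" but not what role they play in that connection, so a reader cannot tell whether they are server certificates, client certificates or trust anchors. The new error texts in datamodel_errors.ml describe them as trusted CA certificates used to set up the TLS connection to Active Directory, so the enum doc should say the same: `"Trusted CA certificates used to verify the TLS connection to the LDAPS endpoint of an external authentication service (e.g. an Active Directory domain controller)."`.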
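--- a/ocaml/idl/datamodel_errors.ml
+++ b/ocaml/idl/datamodel_errors.ml
@@ -737,28 +737,54 @@ let _ =
 error Api_errors.auth_unknown_type ["type"]
 ~doc:"Unknown type of external authentication." () ;
 error Api_errors.auth_is_disabled []
-~doc:"External authentication is disabled, unable to resolve subject name."
+~doc:"External authentication is disabled" () ;
+error Api_errors.auth_invalid_trusted_certs ["message"]
+~doc:
+"The trusted certificates are invalid to setup a TLS connection to \
+Active Directory."
+() ;
+error Api_errors.auth_no_trusted_certs ["message"]
+~doc:
+"No trusted CA certificates found to setup a TLS connection to Active \
+Directory"
 () ;
 error Api_errors.auth_enable_failed ["message"]
 ~doc:"The host failed to enable external authentication." () ;
 error Api_errors.auth_enable_failed_wrong_credentials ["message"]
-~doc:"The host failed to enable external authentication." () ;
+~doc:"The host failed to enable external authentication, wrong credentials."
+() ;
 error Api_errors.auth_enable_failed_permission_denied ["message"]
-~doc:"The host failed to enable external authentication." () ;
+~doc:"The host failed to enable external authentication, permission denied."
+() ;
 error Api_errors.auth_enable_failed_domain_lookup_failed ["message"]
 ~doc:"The host failed to enable external authentication." () ;
 error Api_errors.auth_enable_failed_unavailable ["message"]
 ~doc:"The host failed to enable external authentication." () ;
 error Api_errors.auth_enable_failed_invalid_ou ["message"]
-~doc:"The host failed to enable external authentication." () ;
+~doc:"The host failed to enable external authentication, invalid OU." () ;
 error Api_errors.auth_enable_failed_invalid_account ["message"]
-~doc:"The host failed to enable external authentication." () ;
+~doc:"The host failed to enable external authentication, invalid account."
+() ;
+error Api_errors.auth_enable_failed_invalid_trusted_certs ["message"]
+~doc:
+"The host failed to enable external authentication, invalid trusted \
+certificates."
+() ;
+error Api_errors.auth_enable_failed_no_trusted_certs ["message"]
+~doc:
+"The host failed to enable external authentication, no trusted \
+certificates"
+() ;
 error Api_errors.auth_disable_failed ["message"]
 ~doc:"The host failed to disable external authentication." () ;
 error Api_errors.auth_disable_failed_wrong_credentials ["message"]
-~doc:"The host failed to disable external authentication." () ;
+~doc:
+"The host failed to disable external authentication, wrong credentials."
+() ;
 error Api_errors.auth_disable_failed_permission_denied ["message"]
-~doc:"The host failed to disable external authentication." () ;
+~doc:
+"The host failed to disable external authentication, permission denied."
+() ;
 error Api_errors.host_evacuate_in_progress ["host"]
 ~doc:"This host is being evacuated." () ;
 
@@ -827,21 +853,54 @@ let _ =
 error Api_errors.pool_auth_enable_failed ["host"; "message"]
 ~doc:"The pool failed to enable external authentication." () ;
 error Api_errors.pool_auth_enable_failed_wrong_credentials ["host"; "message"]
-~doc:"The pool failed to enable external authentication." () ;
+~doc:"The pool failed to enable external authentication, wrong credentials."
+() ;
 error Api_errors.pool_auth_enable_failed_permission_denied ["host"; "message"]
-~doc:"The pool failed to enable external authentication." () ;
+~doc:"The pool failed to enable external authentication, permission denied."
+() ;
 error Api_errors.pool_auth_enable_failed_domain_lookup_failed
 ["host"; "message"]
 ~doc:"The pool failed to enable external authentication." () ;
 error Api_errors.pool_auth_enable_failed_unavailable ["host"; "message"]
 ~doc:"The pool failed to enable external authentication." () ;
 error Api_errors.pool_auth_enable_failed_duplicate_hostname
 ["host"; "message"]
-~doc:"The pool failed to enable external authentication." () ;
+~doc:
+"The pool failed to enable external authentication, duplicate hostname."
+() ;
 error Api_errors.pool_auth_enable_failed_invalid_ou ["host"; "message"]
-~doc:"The pool failed to enable external authentication." () ;
+~doc:"The pool failed to enable external authentication, invalid OU" () ;
 error Api_errors.pool_auth_enable_failed_invalid_account ["host"; "message"]
-~doc:"The pool failed to enable external authentication." () ;
+~doc:"The pool failed to enable external authentication, invalid account."
+() ;
+error Api_errors.pool_auth_enable_failed_invalid_trusted_certs
+["host"; "message"]
+~doc:
+"The pool failed to enable external authentication, invalid trusted \
+certificates."
+() ;
+error Api_errors.pool_auth_enable_failed_no_trusted_certs ["host"; "message"]
+~doc:
+"The pool failed to enable external authentication, no trusted \
+certificates."
+() ;
+error Api_errors.pool_auth_enable_failed_no_supp_encrypt_type
+["host"; "message"]
+~doc:
+"The pool failed to enable external authentication: domain does not \
+support encryption type, make sure AES based encryption type is enabled \
+in kerberos authentication in AD and Administrator is not in use"
+() ;
+error Api_errors.pool_auth_enable_failed_setup_tls_connection
+["host"; "message"]
+~doc:
+"The pool failed to enable external authentication, failed to set up TLS \
+connection."
+() ;
+error Api_errors.auth_setup_tls_connection ["message"]
+~doc:"Failed to set up TLS connection for external authentication." () ;
+error Api_errors.auth_set_ldaps_failed ["host"; "message"]
+~doc:"The pool failed to set LDAPS configuration." () ;
 error Api_errors.pool_auth_disable_failed ["host"; "message"]
 ~doc:
 "The pool failed to disable the external authentication of at least one \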
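Review bot: `auth_set_ldaps_failed` at the end of the second hunk takes `["host"; "message"]` and is documented as "The pool failed to set LDAPS configuration.", yet it carries the `auth_` prefix that every other entry in this file reserves for host-scoped errors with a single `"message"` parameter, while the pool-scoped ones use `pool_auth_`; if the name is fixed by the design document, the `~doc` should at least say which call raises it and what `host` identifies. The new and edited doc strings are also inconsistent about terminal punctuation: `auth_is_disabled`, `auth_no_trusted_certs`, `auth_enable_failed_no_trusted_certs` (first hunk) and `pool_auth_enable_failed_invalid_ou` (second hunk) drop the period their neighbours have, which shows up verbatim in the generated API reference. For `auth_setup_tls_connection` and `pool_auth_enable_failed_setup_tls_connection` the design document states that `message` carries the underlying winbind/GnuTLS failure text; saying so in the doc, e.g. `~doc:"The pool failed to enable external authentication, failed to set up TLS connection to the domain controller; message contains the underlying TLS error."`, tells API consumers what to expect, and whoever fills `message` should confirm the forwarded winbind output cannot contain credential material.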
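--- a/ocaml/idl/datamodel_host.ml
+++ b/ocaml/idl/datamodel_host.ml
@@ -2044,6 +2044,45 @@ let disable_external_auth =
 ~doc:"This call disables external authentication on the local host"
 ~allowed_roles:_R_POOL_ADMIN ()
 
+let external_auth_set_ldaps =
+call ~flags:[`Session] ~name:"external_auth_set_ldaps" ~in_oss_since:None
+~lifecycle:
+[
+( Published
+, "26.15.0-next"
+, "This call enables or disables LDAPS for external authentication on \
+the host"
+)
+]
+~versioned_params:
+[
+{
+param_type= Ref _host
+; param_name= "host"
+; param_doc= "The host whose LDAPS configuration should be set"
+; param_release= numbered_release "26.15.0-next"
+; param_default= None
+}
+; {
+param_type= Bool
+; param_name= "ldaps"
+; param_doc= "Whether to enable or disable LDAPS"
+; param_release= numbered_release "26.15.0-next"
+; param_default= None
+}
+; {
+param_type= Bool
+; param_name= "force"
+; param_doc= "Force the operation even if already in the desired state"
+; param_release= numbered_release "26.15.0-next"
+; param_default= Some (VBool false)
+}
+]
+~doc:
+"This call enables or disables LDAPS for external authentication on the \
+host"
+~allowed_roles:_R_POOL_ADMIN ()
+
 let set_license_params =
 call ~name:"set_license_params"
 ~lifecycle:
@@ -2829,6 +2868,7 @@ let t =
 ; disable_binary_storage
 ; enable_external_auth
 ; disable_external_auth
+; external_auth_set_ldaps
 ; retrieve_wlb_evacuate_recommendations
 ; install_ca_certificate
 ; uninstall_ca_certificate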
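Review bot: The `~doc` of `external_auth_set_ldaps` (first hunk) only restates the lifecycle text and says nothing about preconditions or failure modes, although the design document in this same commit lists `AUTH_IS_DISABLED` ("AD is not enabled") and the trusted-certificate errors for the LDAPS set operation; a consumer reading the generated API reference has no way to learn that external authentication must already be enabled, if that precondition applies to the host-level call as it does to the pool-level one. Suggest `~doc:"This call enables or disables LDAPS for external authentication on the host. External authentication must already be enabled on the host; enabling LDAPS requires trusted CA certificates that can validate the domain controller's TLS certificate."`, trimmed to whatever the implementation actually checks. The `force` parameter doc `"Force the operation even if already in the desired state"` is clear, but it would help to state whether forcing re-validates the certificates against the domain controller. The same applies to the identical `external_auth_set_ldaps` definition in datamodel_pool.ml.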
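--- a/ocaml/idl/datamodel_lifecycle.ml
+++ b/ocaml/idl/datamodel_lifecycle.ml
@@ -311,6 +311,8 @@ let prototyped_of_message = function
 Some "26.13.0"
 | "pool", "exchange_trusted_certificates_on_join" ->
 Some "26.13.0"
+| "pool", "sync_trusted_certificates_from" ->
+Some "26.15.0-next"
 | "pool", "uninstall_trusted_certificate" ->
 Some "26.13.0"
 | "pool", "install_trusted_certificate" ->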
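--- a/ocaml/idl/datamodel_pool.ml
+++ b/ocaml/idl/datamodel_pool.ml
@@ -660,6 +660,45 @@ let disable_external_auth =
 "This call disables external authentication on all the hosts of the pool"
 ~allowed_roles:_R_POOL_ADMIN ()
 
+let external_auth_set_ldaps =
+call ~flags:[`Session] ~name:"external_auth_set_ldaps" ~in_oss_since:None
+~lifecycle:
+[
+( Published
+, "26.15.0-next"
+, "This call enables or disables LDAPS for external authentication on \
+all hosts in the pool"
+)
+]
+~versioned_params:
+[
+{
+param_type= Ref _pool
+; param_name= "pool"
+; param_doc= "The pool whose LDAPS configuration should be set"
+; param_release= numbered_release "26.15.0-next"
+; param_default= None
+}
+; {
+param_type= Bool
+; param_name= "ldaps"
+; param_doc= "Whether to enable or disable LDAPS"
+; param_release= numbered_release "26.15.0-next"
+; param_default= None
+}
+; {
+param_type= Bool
+; param_name= "force"
+; param_doc= "Force the operation even if already in the desired state"
+; param_release= numbered_release "26.15.0-next"
+; param_default= Some (VBool false)
+}
+]
+~doc:
+"This call enables or disables LDAPS for external authentication on all \
+hosts in the pool"
+~allowed_roles:_R_POOL_ADMIN ()
+
 let detect_nonhomogeneous_external_auth =
 call ~flags:[`Session] ~name:"detect_nonhomogeneous_external_auth"
 ~in_oss_since:None
@@ -1663,6 +1702,36 @@ let uninstall_trusted_certificate =
 ~allowed_roles:(_R_POOL_OP ++ _R_CLIENT_CERT)
 ~lifecycle:[] ()
 
+let sync_trusted_certificates_from =
+call ~name:"sync_trusted_certificates_from"
+~doc:
+"Download trusted TLS certificates from a remote pool and install them \
+in this pool. Certificates already present locally (matched by \
+fingerprint and purpose) are skipped."
+~params:
+[
+(Ref _pool, "self", "The pool")
+; ( String
+, "remote_pool"
+, "The hostname or IP address of the coordinator of the remote pool \
+from which the certificates are downloaded"
+)
+; ( Ref _session
+, "remote_session"
+, "A session obtained from the remote pool, used to authenticate the \
+download"
+)
+; ( String
+, "remote_certificate"
+, "The PEM-encoded TLS certificate of the remote pool's coordinator, \
+used to verify the TLS connection to the remote pool."
+)
+; (Bool, "ca", "true for 'ca' or false for 'pinned'")
+]
+~result:(Set (Ref _certificate), "The references of certificates synced.")
+~allowed_roles:(_R_POOL_OP ++ _R_CLIENT_CERT)
+~lifecycle:[] ()
+
 let trusted_certs = Map (String, Set String)
 
 let exchange_trusted_certificates_on_join =
@@ -1752,6 +1821,7 @@ let t =
 ; disable_binary_storage
 ; enable_external_auth
 ; disable_external_auth
+; external_auth_set_ldaps
 ; detect_nonhomogeneous_external_auth
 ; initialize_wlb
 ; deconfigure_wlb
@@ -1814,6 +1884,7 @@ let t =
 ; set_ssh_auto_mode
 ; install_trusted_certificate
 ; uninstall_trusted_certificate
+; sync_trusted_certificates_from
 ; exchange_trusted_certificates_on_join
 ; exchange_crls_on_join
 ]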
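Review bot: The `~result` doc of `sync_trusted_certificates_from` (second hunk), `"The references of certificates synced."`, does not say whether certificates skipped as already present (matched by fingerprint and purpose, per the `~doc`) are part of the returned set; the design document in this commit has the client call `pool.uninstall_trusted_certificate` with exactly the certificates this call installed when the subsequent `pool.join` fails, so a caller that receives pre-existing certificates in the result would remove trust anchors the host had before. State it explicitly, e.g. `"The references of the certificates installed by this call; certificates that were already present locally are not included."`, if that matches the implementation (which is outside this diff). The `ca` parameter doc `"true for 'ca' or false for 'pinned'"` copies the existing install call but does not explain the effect on the installed certificates; one clause saying they are stored as CA trust anchors versus pinned leaf certificates would do. The `remote_certificate` doc usefully states that the connection is verified against the supplied PEM certificate rather than a system trust store; it should also say the call fails, rather than falling back, when that verification does not succeed, if that is the behaviour.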
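--- a/ocaml/idl/schematest.ml
+++ b/ocaml/idl/schematest.ml
@@ -3,7 +3,7 @@ let hash x = Digest.string x |> Digest.to_hex
 (* BEWARE: if this changes, check that schema has been bumped accordingly in
 ocaml/idl/datamodel_common.ml, usually schema_minor_vsn *)
 
-let last_known_schema_hash = "6147ef4f0f9c3bbbf0c2061e0a0d0010"
+let last_known_schema_hash = "981fd4b2f96e75ee70540759ebd0f37d"
 
 let current_schema_hash : string =
 let open Datamodel_types in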
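--- a/ocaml/libs/stunnel/stunnel.ml
+++ b/ocaml/libs/stunnel/stunnel.ml
@@ -224,9 +224,9 @@ let config_file ?(accept = None) config host port =
 )
 ; [Printf.sprintf "connect=%s:%d" host port]
 ; [
-"sslVersion = TLSv1.2"
-; "ciphers = " ^ Constants.good_ciphersuites
-; "curve = secp384r1"
+Printf.sprintf "sslVersion = %s" Tls_policy.Openssl.default_version
+; Printf.sprintf "ciphers = %s" Tls_policy.Openssl.default_ciphers
+; Printf.sprintf "curve = %s" Tls_policy.Openssl.default_curve
 ]
 ; ( match config with
 | None ->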
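Review bot: `Printf.sprintf "sslVersion = %s" Tls_policy.Openssl.default_version` keeps stunnel's `sslVersion` option, which selects one protocol version exactly as the removed literal `TLSv1.2` did; if `Tls_policy.Openssl.default_version` is intended as a floor (so that TLS 1.3 can be negotiated once the policy allows it), stunnel's `sslVersionMin` expresses that while `sslVersion` would silently exclude newer versions — `Tls_policy` is defined outside this diff, so confirm which semantics it promises and name the option accordingly. A why-comment above the three lines would stop the next reader from re-inlining constants here: `(* Protocol version, cipher list and curve come from Tls_policy so that stunnel and the other TLS clients enforce a single policy. *)`. `config_file` starts before the hunk.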