r23945: add infrastructure to select plain, sign or seal LDAP connection

metze
(This used to be commit 2075c05b3d8baa7d6d8510cd962471a5781740a6)

diff --git a/source3/include/ads.h b/source3/include/ads.h
index c103c3a43ee13db36199e8786de54a3135a10402..1c02366ed4b636934b2554bb3a26bd550444fcc8 100644 (file)
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -39,6 +39,12 @@ struct ads_saslwrap_ops {
        ADS_STATUS (*disconnect)(struct ads_struct *);
 };
 
+enum ads_saslwrap_type {
+       ADS_SASLWRAP_TYPE_PLAIN = 1,
+       ADS_SASLWRAP_TYPE_SIGN = 2,
+       ADS_SASLWRAP_TYPE_SEAL = 4
+} wrap_type;
+
 typedef struct ads_struct {
        int is_mine;    /* do I own this structure's memory? */
        
@@ -85,8 +91,11 @@ typedef struct ads_struct {
                time_t last_attempt; /* last attempt to reconnect */
                int port;
 
+               enum ads_saslwrap_type wrap_type;
+
 #ifdef HAVE_LDAP_SASL_WRAPPING
                Sockbuf_IO_Desc *sbiod; /* lowlevel state for LDAP wrapping */
+#endif /* HAVE_LDAP_SASL_WRAPPING */
                TALLOC_CTX *mem_ctx;
                const struct ads_saslwrap_ops *wrap_ops;
                void *wrap_private_data;
@@ -108,7 +117,6 @@ typedef struct ads_struct {
                        uint32 size;
                        uint8 *buf;
                } out;
-#endif /* HAVE_LDAP_SASL_WRAPPING */
        } ldap;
 #endif /* HAVE_LDAP */
 } ADS_STRUCT;
@@ -321,6 +329,9 @@ typedef void **ADS_MODLIST;
 #define ADS_AUTH_ANON_BIND        0x04
 #define ADS_AUTH_SIMPLE_BIND      0x08
 #define ADS_AUTH_ALLOW_NTLMSSP    0x10
+#define ADS_AUTH_SASL_SIGN        0x20
+#define ADS_AUTH_SASL_SEAL        0x40
+#define ADS_AUTH_SASL_FORCE       0x80
 
 /* Kerberos environment variable names */
 #define KRB5_ENV_CCNAME "KRB5CCNAME"

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index fe7add5e75122a116e5a9fb4a96226fdf5369814..0b732297362cd1b93def6e234be0c5ba6850f4a2 100644 (file)
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -372,8 +372,9 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
        ADS_STATUS status;
        NTSTATUS ntstatus;
 
-       ads->ldap.last_attempt = time(NULL);
-       ads->ldap.ld = NULL;
+       ZERO_STRUCT(ads->ldap);
+       ads->ldap.last_attempt  = time(NULL);
+       ads->ldap.wrap_type     = ADS_SASLWRAP_TYPE_PLAIN;
 
        /* try with a user specified server */
 
@@ -423,6 +424,11 @@ got_connection:
        if (ads->auth.flags & ADS_AUTH_NO_BIND) {
                return ADS_SUCCESS;
        }
+
+       ads->ldap.mem_ctx = talloc_new("ads LDAP connection memory");
+       if (!ads->ldap.mem_ctx) {
+               return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+       }
        
        /* Otherwise setup the TCP LDAP session */
 
@@ -475,6 +481,13 @@ void ads_disconnect(ADS_STRUCT *ads)
                ldap_unbind(ads->ldap.ld);
                ads->ldap.ld = NULL;
        }
+       if (ads->ldap.wrap_ops && ads->ldap.wrap_ops->disconnect) {
+               ads->ldap.wrap_ops->disconnect(ads);
+       }
+       if (ads->ldap.mem_ctx) {
+               talloc_free(ads->ldap.mem_ctx);
+       }
+       ZERO_STRUCT(ads->ldap);
 }
 
 /*

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index a73545f8e59384aeb65d5ecf9f47cdab46b12cca..94600d72344412998f089c74324db3b3db70d6c6 100644 (file)
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -517,6 +517,14 @@ ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
 
        values = ldap_get_values(ads->ldap.ld, res, "supportedSASLMechanisms");
 
+       if (ads->auth.flags & ADS_AUTH_SASL_SEAL) {
+               ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SEAL;
+       } else if (ads->auth.flags & ADS_AUTH_SASL_SIGN) {
+               ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SIGN;
+       } else {
+               ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
+       }
+
        /* try our supported mechanisms in order */
        for (i=0;sasl_mechanisms[i].name;i++) {
                /* see if the server supports it */