ldap_server: Add the krb5 expiry to conn->limits
authorVolker Lendecke <vl@samba.org>
Fri, 7 Aug 2020 11:40:58 +0000 (13:40 +0200)
committerVolker Lendecke <vl@samba.org>
Fri, 21 Aug 2020 19:14:32 +0000 (19:14 +0000)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/ldap_server/ldap_bind.c
source4/ldap_server/ldap_server.c
source4/ldap_server/ldap_server.h

index 5cddecd79be44615925036846b8d68527348235b..54493d040fffaa01cc9357969acf2ca336ddae3b 100644 (file)
@@ -29,6 +29,7 @@
 #include "auth/gensec/gensec_tstream.h"
 #include "param/param.h"
 #include "../lib/util/tevent_ntstatus.h"
+#include "lib/util/time_basic.h"
 
 static char *ldapsrv_bind_error_msg(TALLOC_CTX *mem_ctx,
                                    HRESULT hresult,
@@ -483,6 +484,7 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
        const char *errstr = NULL;
        char *ldb_errstring = NULL;
        DATA_BLOB output = data_blob_null;
+       NTTIME expire_time_nt;
 
        status = gensec_update_recv(subreq, call, &output);
        TALLOC_FREE(subreq);
@@ -602,6 +604,19 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
                goto do_reply;
        }
 
+       expire_time_nt = gensec_expire_time(conn->gensec);
+       if (expire_time_nt != GENSEC_EXPIRE_TIME_INFINITY) {
+               struct timeval_buf buf;
+
+               nttime_to_timeval(&conn->limits.expire_time, expire_time_nt);
+
+               DBG_DEBUG("Setting connection expire_time to %s\n",
+                         timeval_str_buf(&conn->limits.expire_time,
+                                         false,
+                                         true,
+                                         &buf));
+       }
+
        if (context != NULL) {
                const void *ptr = NULL;
 
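Review bot: The new block in ldapsrv_BindSASL_done writes conn->limits.expire_time only when gensec_expire_time() returns a finite value, so a later SASL bind on the same connection whose mechanism reports GENSEC_EXPIRE_TIME_INFINITY would keep the expiry of the earlier bind. Whether conn->limits is reloaded between binds is not visible in this hunk; if it is not, an `else` branch that resets the field, `conn->limits.expire_time = (struct timeval) { .tv_sec = get_time_t_max() };`, would keep the stored expiry tied to the credentials actually in use. A stale finite value only ends the connection earlier than needed, so this is a correctness point rather than an exposure. The function body starts and ends outside the hunk.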
index cd291c061be56e35f023b6e87453c10b68afe313..036dfaab5ae96bb886dda084a4032c3ce20e8eaa 100644 (file)
@@ -47,6 +47,7 @@
 #include "../lib/util/tevent_ntstatus.h"
 #include "../libcli/util/tstream.h"
 #include "libds/common/roles.h"
+#include "lib/util/time.h"
 
 static void ldapsrv_terminate_connection_done(struct tevent_req *subreq);
 
@@ -178,6 +179,9 @@ static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
        conn->limits.max_page_size = 1000;
        conn->limits.max_notifications = 5;
        conn->limits.search_timeout = 120;
+       conn->limits.expire_time = (struct timeval) {
+               .tv_sec = get_time_t_max(),
+       };
 
 
        tmp_ctx = talloc_new(conn);
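Review bot: The default set in ldapsrv_load_limits encodes "no expiry" as `tv_sec = get_time_t_max()`, but nothing on the new lines says so, and the field comment in ldap_server.h (`/* Krb5 ticket expiry */`) does not mention the sentinel either. Code that later enforces the limit has to compare against this value without adding to it or rounding it, because arithmetic on the maximum time_t can overflow. I would add `/* time_t max means "never expires"; overwritten after a SASL bind with a finite gensec expiry */` above the assignment and extend the header comment in the same way. ldapsrv_load_limits starts and ends outside the hunk.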
index e1efe8a4943855534c33508aa1f9cbf8b895a416..74c19fd2fbc4f1ccd8ea7943ab325b2db3401c79 100644 (file)
@@ -61,6 +61,7 @@ struct ldapsrv_connection {
                int max_notifications;
                int search_timeout;
                struct timeval endtime;
+               struct timeval expire_time; /* Krb5 ticket expiry */
                const char *reason;
        } limits;