#include "libcli/ldap/ldap_client.h"
#include "lib/tls/tls.h"
#include "auth/gensec/gensec.h"
-#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
#include "source4/auth/gensec/gensec_tstream.h"
#include "auth/credentials/credentials.h"
#include "lib/stream/packet.h"
unsigned int logon_retries = 0;
size_t queue_length;
const DATA_BLOB *tls_cb = NULL;
+ bool use_channel_bound = lpcfg_parm_bool(lp_ctx,
+ NULL,
+ "ldap_testing",
+ "channel_bound",
+ true);
+ const char *forced_channel_binding = lpcfg_parm_string(lp_ctx,
+ NULL,
+ "ldap_testing",
+ "forced_channel_binding");
+ DATA_BLOB forced_cb = data_blob_string_const(forced_channel_binding);
if (conn->sockets.active == NULL) {
status = NT_STATUS_CONNECTION_DISCONNECTED;
wrap_flags = lpcfg_client_ldap_sasl_wrapping(lp_ctx);
}
+ if (forced_cb.length != 0) {
+ tls_cb = &forced_cb;
+ }
+
try_logon_again:
/*
we loop back here on a logon failure, and re-create the
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
}
+ if (!use_channel_bound) {
+ gensec_want_feature(conn->gensec, GENSEC_FEATURE_CB_OPTIONAL);
+ }
+
/*
* This is an indication for the NTLMSSP backend to
* also encrypt when only GENSEC_FEATURE_SIGN is requested
acceptor_address,
application_data);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to set GENSEC channel bindings: %s\n",
- nt_errstr(status)));
+ DBG_WARNING("Failed to set GENSEC channel bindings: %s\n",
+ nt_errstr(status));
goto failed;
}
}
}
first = false;
- /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
- msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
+ msg = new_ldap_sasl_bind_msg(tmp_ctx,
+ sasl_mech,
+ output.data != NULL ? &output : NULL);
if (msg == NULL) {
status = NT_STATUS_NO_MEMORY;
goto failed;