s3:libads: retry with signing after getting LDAP_STRONG_AUTH_REQUIRED
authorStefan Metzmacher <metze@samba.org>
Tue, 30 Mar 2010 07:50:09 +0000 (09:50 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 7 Apr 2010 12:00:06 +0000 (14:00 +0200)
If the server requires LDAP signing, we get LDAP_STRONG_AUTH_REQUIRED
when "client ldap sasl wrapping = plain" is set. Instead of failing, we now
auto-upgrade to "client ldap sasl wrapping = sign" for the given connection.

metze
(cherry picked from commit cc2ef27e369f0950ec931bf15cba4665c053ac53)

source3/libads/sasl.c

index 3182b936e01d2c1b309b11bcf8ddcb2f5be6be41..3385d4918a03adecb079352bea6b25a8fe526384 100644 (file)
@@ -1110,7 +1110,17 @@ ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
                for (j=0;values && values[j];j++) {
                        if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
                                DEBUG(4,("Found SASL mechanism %s\n", values[j]));
+retry:
                                status = sasl_mechanisms[i].fn(ads);
+                               if (status.error_type == ENUM_ADS_ERROR_LDAP &&
+                                   status.err.rc == LDAP_STRONG_AUTH_REQUIRED &&
+                                   ads->ldap.wrap_type == ADS_SASLWRAP_TYPE_PLAIN)
+                               {
+                                       DEBUG(3,("SASL bin got LDAP_STRONG_AUTH_REQUIRED "
+                                                "retrying with signing enabled\n"));
+                                       ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SIGN;
+                                       goto retry;
+                               }
                                ldap_value_free(values);
                                ldap_msgfree(res);
                                return status;
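Review bot: The debug message in the added block reads "SASL bin got", which looks like a typo for "bind" and will not match a log search on the bind path; suggest `DEBUG(3,("SASL bind got LDAP_STRONG_AUTH_REQUIRED "`. The `retry:` label would also benefit from a one-line comment stating that the jump is taken at most once, because the condition requires `ADS_SASLWRAP_TYPE_PLAIN` and the branch sets `ADS_SASLWRAP_TYPE_SIGN` before `goto retry`, e.g. `/* retried at most once: wrap_type is no longer PLAIN after the upgrade */`. The upgraded value stays in `ads->ldap.wrap_type` when the second attempt fails as well, so it is worth confirming that callers which reuse the ADS_STRUCT expect the configured setting to be overridden from then on. The body of ads_sasl_bind starts and ends outside the hunk.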