#include "lib/param/loadparm.h"
#include "libsmb/namequery.h"
#include "../librpc/gen_ndr/ndr_ads.h"
+#include "auth/credentials/credentials.h"
#ifdef HAVE_LDAP
c_realm, c_domain, nt_errstr(status)));
return status;
}
+
/**
* Connect to the LDAP server
* @param ads Pointer to an existing ADS_STRUCT
* @return status of connection
**/
-ADS_STATUS ads_connect(ADS_STRUCT *ads)
+static ADS_STATUS ads_connect_internal(ADS_STRUCT *ads,
+ struct cli_credentials *creds)
{
int version = LDAP_VERSION3;
ADS_STATUS status;
zero_sockaddr(&existing_ss);
+ if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
+ SMB_ASSERT(creds != NULL);
+ }
+
+ if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
+ /*
+ * Simple anonyous binds are only
+ * allowed for anonymous credentials
+ */
+ SMB_ASSERT(cli_credentials_is_anonymous(creds));
+ }
+
/*
* ads_connect can be passed in a reused ADS_STRUCT
* with an existing non-zero ads->ldap.ss IP address
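Review bot: The anonymous-bind check `SMB_ASSERT(cli_credentials_is_anonymous(creds));` runs regardless of ADS_AUTH_NO_BIND, but the preceding block only requires `creds != NULL` when ADS_AUTH_NO_BIND is clear, so a caller setting both flags with a NULL creds would presumably hit a NULL dereference inside cli_credentials_is_anonymous rather than a clean assertion. Either fold the NULL requirement in, `SMB_ASSERT(creds != NULL && cli_credentials_is_anonymous(creds));`, or skip the anonymous check when no bind is going to happen. The comment above it also misspells the word: `Simple anonyous binds` should read `Simple anonymous binds`. ads_connect_internal's body continues past the end of the hunk.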
goto out;
}
- status = ads_sasl_bind(ads);
+ status = ads_sasl_bind(ads, creds);
out:
if (DEBUGLEVEL >= 11) {
return status;
}
+/*
+ * Connect to the LDAP server
+ * @param ads Pointer to an existing ADS_STRUCT
+ * @return status of connection
+ **/
+ADS_STATUS ads_connect(ADS_STRUCT *ads)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct cli_credentials *creds = NULL;
+ ADS_STATUS status;
+ NTSTATUS ntstatus;
+
+ ntstatus = ads_legacy_creds(ads, frame, &creds);
+ if (!NT_STATUS_IS_OK(ntstatus)) {
+ TALLOC_FREE(frame);
+ return ADS_ERROR_NT(ntstatus);
+ }
+
+ status = ads_connect_internal(ads, creds);
+ TALLOC_FREE(frame);
+ return status;
+}
+
/**
* Connect to the LDAP server using given credentials
* @param ads Pointer to an existing ADS_STRUCT
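Review bot: ads_connect allocates the legacy credentials on a talloc stackframe and releases it right after the bind with `TALLOC_FREE(frame);`, so nothing below ads_connect_internal may keep the creds pointer — if ads_sasl_bind or the TLS retry path stores it in ads for a later rebind, it dangles as soon as ads_connect returns. I cannot see those callees here, so this is worth a one-line comment on the wrapper, e.g. `/* creds live only for this call; callees must not retain them */`, or a talloc_steal onto ads if retention is intended. Separately, the header comment opens with `/*` while the neighbouring functions use the Doxygen form `/**`; changing it to `/**` keeps the file consistent. The ads_connect_creds comment at the end of the hunk belongs to a function defined outside it.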
/*
this performs a SASL/SPNEGO bind
*/
-static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads,
+ struct cli_credentials *creds)
{
TALLOC_CTX *frame = talloc_stackframe();
struct ads_service_principal p = {0};
- struct cli_credentials *creds = NULL;
- NTSTATUS nt_status;
ADS_STATUS status;
const char *mech = NULL;
const char *debug_username = NULL;
enum credentials_use_kerberos krb5_state;
+ krb5_state = cli_credentials_get_kerberos_state(creds);
+
status = ads_generate_service_principal(ads, &p);
if (!ADS_ERR_OK(status)) {
goto done;
}
- nt_status = ads_legacy_creds(ads, frame, &creds);
- if (!NT_STATUS_IS_OK(nt_status)) {
- status = ADS_ERROR_NT(nt_status);
- goto done;
- }
-
debug_username = cli_credentials_get_unparsed_name(creds, frame);
if (debug_username == NULL) {
status = ADS_ERROR_SYSTEM(errno);
goto done;
}
- krb5_state = cli_credentials_get_kerberos_state(creds);
-
#ifdef HAVE_KRB5
if (krb5_state != CRED_USE_KERBEROS_DISABLED &&
!is_ipaddress(p.hostname))
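Review bot: `krb5_state = cli_credentials_get_kerberos_state(creds);` is now the first statement of ads_sasl_spnego_bind and is reached before any check on creds, and the only NULL assertion visible in this change sits in ads_connect_internal; since ads_sasl_bind is a non-static entry point that forwards whatever creds it is given, a direct caller passing NULL would crash here instead of getting an ADS_STATUS back. A cheap guard before that line, `if (creds == NULL) { status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); goto done; }`, keeps the failure mode in line with the rest of the function, which already routes errors through the `done:` label. The function's body continues past the hunk.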
return status;
}
-ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
+ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads, struct cli_credentials *creds)
{
ADS_STATUS status;
struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
}
retry:
- status = ads_sasl_spnego_bind(ads);
+ status = ads_sasl_spnego_bind(ads, creds);
if (status.error_type == ENUM_ADS_ERROR_LDAP &&
status.err.rc == LDAP_STRONG_AUTH_REQUIRED &&
!tls &&