1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2024-01-24 10:43:42 +01:00 committed by Andrew Bartlett
parent 0f8a7c9ef6
commit 0122c0a698
2 changed files with 89 additions and 4 deletions

View File

@ -38,6 +38,7 @@
#include "system/time.h"
#include "param/param.h"
#include "libcli/resolve/resolve.h"
#include "librpc/gen_ndr/ads.h"
static void ldap_connection_dead(struct ldap_connection *conn, NTSTATUS status);
@ -503,9 +504,30 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
}
if ((proto == LDAP_PROTO_LDAP) || (proto == LDAP_PROTO_LDAPS)) {
int wrap_flags = lpcfg_client_ldap_sasl_wrapping(conn->lp_ctx);
conn->ldaps = (proto == LDAP_PROTO_LDAPS);
if (wrap_flags & ADS_AUTH_SASL_LDAPS) {
if (proto == LDAP_PROTO_LDAP) {
if (port == 389) {
port = 636;
proto = LDAP_PROTO_LDAPS;
} else if (port == 3268) {
port = 3269;
proto = LDAP_PROTO_LDAPS;
} else {
conn->starttls = true;
}
}
conn->ldaps = true;
} else if (wrap_flags & ADS_AUTH_SASL_STARTTLS) {
if (proto == LDAP_PROTO_LDAP) {
conn->starttls = true;
}
conn->ldaps = true;
}
conn->host = talloc_move(conn, &dest);
conn->port = port;
@ -538,6 +560,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
return NULL;
}
static void ldap_connect_starttls_done(struct ldap_request *ldap_req);
static void ldap_connect_got_tls(struct tevent_req *subreq);
static void ldap_connect_got_sock(struct composite_context *ctx,
@ -570,15 +593,77 @@ static void ldap_connect_got_sock(struct composite_context *ctx,
return;
}
conn->sockets.raw = talloc_move(conn, &state->raw);
conn->sockets.active = conn->sockets.raw;
if (!conn->ldaps) {
conn->sockets.raw = talloc_move(conn, &state->raw);
conn->sockets.active = conn->sockets.raw;
composite_done(state->ctx);
return;
}
if (conn->starttls) {
struct ldap_message msg = {
.type = LDAP_TAG_ExtendedRequest,
.r.ExtendedRequest.oid = LDB_EXTENDED_START_TLS_OID,
};
struct ldap_request *ldap_req = NULL;
ldap_req = ldap_request_send(conn, &msg);
if (composite_nomem(ldap_req, state->ctx)) {
return;
}
ldap_req->async.fn = ldap_connect_starttls_done;
ldap_req->async.private_data = state;
return;
}
subreq = tstream_tls_connect_send(state, state->ctx->event_ctx,
state->raw, state->tls_params);
conn->sockets.raw, state->tls_params);
if (composite_nomem(subreq, state->ctx)) {
return;
}
tevent_req_set_callback(subreq, ldap_connect_got_tls, state);
}
static void ldap_connect_starttls_done(struct ldap_request *ldap_req)
{
struct ldap_connect_state *state =
talloc_get_type_abort(ldap_req->async.private_data,
struct ldap_connect_state);
struct ldap_connection *conn = state->conn;
NTSTATUS status = ldap_req->status;
struct tevent_req *subreq = NULL;
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(ldap_req);
composite_error(state->ctx, status);
return;
}
if (ldap_req->num_replies != 1) {
TALLOC_FREE(ldap_req);
status = NT_STATUS_INVALID_NETWORK_RESPONSE;
composite_error(state->ctx, status);
return;
}
if (ldap_req->replies[0]->type != LDAP_TAG_ExtendedResponse) {
TALLOC_FREE(ldap_req);
status = NT_STATUS_INVALID_NETWORK_RESPONSE;
composite_error(state->ctx, status);
return;
}
status = ldap_check_response(conn,
&ldap_req->replies[0]->r.GeneralResult);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(ldap_req);
composite_error(state->ctx, status);
return;
}
subreq = tstream_tls_connect_send(state, state->ctx->event_ctx,
conn->sockets.raw, state->tls_params);
if (composite_nomem(subreq, state->ctx)) {
return;
}
@ -603,7 +688,6 @@ static void ldap_connect_got_tls(struct tevent_req *subreq)
talloc_steal(state->tls, state->tls_params);
state->conn->sockets.raw = talloc_move(state->conn, &state->raw);
state->conn->sockets.tls = talloc_move(state->conn->sockets.raw,
&state->tls);
state->conn->sockets.active = state->conn->sockets.tls;

View File

@ -68,6 +68,7 @@ struct ldap_connection {
char *host;
uint16_t port;
bool ldaps;
bool starttls;
const char *auth_dn;
const char *simple_pw;