r23945: add infrastructure to select plain, sign or seal LDAP connection

metze
(This used to be commit 2075c05b3d8baa7d6d8510cd962471a5781740a6)

source3/include/ads.h

@@ -39,6 +39,12 @@ struct ads_saslwrap_ops {
 	ADS_STATUS (*disconnect)(struct ads_struct *);
 };
 
+enum ads_saslwrap_type {
+	ADS_SASLWRAP_TYPE_PLAIN = 1,
+	ADS_SASLWRAP_TYPE_SIGN = 2,
+	ADS_SASLWRAP_TYPE_SEAL = 4
+} wrap_type;
+
 typedef struct ads_struct {
 	int is_mine;	/* do I own this structure's memory? */
 	
@@ -85,8 +91,11 @@ typedef struct ads_struct {
 		time_t last_attempt; /* last attempt to reconnect */
 		int port;
 
+		enum ads_saslwrap_type wrap_type;
+
 #ifdef HAVE_LDAP_SASL_WRAPPING
 		Sockbuf_IO_Desc *sbiod; /* lowlevel state for LDAP wrapping */
+#endif /* HAVE_LDAP_SASL_WRAPPING */
 		TALLOC_CTX *mem_ctx;
 		const struct ads_saslwrap_ops *wrap_ops;
 		void *wrap_private_data;
@@ -108,7 +117,6 @@ typedef struct ads_struct {
 			uint32 size;
 			uint8 *buf;
 		} out;
-#endif /* HAVE_LDAP_SASL_WRAPPING */
 	} ldap;
 #endif /* HAVE_LDAP */
 } ADS_STRUCT;
@@ -321,6 +329,9 @@ typedef void **ADS_MODLIST;
 #define ADS_AUTH_ANON_BIND        0x04
 #define ADS_AUTH_SIMPLE_BIND      0x08
 #define ADS_AUTH_ALLOW_NTLMSSP    0x10
+#define ADS_AUTH_SASL_SIGN        0x20
+#define ADS_AUTH_SASL_SEAL        0x40
+#define ADS_AUTH_SASL_FORCE       0x80
 
 /* Kerberos environment variable names */
 #define KRB5_ENV_CCNAME "KRB5CCNAME"

source3/libads/ldap.c

@@ -372,8 +372,9 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
 	ADS_STATUS status;
 	NTSTATUS ntstatus;
 
-	ads->ldap.last_attempt = time(NULL);
-	ads->ldap.ld = NULL;
+	ZERO_STRUCT(ads->ldap);
+	ads->ldap.last_attempt	= time(NULL);
+	ads->ldap.wrap_type	= ADS_SASLWRAP_TYPE_PLAIN;
 
 	/* try with a user specified server */
 
@@ -423,6 +424,11 @@ got_connection:
 	if (ads->auth.flags & ADS_AUTH_NO_BIND) {
 		return ADS_SUCCESS;
 	}
+
+	ads->ldap.mem_ctx = talloc_new("ads LDAP connection memory");
+	if (!ads->ldap.mem_ctx) {
+		return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+	}
 	
 	/* Otherwise setup the TCP LDAP session */
 
@@ -475,6 +481,13 @@ void ads_disconnect(ADS_STRUCT *ads)
 		ldap_unbind(ads->ldap.ld);
 		ads->ldap.ld = NULL;
 	}
+	if (ads->ldap.wrap_ops && ads->ldap.wrap_ops->disconnect) {
+		ads->ldap.wrap_ops->disconnect(ads);
+	}
+	if (ads->ldap.mem_ctx) {
+		talloc_free(ads->ldap.mem_ctx);
+	}
+	ZERO_STRUCT(ads->ldap);
 }
 
 /*

source3/libads/sasl.c

@@ -517,6 +517,14 @@ ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
 
 	values = ldap_get_values(ads->ldap.ld, res, "supportedSASLMechanisms");
 
+	if (ads->auth.flags & ADS_AUTH_SASL_SEAL) {
+		ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SEAL;
+	} else if (ads->auth.flags & ADS_AUTH_SASL_SIGN) {
+		ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SIGN;
+	} else {
+		ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
+	}
+
 	/* try our supported mechanisms in order */
 	for (i=0;sasl_mechanisms[i].name;i++) {
 		/* see if the server supports it */