ldap server: generate correct referral schemes

Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184

lib/ldb/include/ldb_module.h

@@ -103,6 +103,11 @@ struct ldb_module;
  * attributes, not to be printed in trace messages */
 #define LDB_SECRET_ATTRIBUTE_LIST_OPAQUE "LDB_SECRET_ATTRIBUTE_LIST"
 
+/*
+ * The scheme to be used for referral entries, i.e. ldap or ldaps
+ */
+#define LDAP_REFERRAL_SCHEME_OPAQUE "LDAP_REFERRAL_SCHEME"
+
 /*
    these function pointers define the operations that a ldb module can intercept
 */

selftest/knownfail.d/ldap_referrals

@@ -1 +0,0 @@
-^samba.ldap.referrals.samba.tests.ldap_referrals.LdapReferralTest.test_ldaps_search

source4/dsdb/samdb/ldb_modules/partition.c

@@ -902,11 +902,17 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req)
 						 data->partitions[i]->ctrl->dn) == 0) &&
 			    (ldb_dn_compare(req->op.search.base,
 					    data->partitions[i]->ctrl->dn) != 0)) {
-				char *ref = talloc_asprintf(ac,
-							    "ldap://%s/%s%s",
-							    lpcfg_dnsdomain(lp_ctx),
-							    ldb_dn_get_linearized(data->partitions[i]->ctrl->dn),
-							    req->op.search.scope == LDB_SCOPE_ONELEVEL ? "??base" : "");
+				const char *scheme = ldb_get_opaque(
+				    ldb, LDAP_REFERRAL_SCHEME_OPAQUE);
+				char *ref = talloc_asprintf(
+					ac,
+					"%s://%s/%s%s",
+					scheme == NULL ? "ldap" : scheme,
+					lpcfg_dnsdomain(lp_ctx),
+					ldb_dn_get_linearized(
+					    data->partitions[i]->ctrl->dn),
+					req->op.search.scope ==
+					    LDB_SCOPE_ONELEVEL ? "??base" : "");
 
 				if (ref == NULL) {
 					return ldb_oom(ldb);

source4/ldap_server/ldap_backend.c

@@ -853,6 +853,24 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
 		call->notification.busy = true;
 	}
 
+	{
+		const char *scheme = NULL;
+		switch (call->conn->referral_scheme) {
+		case LDAP_REFERRAL_SCHEME_LDAPS:
+			scheme = "ldaps";
+			break;
+		default:
+			scheme = "ldap";
+		}
+		ldb_ret = ldb_set_opaque(
+			samdb,
+			LDAP_REFERRAL_SCHEME_OPAQUE,
+			discard_const_p(char *, scheme));
+		if (ldb_ret != LDB_SUCCESS) {
+			goto reply;
+		}
+	}
+
 	ldb_set_timeout(samdb, lreq, req->timelimit);
 
 	if (!call->conn->is_privileged) {

source4/ldap_server/ldap_server.c

@@ -436,6 +436,7 @@ static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
 	}
 
 	conn->sockets.active = conn->sockets.tls;
+	conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
 	ldapsrv_call_read_next(conn);
 }
 

source4/ldap_server/ldap_server.h

@@ -24,6 +24,11 @@
 #include "system/network.h"
 #include "lib/param/loadparm.h"
 
+enum ldap_server_referral_scheme {
+	LDAP_REFERRAL_SCHEME_LDAP,
+	LDAP_REFERRAL_SCHEME_LDAPS
+};
+
 struct ldapsrv_connection {
 	struct ldapsrv_connection *next, *prev;
 	struct loadparm_context *lp_ctx;
@@ -47,6 +52,7 @@ struct ldapsrv_connection {
 	bool is_privileged;
 	enum ldap_server_require_strong_auth require_strong_auth;
 	bool authz_logged;
+	enum ldap_server_referral_scheme referral_scheme;
 
 	struct {
 		int initial_timeout;